Drupal Security slides and notes from Drupalcamp Bratislava

Unfortunately I could not appreciate this Drupalcamp fully, since I arrived late and needed to leave early to nurse my flu. However, I did enjoy meeting the welcoming Slovaks, from the gentlemen who helped us get to the venue and later find the right way out of Bratislava on the way home, to the organizers and attendees of the event.

I had the opportunity to talk about Drupal Security at Drupalcamp Cologne last year. This time, however, I decided to build a talk from the ground up and get better organized. The "Is Drupal secure?" session from Four Kitchens was most inspiring: I thought it was a great idea to take the OWASP Top 10 risk list and give the Drupal answers to each item. However, the 2010 list was quite different from the 2007 one that David and company used, and I decided to take more of a developer perspective.


Photos by Martin Valasek

My train of thought in the session started with a reminder of how exposed you could be. I had just read Newsweek's Lay Off the Layoffs that morning and was struck by one statistic: according to a Gallup survey, 16% to 19% of employees are actively disengaged from their company, that is, they sabotage their employer's performance. You can look further for attack sources, but you might not need to.

I tried to reiterate my most important message several times: all of us are involved in security. The chain runs from your hosting provider through the operating system and the (possibly LAMP) stack you install to Drupal itself, its contributed modules and themes, and any custom code you add. The authors of every piece of software involved are responsible for its security, so your custom code deserves the same care, and secure settings are not the icing on the cake but absolutely essential. One insecure setting and your website could fall over.

Yes, security presentations are out to scare you to some degree. I did attempt to downplay open redirections a little, though. Not that they are harmless for your website, but Drupal core was at that time not entirely protected against them (and I obviously could not say so). While simple attacks would fail most of the time, a little trickery could get you unvalidated remote redirections on Drupal 6.15 and below. Fortunately the Drupal security team was already hard at work on this issue, and we released Drupal 6.16 with a fix and a security announcement a few days after Drupalcamp Bratislava.
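To make the "simple attacks fail, a little trickery works" point concrete, here is an added illustration in PHP (Drupal's language). It is not Drupal core code and it is not the Drupal 6.15 issue itself: it shows a typical "is this destination local?" check that only looks for a URL scheme, next to a stricter version that also rejects protocol-relative URLs, backslashes and leading whitespace, run over a handful of constructed inputs.

```php
<?php
// Added example, not Drupal code: validating a ?destination= style
// parameter before redirecting to it. Function names are illustrative.

// Naive check: accepts anything that does not start with "scheme:".
// Catches "http://evil.example/" and "javascript:alert(1)", but nothing else.
function naive_is_local(string $destination): bool {
    return !preg_match('#^[a-z][a-z0-9+.-]*:#i', $destination);
}

// Stricter check: only allow a non-empty, relative path with no scheme,
// host or userinfo, and none of the characters browsers quietly normalise.
function strict_is_local(string $destination): bool {
    if ($destination === '') {
        return false;
    }
    // Browsers strip leading control characters and spaces, so
    // " http://evil.example" would still be followed as an absolute URL.
    if (preg_match('/[\x00-\x20\x7f]/', $destination)) {
        return false;
    }
    // Browsers treat backslashes as slashes: "/\evil.example" becomes "//evil.example".
    if (strpos($destination, '\\') !== false) {
        return false;
    }
    // Protocol-relative URLs keep the current scheme but change the host.
    if (substr($destination, 0, 2) === '//') {
        return false;
    }
    $parts = parse_url($destination);
    if ($parts === false) {
        return false;
    }
    foreach (['scheme', 'host', 'user', 'pass', 'port'] as $forbidden) {
        if (isset($parts[$forbidden])) {
            return false;
        }
    }
    return true;
}

// Constructed test inputs: two legitimate destinations, then variants an
// attacker might try against the naive check.
$inputs = [
    'node/1',
    '/user/login',
    'http://evil.example/',
    'javascript:alert(1)',
    '//evil.example/',
    '/\\evil.example',
    ' http://evil.example',
];
foreach ($inputs as $destination) {
    printf("%-24s naive=%d strict=%d\n",
        $destination, (int) naive_is_local($destination), (int) strict_is_local($destination));
}
```

The first four inputs give the same answer from both checks; the last three pass the naive check and are stopped only by the strict one. The lesson carries beyond this snippet: when deciding whether a redirect target is local, normalise and parse the value rather than pattern-matching its beginning.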

So with all that, I am finally able to publish my session slides for your adrenaline-filled enjoyment. Have fun and stay secure.
