Drupal Security Expert Interview - David Snopek about site security
David Snopek makes our "Drupal Security Expert Interview" series round! He is a founder of myDropWizard.com and a long-time Drupal developer and community member. Among other things, he co-maintains the Panopoly distribution, is a member of the Drupal security team, and co-organizes the local Drupal meetup group in Milwaukee, WI. Enjoy his expert estimation below!
What are the most important maintenance factors for keeping a Drupal site secure?
It's three main things:
(1) Secure code: Make sure you're not using a version of Drupal core or any contrib modules with known security vulnerabilities. If you have custom modules or themes, you'll need to audit them for security best practices (there are some tools to help with this, like pareview.sh).
(2) Secure server: Use HTTPS, make all the security updates from your OS, ensure that the webserver user doesn't have permission to write executable code files, etc. This isn't really Drupal-specific and there are loads of resources on the web. Using a managed hosting environment (like Pantheon, for example) will take most of this off your plate so you can focus on other things.
(3) Secure configuration: Make sure you aren't granting too powerful permissions to untrusted user roles, ensure that trusted users have secure passwords (or two-factor authentication), and that you don't introduce any additional vulnerabilities with your site configuration (more on that in the next question).
What specific tasks need to be done one a regular basis once a site goes live to keep it secure?
Definitely, staying on top of security updates when they come out. :-) But you should also make sure that you don't introduce any configurations that make your site less secure! What many people don't know is that it's possible to introduce XSS vulnerabilities, or make it easier to escalate an XSS vulnerability to an arbitrary PHP execution vulnerability, just by making some bad choices in the Drupal admin pages.
The Security Review module will audit your site for the most common configuration problems and explain how to fix them. Running it periodically will help you make sure you haven't accidentally introduced any problems.
What general advice can you give to Drupal shops about security in Drupal 8?
Drupal 8 will much more secure out-of-the-box than previous versions of Drupal! Peter Wolanin (another security team member) has a great article about this: https://dev.acquia.com/blog/drupal-8/10-ways-drupal-8-will-be-more-secur...
The biggest in my mind is Twig and automatic escaping. The most common type of vulnerability in Drupal 7 is XSS, and this will make it much harder to introduce XSS vulnerabilities in contrib modules. However, many of the best practices are the same! The Security Review module has a -dev version for Drupal 8, so it's a good place to start. That said, it does have a few bugs and doesn't (yet!) include any checks specific to Drupal 8 security.
Something new that affects Drupal 8 is the 'vendor' directory which contains 3rd party code that isn't really meant to be accessible via the web, and can include unexpected vulnerabilities in things like example and test code. While Drupal 8 has some protections to mitigate this danger, the safest thing to do is simply moving the 'vendor' directory outside of the web root. This project on GitHub demonstrates how to do that: https://github.com/drupal-composer/drupal-project.