Drupal Security Expert Interview - Meet Mike Gifford!

Mike Gifford - the author of the Drupal Security Best Practices

In this second interview of the "Drupal Security Expert" series we're pleased to welcome Mike Gifford. Mike is the president of OpenConcept Consulting Inc, a Canadian Benefit Corporation that specializes in open-source web development and hosting. He is a Drupal 8 Accessibility Maintainer and is also passionate about security and privacy. He is the author of Drupal Security Best Practices, a practical guide that summarizes many of the ways to tighten the security of your Drupal site; it is available for free at http://openconcept.ca/drupal-security


How can developers build maximal security into Drupal 8 sites?

We've outlined some of the security issues that have been addressed in Drupal 8 Core, and which security modules have been upgraded to Drupal 8: http://openconcept.ca/drupal-security
Many of the modules that you can use in Drupal 7 have not yet been upgraded to Drupal 8. Supporting efforts to port those modules would help to ensure your sites are more secure with Drupal 8.
There are lots of great improvements in Core. The elimination of PHP Filter from Core & implementation of Twig will do a lot to develop better coding practices with a lot of teams.
As tempting as it is to run on the new fast PHP 7, PHP-FPM or HHVM frameworks, hold off until they are a bit more mature if you can.
There is so much that can be secured on the server; consider starting with a new machine with a fresh operating system. Consider using Debian 8.x Stable (Jessie) or Ubuntu 14.04 (Trusty Tahr). Make sure your server is secure before you start putting Drupal 8 on it.
Support module maintainers to put out stable releases of their code. The Drupal Update infrastructure doesn't support dev or git releases. Also worth noting: modules that are published on external repositories like GitHub are not supported by the Drupal Security infrastructure.

How can I be sure that my site really is secure?

Your site is never completely secure. Nothing on the Internet is 100% secure.
Internet Security is about balancing costs & risks. Where are your priorities?
There is no need to do everything we've outlined in our Security Guide, but these are things that are worth considering before you set up your site.
Use fewer modules and do what you can to only use stable releases in production sites. Use as little custom code as possible.
Consider doing a security review on the modules that you use and publishing your results in their issue queue. Note: follow the proper procedures if you find a security flaw.
Document your configuration and consider contributing documentation back to Drupal.org so that it is clear to everyone. Ensure that you have clear security policies set within your organization.
Develop with Git and make sure you test your backups regularly.
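Both answers above recommend sticking to stable releases and note that modules published on external repositories fall outside the Drupal Security infrastructure. The script below is an added example, not code from the interview or the OpenConcept guide; it audits a Drupal 8 module directory for those two conditions, assuming the drupal.org packaging convention of appending `version:` and `project:` keys to each `.info.yml`, and flags dev snapshots and unpackaged checkouts.

```python
import re
from pathlib import Path
# Added example, not code from the interview or the OpenConcept guide. Assumes
# the drupal.org packaging convention: packaged releases get "version:" and
# "project:" keys appended to each .info.yml, while a git checkout or a module
# pulled from an external repository such as GitHub usually has neither.
DEV_RE = re.compile(r"-dev\b")

def parse_info_yml(text):
    """Collect top-level 'key: value' scalars from an .info.yml (no YAML lib
    needed; nested lists and values containing '#' are ignored here)."""
    info = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        m = re.match(r"^([A-Za-z_][\w.-]*):\s*(.*)$", line)
        if m and m.group(2):
            info[m.group(1)] = m.group(2).strip().strip("'\"")
    return info

def classify(info):
    """'stable' (packaged release), 'dev' (dev snapshot) or 'unpackaged'
    (no drupal.org packaging metadata, so no security-team coverage)."""
    version = info.get("version", "")
    if not version or "project" not in info:
        return "unpackaged"
    return "dev" if DEV_RE.search(version) else "stable"

def audit_modules(module_dir):
    """Classify every module .info.yml under module_dir (e.g. modules/contrib)."""
    results = {}
    for path in Path(module_dir).rglob("*.info.yml"):
        info = parse_info_yml(path.read_text(encoding="utf-8"))
        if info.get("type", "module") == "module":
            results[path.name[:-len(".info.yml")]] = classify(info)
    return results

# Constructed samples of the three cases (module name and version made up).
SAMPLE_STABLE = """name: Example Module
type: module
# Information added by Drupal.org packaging script on 2015-11-20
version: '8.x-1.0'
project: 'example_module'
"""
SAMPLE_DEV = SAMPLE_STABLE.replace("8.x-1.0", "8.x-1.x-dev")
SAMPLE_UNPACKAGED = "name: Example Module\ntype: module\ncore: 8.x\n"

def audit_samples():
    """Classify the constructed samples; returns a label -> status dict."""
    samples = {"stable": SAMPLE_STABLE, "dev": SAMPLE_DEV, "unpackaged": SAMPLE_UNPACKAGED}
    return {k: classify(parse_info_yml(v)) for k, v in samples.items()}
```

Run `audit_modules("modules/contrib")` against a site checkout to list every module that is a dev snapshot or lacks packaging metadata; each of those is a candidate for replacement with a stable release before production.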

What general advice can you give to Drupal shops about security in Drupal 8?

Drupal 8 is a lot better than previous versions of Drupal. Unfortunately it's always going to be a lot of work to do it right.
The temptation to hack Core or Contributed modules while your team gets up to speed with Drupal 8 is going to be pretty high. This is ultimately going to make the long-term sustainability of the site that much harder.
In Drupal 7, contributed modules really didn't get enough support. Far too many modules wouldn't work unless you used a dev release. This really isn't acceptable, and hopefully more shops step up and find ways to contribute to Drupal 8. There is finally a means for Drupal Shops to get recognition for the contributions that they make to the community, so make the most of it.
It's going to be tempting to run with code that is half-baked as clients eagerly try to move to Drupal 8. There will be extra costs in the next year, as people get trained and processes change. Expect the unexpected and make sure to budget to allow for extra time for your team to review and improve projects you choose to use.

With Drupal Core, think about getting $10 million worth of software for free (https://www.openhub.net/p/drupal/estimated_cost) - with the 50-100 modules you choose to use, this would at least double. Remind your clients of what they are getting and find more ways to give back. Don't get caught up in the Free as in Beer or Free as in Speech discussion. Think of it as Free as in Kittens - find a way to nurture what you choose to use.
Social engineering is a significant way that clients' websites can be hacked. Drupal shops can play a stronger role in educating their clients and ensuring that there are agreed-to procedures for critical communications. There are many components which go into a modern website, some of which a client may have direct control over. Drupal shops should be ensuring that clients take the time to document and secure those properly.


Also enjoy the security interviews with Greg Knaddison and David Snopek!