Drupal Security Expert Interview - focus on Greg Knaddison!

Greg Knadisson - Drupal Security Team member

Greg Knaddison is a longtime member of the Drupal Security Team and was the Team Lead for two years. He currently leads the engineering team at CARD.com, a mobile alternative to traditional branch banks. In 2008, Greg published Cracking Drupal, the only book to cover the topic of Securing Drupal Sites. In the interview below he reveals his security expert assessment of current questions about Drupal 8 - get secure!


What does the release of Drupal 8 mean for the security of Drupal?

There are many security improvements in Drupal 8 that make it one of the safest versions of Drupal by default. Features which are available in 7 by modules or patches on drupal.org are already built into Drupal 8. For example, Drupal 8 has [clickjacking protection](https://www.drupal.org/node/2514136) which requires a [contrib](https://www.drupal.org/project/seckit) in Drupal 7. In Drupal 8 the [->orderBy method is protected against SQL Injection](https://www.drupal.org/node/829464) but only part of that feature was backported to Drupal 7. However, Drupal 8 is pretty big rewrite of  codebase and it is highly likely that there will be a period where security bugs are found in Drupal 8 at a faster rate than in Drupal 7.

How will the integration of Symfony components impact its security?

In general, reusing code that is used elsewhere should improve security: the more eyeballs looking at code the safer it is. However, we've seen some cases where some 3rd party code makes assumptions about how it is used that don't match well with the use cases of Drupal. For example, Drupal includes the /vendor/ directory in a web-accessible location which is more likely to work on more hosting configurations, but some 3rd party code is [vulnerable to XSS](https://www.drupal.org/node/2585165) if placed in a web accessible location. There's also an increased problem of coordination - the Drupal Security Team and Symfony Security Team have to coordinate with many more people than in the past and having more people involved in a release generally increases the chances for confusion and problems.

What general advice can you give Drupal shops about security in Drupal 8?

Part of why Drupal is secure is because companies and projects have done security audits of it. There have been many more security audits of Drupal 7 than Drupal 8. As you begin working with Drupal 8, keep a very open mind about where there might be security weaknesses and probe to try to find them. Encourage project stakeholders to hire a third-party web application security company to perform an audit and share the results with the Drupal Security Team if possible. Now is the time to work together to make Drupal 8 as secure as possible by auditing the code. Also, any bugs found in Drupal 8 are [eligible for a bounty](bugs: https://www.drupal.org/drupal8-security-bounty) - you can get paid to find security bugs.


Enjoy also the security interviews with Mike Gifford and David Snopek!