Drupal security @ Techday7 event

First I want to say a few words about TechDay7 and Drupal.

Techday7:- This is an event held once every month on a Saturday (the 7th day of the week). It was started on April 21st 2012 (Day of Drupal). The event has had a good response from participants. You can watch the videos here: http://www.youtube.com/user/techday7 . At that event my friend @bakiyanathan presented Drupal Security.

To join the Techday7 community, go to techday7.com; at this point it is free of cost to become a Techday7 member.

Drupal:- Drupal is an open source PHP CMS, and a very powerful one. Thousands upon thousands of web sites run on Drupal now. It is a cool CMS with awesome plugins available on the net, most of them free and a few paid. One more thing to remember here: it also has better security than most other CMSs.

Here are a few important points (the same ones you can see in the PPT):-
*) Drupal provides a database API with built-in SQL injection attack prevention. Drupal provides a set of functions to process URLs and SQL arguments, making security an easy choice for developers.
*) PHP has a configurable base directory for inclusions. Using this option limits possible inclusion attacks to the Drupal directories only. Drupal modules generally offer no entry point except through Drupal's secure URL/menu handler. So, while users may be able to load arbitrary PHP files, the "attacks" will have no effect. Prevention of "insecure direct object reference" attacks also helps here.
*) Drupal’s menu and form APIs encourage validating and sanitizing data submitted from users. When object references are passed through the Form API, Drupal core protects the values from tampering by site users. Drupal and PHP provide file and session APIs that allow convenient and secure object reference passing.
*) Drupal filters out the scripting variations of cross-site request forgery (CSRF), leaving only the simpler ones. Those simpler CSRF attacks fail against Drupal because the Form API isolates state-changing operations behind POST requests. The Form API also requires a form to be loaded before it can be submitted, making CSRF attacks much harder.
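As an added example (not from the post or the slides), here is a small Drupal 7 module fragment that shows three of the points above in code: an unsafe concatenated query next to the database API's placeholder form, a menu router entry as the module's only entry point, and a Form API form, which receives Drupal's hidden form_token so a forged cross-site POST is rejected. The module name td7_demo, its path and its function names are assumptions.

```php
<?php
// Added example, not from the post or slides. Hypothetical module "td7_demo"
// written against the Drupal 7 API.

// UNSAFE: user input concatenated into SQL; a quote in $title changes the query.
function td7_demo_lookup_unsafe($title) {
  return db_query("SELECT nid FROM {node} WHERE title = '" . $title . "'")->fetchField();
}

// SAFE: named placeholder; the DB layer binds the value, it is never parsed as SQL.
function td7_demo_lookup_safe($title) {
  return db_query('SELECT nid FROM {node} WHERE title = :title',
    array(':title' => $title))->fetchField();
}

/**
 * Implements hook_menu(). The router is the only entry point into the module,
 * and it enforces the access check before the page callback runs.
 */
function td7_demo_menu() {
  $items['td7-demo/lookup'] = array(
    'title' => 'Node lookup',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('td7_demo_lookup_form'),
    'access arguments' => array('access content'),
  );
  return $items;
}

/**
 * Form builder. Form API adds hidden form_build_id and form_token fields;
 * a POST without a valid token for the current session is rejected (CSRF).
 */
function td7_demo_lookup_form($form, &$form_state) {
  $form['title'] = array(
    '#type' => 'textfield',
    '#title' => t('Node title'),
    '#required' => TRUE,
    '#maxlength' => 255,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Look up'));
  return $form;
}

// Submit handler: only reached after the token and #required checks passed.
function td7_demo_lookup_form_submit($form, &$form_state) {
  $title = $form_state['values']['title'];
  $nid = td7_demo_lookup_safe($title);
  // @placeholders in t() are passed through check_plain(), so the echoed title is escaped.
  drupal_set_message(t('Node id for @title: @nid', array('@title' => $title, '@nid' => $nid ? $nid : 'none')));
}
```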