My Review of "Cracking Drupal" by Greg Knaddison

Posted Jan 7, 2010 // 3 comments
By Eric

Synopsis

Cracking Drupal's goal is to help Drupal maintainers and module developers recognize, diagnose, and ultimately prevent security issues from the perspective of code.  It gives a good overview of how to think about security when building and/or analyzing custom, contributed or core modules.  With included code examples and some real world cases, the book presents a good foundation to build from.

Outstanding Info

To start off, I'm really glad to see a book like this for Drupal. It can change how any developer looks at his/her own work. So often developers are more focused on looking out from the inside. Cracking Drupal warns us to take heed of our attack surface, find where we are most vulnerable, and add that knowledge into our basic fundamentals of building a site or module.

For me personally, I'm going through my solution progression a little differently now, trying to keep in mind the tips from the book, including:

  • Try to make use of Drupal's built in APIs whenever possible.
  • Think about the context of any text being entered and how it will be used.
  • Protect callbacks with permissions.

The clear breakdown of handling strings safely was a huge help for me. I've always known about the different methods but was unclear when to use what. A diagram would have been awesome here; luckily the internet came to my rescue. Attached is a diagram that has been very useful to me. All I had was a printed copy, so I reproduced it. Now, I'm not the original author of this, so if you know where it came from, please comment with the original URL so I can give them the credit.

Areas of improvement

The only thing that I didn't like was the 59 pages of Appendix B, Installing and Using Drupal 6 Fresh out of the Box; that's almost 25% of the book that I didn't need. I would have been fine with a URL and five dollars off.

What made me think

Chapter 9, Finding, Exploiting, and Avoiding Vulnerabilities, was really thought provoking. I found it interesting to be shown methods of cracking a site, and then think how to use that knowledge to prevent your site from being tagged as vulnerable. The whole book is causing me to pay more attention to how I write code. As I read, I was furiously trying to remember if things I had done in the past could be exploited in this way. The cross site scripting (XSS) attacks can be really nasty, especially the ones having to do with uploaded js files, then including those files via an unprotected node title field. It really opened my eyes.
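As an added illustration of two of the tips above (protect callbacks with permissions, escape text for the context it is used in) and of the unprotected node title case, here is a small Drupal 6 module snippet. It is not code from the book; the module name review_example and the path are made up for this example.

```php
<?php
// Hypothetical module "review_example" (constructed for this illustration).

/**
 * Implements hook_menu().
 *
 * 'access arguments' hands the permission to the default access callback
 * (user_access), so anonymous users without 'access content' get a 403
 * instead of reaching the page callback at all.
 */
function review_example_menu() {
  $items = array();
  $items['review-example/%node'] = array(
    'title' => 'Node title preview',
    'page callback' => 'review_example_page',
    'page arguments' => array(1),              // %node is loaded via node_load()
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback: shows the node title inside HTML.
 *
 * The title is user-entered text destined for an HTML context, so it must be
 * escaped before concatenation. Without that, a title containing a
 * <script src="..."> tag pointing at an uploaded file would run in the
 * browser of every visitor to this page.
 */
function review_example_page($node) {
  // Vulnerable form (kept only as a comment): raw title inserted into HTML.
  // $output = '<h2>' . $node->title . '</h2>';

  // Safe: check_plain() escapes for plain text in an HTML context.
  $output = '<h2>' . check_plain($node->title) . '</h2>';

  // Equivalent when building a translatable string: the @ placeholder in t()
  // runs check_plain() on the value for you.
  $output .= '<p>' . t('You are viewing @title.', array('@title' => $node->title)) . '</p>';

  // If the field is meant to hold limited markup (a body field, not a title),
  // filter_xss() keeps a safe tag whitelist instead of escaping everything.
  $output .= filter_xss($node->body);

  return $output;
}
```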

Yay or Nay?

Before this book, I wasn't sure where to look for vulnerabilities, nor how to look for them. So often in the building of apps, developers are forced to put on the blinders and brute force a solution for whatever reason. It's not ideal, but it's the reality. And the knowledge in Cracking Drupal can make you more aware of pitfalls contributing to vulnerabilities on your site. While this book may cover attack strategies that are nothing new to the Drupal security team, it's perfect for someone that needs a guided first step. I definitely recommend this book to any Drupal developer that is unfamiliar with website security and wants to learn more. (YAY!)

Still not convinced?

Check out the Acquia webinar, Cracking Drupal: Proven Strategies for Uncovering Security Threats and Protecting Your Site; it's where I first learned about the book. I ended up buying the book before the webinar was over. ;)

Some Links to share


About Eric


Eric McKenna is a software developer. He has had Drupal-itis ...


Comments

by greggles (not verified) on Mon, 01/11/2010 - 11:01

http://growingventuresolutions.com

Hi Eric,

I'm glad you liked it! You may want to talk to Frank about a mail I sent to him two weeks ago ;)

The Appendix you mention as not liking was not something I wanted to add, but due to some intricacies of how the publishing industry works. All I can say is that this was my first book and I've learned a lot about how to write books (and negotiate the book contract) for next time.

by Eric on Mon, 01/11/2010 - 12:37

Figured it was something like that ;)

by Eric on Mon, 01/11/2010 - 11:50

Security Review Module

Got this update from Greg as a followup from the Acquia Security Webinar:

Drupal Security Review Module

During the webinar several people asked about a Security Review module and I mentioned that we were working on it. Well, the work is done and the module is live: http://drupal.org/project/security_review The initial feedback on the module has been great. One user said in the issue queue: "I couldn't be more pleased. Thanks for your help!" The Security Review Module was written primarily by my colleague and fellow member of the Drupal Security Team Ben Jeavons.
