Cracking Drupal: A Drop in the Bucket

by Greg Knaddison

Book Summary Information

Author: Greg Knaddison
Edition: Paperback
Audio: English (Unknown); English (Original Language); English (Published)
Published: 2009-05-11
ISBN: 0470429038
Number of pages: 240
Publisher: Wiley

Book Reviews of Cracking Drupal: A Drop in the Bucket

Book Review: Site Hacked? Read Cracking Drupal!
Summary: 5 Stars

Cracking Drupal: A Drop in the Bucket was everything I'd hoped it would be, and more.

I know that's a cliche, but when I first learned about Greg Knaddison's book (greggles in Drupal-land), I'd assumed it would be aimed primarily at Drupal contributed module developers. By the time I finished the excellent book about Drupal security, I realized it was an essential read for anyone connected with developing, theming, or maintaining a Drupal site.

I had been anticipating the release of Knaddison's book for months, as I've been a fan of his for some time, due in part to his active and helpful role in Drupal's forums, and to his work with the Security Team. After reading the book, I feel more secure than ever using Drupal, as its well-documented API and best practices ensure that any module maintainer adhering to them will produce rock-solid code. At the same time, it quite visibly demonstrates the importance of an active community to ensure the modules and themes we use do just that.

Let's look in more detail at the book.

Part One, "Anatomy of Vulnerabilities", offers an extensive overview of the predominant routes of attack that may be taken against a site. It's split logically into two chapters: by vulnerabilities possible with Drupal or its contributed modules and themes, and by potential weaknesses introduced by a poorly configured or poorly maintained server environment.

The first two chapters, "That Horrible Sinking Feeling" and "Security Principles and Vulnerabilities outside Drupal", jump right into outlining the more common things that could expose your site to attack. By beginning with this apocalyptic message, Greg grabs the reader's attention and imbues a sense of dread and hopelessness. Fortunately, he doesn't leave us hanging, and immediately shows us in the next part, "Protecting against Vulnerabilities", relatively easy configurations and optional modules that can buttress our sites with defenses against some of the more common lines of attack, such as tools to subscribe a site for security updates, enforcing strong passwords, and reducing the risks of persistent sessions.

Chapter 4, "Drupal's User and Permissions System", begins the section most exciting to me as a developer, by describing the API and hooks offered by Drupal to help create more secure code. It offers, for example, an in-depth examination of the famous t() function, showing its dual nature as an aid to translation and internationalization, and (when used properly) as an easy method to automatically filter user input against XSS attacks. Then, as the title implies, the bulk of that chapter offers an in-depth overview of the user and permission system, and how the menu system hooks into it.

Chapter 5, "Dangerous Input, Cleaning Output", begins with an exciting foray into the database API for Drupal. It covers safely using the database functionality for Drupal 6 and earlier, and the new, improved, and evermore secure system we can look forward to for Drupal 7. It then meanders into sanitizing output, and applying lessons learned to form building.

We learn in Chapter 6 about best practices for developers who work at the theme level (or themers), beginning with an overview of Drupal's theming system and PHPTemplate. The overview is particularly valuable, as Greg points out that many people who work at the theme level do not necessarily come from a PHP background, so they have another hurdle to overcome in ensuring a secure site. Fortunately, as he reiterates, it's hard to go wrong as long as we stick to the established standards. For module developers, he cautions the need to maintain a clear separation of code from form, keeping template files as clean as possible.

Next on the plate is the Node Access system, thoroughly described in Chapter 7. My first exploration of this initially baffling framework was the concise, though somewhat cryptic, summary in Pro Drupal Developer (an excellent book, by the way, and another essential in any Drupal developer's library). Greg offers more of a leisurely walkthrough, which would have saved me hours of frustration when I first was learning that system.

The final chapter of that section, "Automated Security Testing", explores some currently available modules that should be in the bag of tricks for not only module developers, but anyone deploying a site. He describes how they can be used to test both the modules in use, and a site's custom theme, where many of the vulnerabilities in the wild can be found.

Which brings us, finally, to Part Three, "Weaknesses in the Wild". Chapter 9 offers real-world examples of vulnerabilities, showing how to find not only weaknesses in contributed modules using nothing more than a search on your local CVS repository checkout, but also weaknesses in the wild, using nothing more than a Google search. Scared yet? You should be. But before you think, "Maybe Drupal's too insecure for me to use, if you can find weaknesses so easily," just remember that every contributing developer to Drupal is interested in creating and maintaining secure code, and at the very least, we can ensure our own sites will be ahead of the game if we do nothing more than keep them updated to the most secure releases as they become available.

Now for your Homework...

Your homework, if you're interested in putting your knowledge to a test, is to complete a full security audit on a 'Vulnerable' module (a dubious companion to the book), and Knaddison offers his own answers in Chapter 10, "Un-Cracking Drupal". I found this fun exercise to be informative, and it is helping me work through my own code to check for vulnerabilities.

The appendices are useful in their own right. The first appendix examines several useful core functions, explaining specifically how they help maintain security through proper usage. Greg offers useful examples of how to properly use each. The next appendix demonstrates how to create a clean (and secure!) Drupal installation. The final appendix introduces readers to the active Drupal Security Team, and to several useful resources outside the Drupal community, in the larger world of Internet security.

If you've read this far without purchasing the book yet, then get on it! You need Cracking Drupal: A Drop in the Bucket by Greg Knaddison. Your sites will be happy for it.

Summary of Cracking Drupal: A Drop in the Bucket

The first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal, and how to prevent them from continuing. Drupal is an open source framework and content management system that allows users to create and organize content, customize presentation, automate tasks, and manage site visitors and contributors. Authored by a Drupal expert, this is the first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal, and how to prevent them from continuing. The main goal of this guide is to explain how to write code that avoids an attack in the Drupal environment, while also addressing how to proceed if a vulnerability has been spotted and then regain control of security.
