Understanding and Implementing Website Security

Knowing security best practices only gets a team so far. They have to implement them too. This session will cover the security risks that a web development team faces and the underlying reasons why risks can go unaddressed. Ultimately, there are no excuses for leaving your web projects exposed to known vulnerabilities. This session will cover common security concerns for Drupal and the root problems a team needs to solve in order to mitigate these risks.

We will cover:

  • Three layers of web security, from the perspective of Drupal: platform-level (e.g. Linux), application-level (e.g. Drupal), and organizational-level (e.g. procedures).
  • Familiarity with your hosting platform’s security-related practices.
  • Overview of common vulnerabilities in web applications (XSS, CSRF, HTTP vs HTTPS, etc.).
  • Understanding how security concerns are handled for core and contrib.
  • Clarifying support responsibilities and procedures so that security fixes are applied quickly.

Attendees who build and/or manage Drupal sites will gain the most from the session. Attendees will leave with a complete picture of website security and concrete recommendations for how to improve the security of the sites they manage. It will cover recommendations for Drupal 7 and Drupal 8.

Many of the topics that will be covered are in my Understanding and Implementing Website Security blog post series. An early version of this talk was also given at MidCamp 2016.

Speaker(s): dgorton
Time: August 13 - Day 1, 10:30am-11:15am
Room: Concert Hall
Track: Development and Site Building
Experience level: Beginner