The security of your website and application is something to take seriously. As members of the Drupal Security Team and authors of the only book on Drupal security, we at Growing Venture Solutions take security very seriously. GVS also co-authored the first comprehensive white paper on Drupal security. We offer specific services for site and application security review as an integrated unit or as individual pieces. We believe that security is a process, not a project, and that site owners must be equipped with knowledge, support, and training in addition to periodic expert reviews.
Standard reports
All of our services culminate in a written report, which we deliver to you and use to frame a final oral report with developers and project stakeholders. We combine the results of the interviews and code/configuration research into a gap analysis against relevant industry best practices. We then prioritize the gaps based on the unique needs and services of your site to give a set of recommendations in order of importance.
1. Drupal core and contributed module configuration analysis
Certain configurations can open a vector for attack on your site. Visitors to your site should be able to interact under the conditions you have set, and no more. We start by asking some background questions about your site and review its configuration to identify potential weak points. We use a mix of automated and manual reviews to efficiently analyze sites of any size.
2. Targeted code analysis
Where are the majority of the weaknesses in your site? The answer may surprise you: for most sites it is in custom modules and custom theme template files. After our combined years of involvement in the Drupal Security Team, we are familiar with the most common pitfalls that trap Drupal developers. We've built a set of static analysis tools to review Drupal-specific PHP code to find vulnerabilities. We apply these tools and an in-depth visual review of the code to identify weaknesses and gain a sense of the size and scope of the problems with your site.
If the problems we find are in core or contributed modules, we will work with fellow members of the Drupal Security Team to get the issues fixed and released to the public. For vulnerabilities identified in custom development, we will provide recommendations, solutions for fixing the problems, or training for your team.
3. Training and certification in Secure Drupal Development
An integral part of any site review is to communicate to the client how to avoid problems in the future. Our training is designed to give you the tools you need to protect yourself. For your developers, we will review best practices with the Drupal API so that they can analyze core, contributed modules, and their own code to eliminate vulnerabilities before they are added to your site.
We certify each student's completion of the training. The training includes an exercise where we evaluate the ability of the student to identify weaknesses in the code and configuration of a sample Drupal site. To put it in geek speak, this training won't teach you how to use hook_form_alter, but if you already know it we will teach you to use it safely.
4. Development and production process review
Do your processes consider the sensitivity of communications and data? In a one-day on-site series of interviews with e-mail follow-up, we examine the processes related to development and maintenance of your Drupal site to identify potential areas of weakness.
5. Web server and network level analysis
Drupal is just one piece of the software stack; vulnerabilities can exist at the server and network levels as well. If your site is hosted in a professional hosting environment, your host likely has a security review system, but for those running their own servers we work with an extremely skilled local partner to provide this level of review.
Free security review module
The Security Review module provides a free analysis of some of the most common misconfigurations on sites. It is built to provide a simple overview while giving documentation and links to further resources, allowing you to drill down to deeper levels of information if you happen to be vulnerable to one of the problems.
Drupal security report
In April 2010, GVS completed an intensive effort by co-authoring the essential white paper on Drupal Security with assistance from several sponsors and reviewers. This report has set the tone for high-level discussion of Drupal security practices.