It's nearly 6 months since the release of Cracking Drupal, which makes for a nice milestone to talk about the book and mention a few related developments. Cracking Drupal was written by me (Greg Knaddison - or "greggles") with reviews and assistance from various members of the community with the well-known Károly Négyesi (chx) as the main technical editor.
The book's target audience is broad: site admins who know a little coding, developers who are deep in module development and selection, and front end developers (aka themers) who modify their template.php and tpl.php files.
The story behind the book
The underlying motivation for this book was to better educate the Drupal community about security best practices. I started working with the Drupal Security team in 2007, shortly before Drupalcon Barcelona. Then, like now, the team is composed of some of the best and brightest of the community, which means they are often quite busy: the team is frequently overwhelmed with work. Based on discussion at Drupalcon Barcelona, I decided to work on educating the community about security to hopefully reduce the number of vulnerabilities in core and contributed modules/themes. I began by revising, adding, and updating the handbook pages (secure configuration and writing secure code) and presenting at Drupalcamps and Drupalcons on the topic. Shortly after I began that work Wiley approached me with the idea of writing a book on the topic. So, I got down to work writing it and 9 short months later the book is published.
About the book
The book is split into three broad pieces. The first two chapters give a review of common security vulnerabilities so that readers have a solid understanding of what the problems are. Part 2 runs from chapter 3 through 8 and covers how to protect your site - first by configuring it safely and possibly adding modules and then through secure coding practices. One benefit of reviewing how to code securely is that readers will also learn how to code properly: Drupal's API is meant to provide developers security by default.
Part 3 takes the conceptual basis from the first two parts and puts it to the test. Chapter 9 shows the reader how to take advantage of a vulnerability they might find, this helps solidify knowledge of weaknesses and drives home the point that it is really easy to exploit most of these weaknesses. Chapter 10 goes step by step through fixing vulnerabilities in a module to make it safe.
About the companion site: CrackingDrupal.com
As useful as it is to have a book on a topic, you can't beat the speed of real time publishing on the internet. So, I built CrackingDrupal.com as a place to provide some of the downloadable resources for the book (like free copies of the first chapter), to discuss security issues related to Drupal, and to provide more current information about Drupal security as new changes come up. For example, chapter 3 has a list of modules that can increase the security of a site which needs a little updating. So, Ben Jeavons has created an updated list of contributed modules to better secure your site.
For the curious, you can read about how Evelyn designed and built the speaking tabs on CrackingDrupal.com
Upcoming Presentations about Security
Of course, writing the book doesn't mean that my work spreading the word about security is over.
- This Thursday I'll be working with the folks at Acquia to give a free webinar on Drupal security - registration is required.
- In October Ben will be giving a security presentation at the Bay Area Drupal Camp - Drupal Security for Site Administrators and Beginners
- In December I'll be speaking at Do it with Drupal as part of the "Back End" track.
Drupal Security Review Service
I've mentioned Ben Jeavons a few times - Ben is member of the Drupal security team and a new member of the Growing Venture Solutions team. He is also the leader of our Security review for Drupal sites service which we are in the process of launching. The market of Drupal service providers is getting increasingly focused: companies are providing services in a specific area which allows them to provide better work and easily combine the needs and funding from multiple vendors to create specific tools that benefit the community. One great example of this kind of specialization and community benefit are the Migrate and Table Wizard modules from Cyrve or the performance specific tools from Four Kitchens, Tag1 and Chapter three. We hope that by providing some specific security services we will be able to improve the infrastructure of the Security Team, improve the resources available to site owners, and work on hardening Drupal 7.
You want the book?
Ok, enough already - get the book from - Amazon.com (with Drupal Association affiliate link) .