Cracking Drupal: A Drop in the Bucket |  | Author: Greg Knaddison
Publisher: Wiley
Category: Book
List Price: $40.00
Buy New: $10.29
as of 7/31/2010 06:56 CDT details
You Save: $29.71 (74%)
New (32) Used (20) from $10.10
Seller: feelgoodreaders
Rating:  11 reviews
Media: Paperback
Pages: 240
Number Of Items: 1
Shipping Weight (lbs): 0.8
Dimensions (in): 9.2 x 7.3 x 0.6
ISBN: 0470429038
Dewey Decimal Number: 006.76
EAN: 9780470429037
Availability: Usually ships in 1-2 business days
| |
| Features:
| • | ISBN13: 9780470429037 | | • | Condition: New | | • | Notes: BUY WITH CONFIDENCE, Over one million books sold! 98% Positive feedback. Compare our books, prices and service to the competition. 100% Satisfaction Guaranteed |
|
| Similar Items:
| |
| Editorial Reviews:
Product Description
The first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal?and how to prevent them from continuing Drupal is an open source framework and content management system that allows users to create and organize content, customize presentation, automate tasks, and manage site visitors and contributors. Authored by a Drupal expert, this is the first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal?and how to prevent them from continuing. The main goal of this guide is to explain how to write code that avoids an attack in the Drupal environment, while also addressing how to proceed if vulnerability has been spotted and then regain control of security.
|
| Customer Reviews:
Showing reviews 1-5 of 11
 Site Hacked? Read Cracking Drupal! July 27, 2009
Aaron Winborn (Harrisburg, PA USA)
12 out of 12 found this review helpful
Cracking Drupal: A Drop in the Bucket was everything I'd hoped it would be, and more.
I know that's a cliche, but when I first learned about Greg Knaddison's book (greggles in Drupal-land), I'd assumed it would be aimed primarily at Drupal contributed module developers. By the time I finished the excellent book about Drupal security, I realized it was an essential read for anyone connected with developing, theming, or maintaining a Drupal site.
I had been anticipating the release of Knaddison's book for months, as I've been a fan of his for some time, due in part to his active and helpful role in Drupal's forums, and to his work with the Security Team. After reading the book, I feel more secure than ever using Drupal, as its well-documented API and best practices ensure that any module maintainer adhering to them will produce rock-solid code. At the same time, it quite visibly demonstrates the importance of an active community to ensure the modules and themes we use do just that.
Let's look in more detail at the book.
Part One, "Anatomy of Vulnerabilities", offers an extensive overview of the predominate routes of attack that may be taken against a site. It's split logically into two chapters by vulnerabilities possible with Drupal or its contributed modules and themes, and by potential weaknesses introduced by a poorly configured or poorly maintained server environment.
The first two chapters, "That Horrible Sinking Feeling" and "Security Principles and Vulnerabilities outside Drupal", jump right into outlining the more commong things that could expose your site to attack. By beginning with this acopolyptic message. Greg grabs the reader's attention and embues a sense of dread and hopelessness. Fortuntely, he doesn't leave us hanging, and immediately shows us in the next part, "Protecting against Vulnerabilities", relatively easy configurations and optional modules that can buttress our sites with defenses against some of the more common lines of attack, such as tools to subscribe a site for security updates, enforcing strong passwords and reducing the risks of persistant sessions.
Chapter 4, "Drupal's User and Permissions System", begins the section most exciting to me as a developer, by describing the API and hooks offered by Drupal to help create more secure code. It offers, for example, and in-depth examination of the famous t() function, showing its dual nature as an aid to translation and internationalization, and (when used properly) as an easy method to automatically filter user input from XSS attacks. Then, as the title implies, the bulk of that chapter offers an in-depth overview of the user and permission system, and how the menu system hooks into it.
Chapter 5, "Dangerous Input, Cleaning Output", begins with an exciting foray into the database API for Drupal. It covers safely using the database functionality for Drupal 6 and earlier, and the new, improved, and evermore secure system we can look forward to for Drupal 7. It then meanders into sanitizing output, and applying lessons learned to form building.
We learn in Chapter 6 about best practices for developers who work at the theme level (or themers), beginning with an overview of Drupal's theming system and PHPTemplate. The overview is particularly valuable, as Greg poinjts out that many people who work at the theme level do not necessarily come from a PHP background, so have another hurdle to overcome in ensuring a secure site. Fortunately, as he reiterates, it's hard to go wrong as long as we stick to the established standards. For module developers, he cautions the need to maintain a clear seperation of code from form, keeping template files as clean as possible.
Next on the plate is the Node Access system, thoroughly described in Chapter 7. My first exploration of this initially baffling framework was the concise, though somewhat cryptic, summary in Pro Drupal Developer (an excellent book, by the way, and another essential in any Drupal developer's library). Greg offers more of a leisurely walkthrough, which would have saved me hours of frustration when I first was learning that system.
The final chapter of that section, "Automated Security Testing", explores some currently available modules that should be in the bag of tricks for not only module developers, but anyone deploying a site. He describes how they can be used to test both the modules in use, and a site's custom theme, where many of the vulnerabilities in the wild can be found.
Which brings us, finally, to Part Three, "Weaknesses in the Wild". Chapter 9 offers real world examples of vulnerabilities, showing how to find not only weaknesses in contributed modules using nothing more than a search on your local cvs repository checkout, but also weaknesses in the wild, using nothing more than a Google search. Scared yet? You should be. But before you think, "Maybe Drupal's too insecure for me to use, if you can find weaknesses so easily," just remember that every contributing developer to Drupal is interested in creating and maintaining secure code, and at the very least, we can ensure our own sites will be ahead of the game if we do nothing more than keep them updated to the most secure releases as they become available.
Now for your Homework...
Your homework, if you're interested in putting your knowledge to a test, is to complete a full security audit on a 'Vulnerable' module (a dubious companion to the book), and Knaddison offers his own answers in Chapter 10, "Un-Cracking Drupal". I found this fun exercise to be informative, and it is helping me work through my own code to check for vulnerabilities.
The appendices are useful in their own right. The first appendix examines several useful core functions, explaining specifically how they help maintain security through proper usage. Greg offers useful examples of how to properly use each. The next appendix demonstrates how to create a clean (and secure!) Drupal installation. The final appendix introduces readers to the active Drupal Security Team, and to several useful resources outside the Drupal community, in the larger world of Internet security.
If you've read this far without purchasing the book yet, then get on it! You need Cracking Drupal: A Drop in the Bucket by Greg Knaddison. Your sites will be happy for it.
More than meets the eye! May 3, 2009
Doug Vann (Indianapolis)
10 out of 11 found this review helpful
Whoa!
This book does not seek to alarm you as much as it seeks to inform you.
The problem is not that Drupal is not secure. What Gregg shows is that its up to the admin to make sure that all of the security features are used properly to ensure a secure site. By showing what hackers might do the reader is informed on how to make sure that those attacks would not cause damage to their sites.
In a word, this book is PRACTICAL. And for a second word I would add ESSENTIAL.
This book is causing a lot of conversation in the Drupal community. We're all glad that it has become an easy to read, one-stop-shop to get the facts on security.
Don' take your site live without this book May 11, 2009
Cary Gordon (Los Angeles, CA USA)
6 out of 7 found this review helpful
In this wonderfully concise and well written book, Greg Knaddison has managed to cover both the theory and practice of securing your Drupal site as well as your users against the myriad dangers of the internet. As professional Drupal site developers, we pay close attention to security. It is great that we can now have so many userful resources together in one place.
Concise and illuminating December 29, 2009
John De Mott (San Antonio, TX United States)
2 out of 2 found this review helpful
Within 24 hours of reading this book I found and patched a XSS attack on my site at work. It's well written, to the point, and informative. The author goes above and beyond explaining Drupal exploits and shows you how to track them down in the wild using the Drupal CVS repository. Most helpful is knowing how to properly use Drupal's built in security measures that take much of the weight of developing secure code off your shoulders.
Enjoyable to read. Good for both experienced and beginners August 3, 2009
Mark Crandell
3 out of 4 found this review helpful
I've been working with Drupal for 5 years now and have read several books about Drupal. By far this is the most enjoyable to read. It isn't dry but rather easy to read and I've learned quite a bit about security issues.
Only problems are the author talks about some Vulnerable module several time in the the book and so far (haven't finished the book yet) there are no code samples from that module. Example on page 60: "The Vulnerable module contains an example of this problem" . However the author doesn't go into any details on what the example is. I would like to see some code snippets on the Vulnerable module. I have yet to download and look at the module, but I wish it wasn't a requirement. The book is not very long so it could use some more pages of code.
Also other strangeness I noticed the author keeps switching between "he" and "she" throughout the book. Not sure why.
Showing reviews 1-5 of 11
|
|
|
|
