Drupalcon Training: Securing your Drupal site with code and configuration

First things first, please take this survey about Security in Drupal.

Much like at last year's Drupalcon in San Francisco, Ben Jeavons and I will be giving a training about Drupal and Security. When we gave this course at Drupalcon San Francisco, 88% of survey respondents said they would take the class again! We took all the feedback from last time and are working to make the experience even better.

The course is a mix of presentation, demonstration, guided hands-on work, and self-exploration. We end the day with an hour where folks explore a vulnerable site looking for weaknesses, and then wrap it all up by discussing the weaknesses they found along with all the ones we knew about in the site.

Topics covered:

  1. Insecure configurations
  2. Cross Site Scripting
  3. Cross Site Request Forgeries
  4. Access bypass, the menu system, and permissions
  5. SQL Injection and the database API

Perhaps the best quote from the 2010 training:

Ben's jQuery administrator logout/change password/site offline demo induced buttock-clenching panic.

Trainings at Drupalcon

This is one of more than 30 trainings that will be given on March 7th, the day before normal Drupalcon Chicago sessions kick off. It's a really amazing list of training providers and topics, and we're excited to be among them.

If you aren't interested in security, you should definitely consider signing up for some of the other courses. Even if you've already purchased your ticket to Drupalcon, you can always add a training on the registration form.

Drupal security survey

To prepare for the training, for the presentation, and just to get a better sense of what people think about security in Drupal, we are hosting a survey to collect some organized feedback from folks. Please take 5 minutes and fill it in.