Cracking Drupal

As a member of the security team I have seen a lot of code and what can go wrong with it. This talk aims to educate you about the OWASP Top 10 and share some experience about web application security, including:

  • XSS, CSRF, access bypass, SQL injection and DoS explained
  • Secure configuration (web server, file permissions, etc.)
  • Tools and Modules to improve security on your site

I will show you a few common mistakes that Drupal developers make when they write code and how they can be avoided.

This session is relevant to all PHP web applications, but the code examples are mostly from Drupal core 7.x and 8.x. The session will also touch on some security improvements in Drupal 8, such as auto-escaping in the Twig template engine (XSS prevention) and built-in CSRF token support in the routing system.
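To make the three headline topics concrete, here is an added illustration in plain PHP. It is not code from the session or from Drupal core; the Drupal 7 and 8 equivalents are named in comments so you can map each mistake to the API that avoids it. The user table, the session array and the inputs are constructed for the demo.

```php
<?php
// Added illustration of the XSS, CSRF and SQL injection mistakes named in
// the abstract. Plain PHP, not Drupal core code; the Drupal 7/8 equivalents
// are noted beside each fix. All data below is constructed for the demo.
declare(strict_types=1);

// --- XSS: encode output for the HTML context ----------------------------
// Mistake: interpolating user input straight into markup.
function render_comment_unsafe(string $comment): string {
    return "<p>$comment</p>";   // a <script> tag in $comment is rendered as-is
}

// Fix: encode for HTML. Drupal 7: check_plain(); Drupal 8: Html::escape(),
// or simply let Twig auto-escape {{ comment }} (never |raw on user data).
function render_comment_safe(string $comment): string {
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// --- CSRF: a per-session token bound to the action being protected ------
// Drupal 7: drupal_get_token($value) / drupal_valid_token($token, $value).
// Drupal 8: add "_csrf_token: 'TRUE'" under requirements: in *.routing.yml
// and the routing system validates the token for you.
function csrf_token(array &$session, string $action): string {
    if (empty($session['csrf_seed'])) {
        $session['csrf_seed'] = bin2hex(random_bytes(32));   // per-session secret
    }
    return hash_hmac('sha256', $action, $session['csrf_seed']);
}

function csrf_valid(array $session, string $action, string $token): bool {
    if (empty($session['csrf_seed'])) {
        return false;   // no session seed: nothing could have issued a token
    }
    $expected = hash_hmac('sha256', $action, $session['csrf_seed']);
    return hash_equals($expected, $token);   // constant-time comparison
}

// --- SQL injection: placeholders, never string concatenation ------------
// Drupal 7: db_query('... WHERE name = :name', [':name' => $name]);
// Drupal 8: the same call on \Drupal::database(). Plain PDO shown here.
function find_user_unsafe(PDO $db, string $name): array {
    $sql = "SELECT uid, name FROM users WHERE name = '$name'";   // $name closes the quote
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function find_user_safe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT uid, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);   // driver binds the value, no parsing of $name
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Constructed demo -----------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$payload = '<script>alert(document.cookie)</script>';
echo render_comment_unsafe($payload), PHP_EOL;   // script tag survives
echo render_comment_safe($payload), PHP_EOL;     // angle brackets are entity-encoded

$session = [];
$token = csrf_token($session, 'node/1/delete');
var_dump(csrf_valid($session, 'node/1/delete', $token));   // same seed and action
var_dump(csrf_valid($session, 'node/2/delete', $token));   // token bound to another action
var_dump(csrf_valid([], 'node/1/delete', $token));         // no session seed at all

$injection = "' OR '1'='1";
echo count(find_user_unsafe($db, $injection)), ' row(s) from the unsafe query', PHP_EOL;
echo count(find_user_safe($db, $injection)), ' row(s) from the safe query', PHP_EOL;
```

Run it with `php example.php` (needs the pdo_sqlite extension). The unsafe query returns every user because the input turns the WHERE clause into `name = '' OR '1'='1'`; the prepared statement returns nothing because the same string is matched literally. The CSRF token is an HMAC over the action name keyed by a per-session secret, so a token captured for one route cannot be replayed against another, which is the same property Drupal's token API gives you.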

Other events this was presented at:

DrupalCon Dublin

Drupal Nights (Boston)


About the speaker:

  • Top 10 core contributor for Drupal 6 and 7; top 25 Drupal 8 contributor
  • Member of the Drupal Security Team since 2008
  • Speaker at multiple DrupalCons and other conferences and camps
  • Organizer of the monthly central NJ Drupal meetup
  • Organizer of DrupalCamp NJ from 2012 through 2019
