Florian<br><br>I am copying the security team as well in case someone there is interested in getting in touch with you.<br><br>This page <a href="http://drupal.org/security-team">http://drupal.org/security-team</a> and the pages under it (linked at the bottom) will also provide you with some more information about the security process within Drupal.<br>
<br>And on this page you will find the security advisories, broken into core/contrib/public service announcements<br><br><a href="http://drupal.org/security">http://drupal.org/security</a><br><br><div class="gmail_quote">
On Tue, Mar 31, 2009 at 8:53 AM, <br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hello drupal developers,<br>
<br>
I'm in the process of writing my diploma thesis on the prevention of<br>
web application security vulnerabilities and I'd like to know a bit<br>
about your fine project from the developer's view. It would be great<br>
if you could take a couple of minutes and think about the questions<br>
below.<br>
<br>
The questions are mostly open-ended. Not all may apply to all<br>
developers, but I've chosen to not only address project leads.<br>
Elaborate and skip questions at will.<br>
<br>
Thank you very much in advance. I will provide you with the<br>
results of my thesis when it's done it you want. There will probably<br>
be some findings about what can be done to prevent security<br>
vulnerabilities, in particular XSS and SQL injections in open source<br>
web applications.<br>
<br>
Florian<br>
<br>
The questions:<br>
<br>
About technical aspects:<br>
- Are you using a web application framework? Which one?<br>
- Do you use explicit data modeling for all business objects in the<br>
application?<br>
- Do you have a specific layers for input/output validation/filtering?<br>
(If applicable) What does the input/output layer do (respectively)?<br>
How? Are you using external libraries? Why? Why not? (for HTML<br>
sanitation. object-relational mappers, database abstractions with<br>
prepared statements)?<br>
- (If applicable) What responsibilities do the input/output layers<br>
have, respectively?<br>
- How do you ensure that all input passed through validation/<br>
filtering? Do you have an API that must be used?<br>
- Do you provide services to independently developed modules/<br>
components? Is there a defined API?<br>
- Which other external libraries do you use?<br>
<br>
About the development process:<br>
- Is there public documentation about the responsibilities of the<br>
input/output layers?<br>
- Is there public documentation about *when* input/output validation/<br>
filtering should happen? (Like: "output filtering must always happen<br>
in the method that renders the data")<br>
- Do you have automatic tests for the whole system?<br>
<br>
Bonus question:<br>
- Do you do manual code review?<br>
</blockquote></div><br><br clear="all"><br>-- <br>Khalid M. Baheyeldin<br><a href="http://2bits.com">2bits.com</a>, Inc.<br><a href="http://2bits.com">http://2bits.com</a><br>Drupal optimization, development, customization and consulting.<br>
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra<br>Simplicity is the ultimate sophistication. -- Leonardo da Vinci<br>