[documentation] security pages in handbook
Greg Knaddison
greg at pingvox.com
Sun Oct 14 14:47:26 UTC 2007
Hello Folks,
I'm writing to get some feedback about the current security pages in
the handbook and ideas for how to improve them. James Walker and I
have a two phase plan for "security education": step 1 is to make
these documents even easier to read and "better". Step 2 will be
raising awareness about them and teaching based on these documents. I
want to talk about step 1 here.
++Audience:
So far we've identified 3 groups of people we want to target with these pages:
1) Drupal "site admins" who need to know how to configure their sites,
how to get notifications about security updates, and what to do if
they think they have been a victim of a security attack.
2) Drupal coders - people who write modules and need to know how to do
this safely.
3) Evaluators / Managers who are less technical and need justification
that yes, Drupal cares about this and yes, they should too in
prioritizing their budgets and project plans.
++Current hierarchy:
1) http://drupal.org/security-team which contains information about
the team and the processes/procedures for security stuff within the
Drupal project
2) http://drupal.org/writing-secure-code about "writing secure code"
within php/Drupal
2.a.) breakdown of specific tasks and how to do them safely
++Proposed hierarchy:
1) Security team, including our processes - http://drupal.org/node/32750
2) Coding - http://drupal.org/writing-secure-code
2.a.) breakdown of specific topics by "what you want to do" (current system)
2.b.) cross-reference of 2.a. broken down by attack vectors (e.g.
XSS) and how to prevent them
3) Drupal Configuration Weaknesses (e.g. filters, permissions, etc)
4) Web Server Configuration Weaknesses (e.g. allowing the apache user
to write to all files)
5) Useful security related contrib modules (remember me, paranoia,
login_security, openid)
In discussing this with the security team there was some debate about
whether the pages under 2 should be organized by "what you want to do"
or "attack vectors and how to prevent them". I'd love some of your
feedback specifically on that topic.
I'd also love feedback on these sections and these pages in general.
Thanks very much,
Greg
--
Greg Knaddison
Denver, CO | http://knaddison.com
World Spanish Tour | http://wanderlusting.org/user/greg