[documentation] security pages in handbook
Laura Scott
laura at pingv.com
Sun Oct 14 15:48:06 UTC 2007
Greg, I think this is a great idea. I have a concern that this
hierarchy might miss some important user experiences when the
audience/users you identify go to the security area of the
documentation.
> ++Proposed hierarchy:
> 1) Security team, including our processes - http://drupal.org/node/
> 32750
> 2) Coding - http://drupal.org/writing-secure-code
> 2.a.) breakdown of specific topics by "what you want to
> do" (current system)
> 2.b.) cross-reference of 2.a. broken down by attack vectors (e.g.
> XSS) and how to prevent them
> 3) Drupal Configuration Weaknesses (e.g. filters, permissions, etc)
> 4) Web Server Configuration Weaknesses (e.g. allowing the apache user
> to write to all files)
> 5) Useful security related contrib modules (remember me, paranoia,
> login_security, openid)
What if we focus on what the user might be asking in going to these
pages? We could focus on the fundamentals from the perspective of the
question asker. In that sense, perhaps a structure might be:
0. Drupal Security Update releases. (This should be the first and
last thing on the main page, imho. Maybe a direct link to the email
subscription page, too.)
1. Why pay attention to security?
(I suggest this because many admins and evaluators are unaware that
security updates are important to pay attention to and deploy. They
come looking for free software and maybe heard great things about
Drupal. Even many coders out there also seem to be rather ignorant of
security issues. Witness how many [insecurely] hacked versions of
core are being brought to consultants for repairs etc. It may seem
obvious to us that security is essential, but the ignorance out there
re even the importance of the subject is appalling.)
2. Secure site administration: Making your Drupal site secure.
(Starting at the site admin level, most basic: Secure Drupal
configuration settings, basics on filters, permissions, etc.)
3. Secure systems administration: Configure your server with security
in mind. (e.g., apache permissions, etc.)
4. Secure Drupal development: Writing secure code. (An entire section
for developers. Include all appropriate sub-topics.)
[Then moving on to resources, but keeping the items top-level so they
are visible and easy to find and get to....]
5. Helpful modules. (paranoia, openid, update status, etc.)
6. Drupal Security Update releases. (A reminder that this is where
the latest security updates can be found. Maybe a direct link to the
email subscription page, too.)
7. The Drupal Security Team (who, what, how, etc.)
I don't mean to diminish the importance of the fabulous people
working on this by putting this last, but from an end user standpoint
the "who" is the last question when it comes to security. It's the
reassurance at the end, that excellent, capable people are "on the
job" regarding security (and maybe an invitation for security-savvy
community members who might want to offer their expertise?).
??? Do we also want a section like "What to do if your site has been
hacked"? This could be some hints and resources on diagnosing what
has happened, because if you already have a problem, you can't solve
it until you've figured out what happened, right? This could be a way
of generating case studies that illustrate why all these best
practices are so important.
Is this helpful?
Laura
More information about the documentation
mailing list