left-click blog

Book review: "Cracking Drupal: A Drop in the Bucket"

I finished reading “Cracking Drupal: A Drop in the Bucket” recently, which Alfred at the River Valley Tech Collective gave to me as a gift when I mentioned it looked interesting (thanks!).

The book is by Greg James Knaddison, or greggles. He's a well-known member of the Drupal security team and, it turns out, a good writer when it comes to Drupal.

I would recommend this book for people who have dealt with some custom PHP code in Drupal and who don't know the ins and outs of (for example) functions like check_plain(), session_save_session() and the Drupal node access system.

The book has a lot going for it. It's compact (134 pages not counting appendixes), which is nice if you don't have a ton of time. More importantly, it puts Drupal security in perspective very well. For example, a choice quote is:

“A recent analysis of a high-profile Drupal site by a well-regarded security firm found roughly 120 security issues: One was a weakness in Drupal core when combined with certain contributed modules, a handful were in other contributed or custom modules, and then all of the rest were in the custom theme that was created for the site.”

With that knowledge you can focus more attention on making things easier and safer for your themers by checking input before passing it off to them in template files.
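As an added illustration of that approach (my example, not code from the book or its vulnerability module), here is a Drupal 6 module that sanitizes every variable before handing it to its template, so the themer only ever prints safe values. The module name example_widget, its theme hook and its variables are hypothetical.

```php
<?php
// Added example, not from the book or the post. Drupal 6 API; the module
// name (example_widget) and its variables are hypothetical.

/**
 * Implementation of hook_theme(): a themeable "card" rendered by a template.
 */
function example_widget_theme() {
  return array(
    'example_widget_card' => array(
      'arguments' => array('name' => '', 'bio' => '', 'homepage' => ''),
      'template'  => 'example-widget-card',
    ),
  );
}

/**
 * Preprocess for example-widget-card.tpl.php.
 *
 * Every value that reaches the template has already been made safe here, so
 * the themer can simply print it. The raw values are kept under a 'raw_'
 * prefix only for code that knows it must escape them itself.
 */
function template_preprocess_example_widget_card(&$variables) {
  foreach (array('name', 'bio', 'homepage') as $key) {
    $variables['raw_' . $key] = $variables[$key];
  }
  // Plain text shown literally: HTML-escape it.
  $variables['name'] = check_plain($variables['raw_name']);
  // Rich text where limited markup is allowed: strip everything else,
  // including script tags, event-handler attributes and javascript: URLs.
  $variables['bio'] = filter_xss($variables['raw_bio'], array('a', 'em', 'strong', 'p'));
  // A user-supplied link: drop dangerous URL schemes; check_url() also
  // escapes the result so it is safe inside an href attribute.
  $variables['homepage'] = check_url($variables['raw_homepage']);
}

/*
 * example-widget-card.tpl.php can then be written by a themer without
 * knowing which values came from users:
 *
 * <div class="widget-card">
 *   <h3><?php print $name; ?></h3>
 *   <div class="bio"><?php print $bio; ?></div>
 *   <a href="<?php print $homepage; ?>">Homepage</a>
 * </div>
 *
 * The unsafe version is the same template receiving the raw values, which
 * is where the custom-theme XSS issues quoted above typically come from.
 */
```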

Knaddison also makes a good case for keeping your core install and modules up to date, as well as your entire web server stack (tons of websites, and computers for that matter, are attacked using security holes that were discovered and fixed months earlier). He gives a good introduction to subjects like the node access system and automated vulnerability testing.

For security flaws, the book focuses on the most common ones: XSS, access bypass, CSRF and SQL injection. It uses real modules as examples, as well as the author's vulnerability module. I thought Knaddison did a fine job covering some specific issues, but I was expecting some more complex issues and real world flaws to be discussed as well. I was familiar with many of the problems he discussed, but also picked up some good tips. So in the end it was a good experience.

The price of the book ($40, but $26.40 at Amazon which isn't bad) is a little steep even for a computer book considering how short it is. The appendixes, glossary and index bring the page count to 219. But I felt the section on installing Drupal 6 was out of place and too long. The function reference was useful, but missed a few functions described by the book.

All in all, the book might not be for the most hardcore of us Drupalers, but I think it has some useful tips for most of us.