Event Type: 
Waltham, MA

This course offers a basic introduction to security when developing modules, themes and site building within Drupal. Students will learn common web application vulnerabilities and exploits, as well as the common ways to guard against them when working with Drupal. Topics will range from basic site configuration of permissions to introductions to SQL injection and other more advanced attacks. Students also will have the opportunity to understand how hackers work by participating in hands-on exercises exploiting and recovering Drupal sites. At the end of the course, students should have a good understanding of basic security risks and how to protect their sites, and be ready to dive deeper into the more complex aspects of web application security if they desire.


This course is written for intermediate to advanced Drupal developers with little to no security experience. Students should be proficient with PHP, JavaScript and MySQL, and with developing in all of these languages within the Drupal CMS. Students should be comfortable setting up a local Apache environment for Drupal development as well as working with Drush. Students are expected to have a working Apache, PHP and MySQL install on their machine when they arrive for the class.

Course Learning Objectives: 
  • Discuss common web application vulnerabilities and how they apply to Drupal
  • Demonstrate proper Drupal coding practices for security including writing secure queries, preventing any user injection of JavaScript and understanding proper usage of access control within code.
  • Understand proper configuration of Drupal for security including input filters, permissions, password obfuscation and other hardening measures.
  • Discuss best security practices and options when working with Acquia Cloud.
  • Have a basic understanding of how to recover a Drupal site from an attack, using the Security Review module, code scans and manual vulnerability testing.
  • Have introductory-level experience of how SQL injection, XSS and other exploits are used, and of how to write these exploits, in order to know how attackers work and how to prevent such attacks.
  • Have a general understanding of SSL.
  • Be prepared for further learning and deeper dives into specific vulnerabilities and more advanced security topics.
Additional Information: 

The training sessions will be held from 10AM to 5PM. If possible, try to arrive between 9:30 and 9:45, so that we can get any technical issues solved and start the session promptly. If you have any questions about the course, you may contact the trainer at bfisher@isovera.com.