Cracking Drupal - Drupal Security book, talks, and review service

Submitted by chx on Mon, 02/01/2010 - 14:49

It's nearly 6 months since the release of Cracking Drupal, which makes for a nice milestone to talk about the book and mention a few related developments. Cracking Drupal was written by me (Greg Knaddison - or "greggles") with reviews and assistance from various members of the community, with the well-known Károly Négyesi (chx) as the main technical editor.

The book's target audience is broad: site admins who know a little coding, developers who are deep in module development and selection, and front-end developers (aka themers) who modify their template.php and tpl.php files.

The story behind the book

The underlying motivation for this book was to better educate the Drupal community about security best practices. I started working with the Drupal Security team in 2007, shortly before Drupalcon Barcelona. Then, as now, the team was composed of some of the best and brightest of the community, which means they are often quite busy: the team is frequently overwhelmed with work. Based on discussion at Drupalcon Barcelona, I decided to work on educating the community about security to hopefully reduce the number of vulnerabilities in core and contributed modules/themes. I began by revising, adding, and updating the handbook pages (secure configuration and writing secure code) and presenting at Drupalcamps and Drupalcons on the topic. Shortly after I began that work, Wiley approached me with the idea of writing a book on the topic. So I got down to work writing it, and 9 short months later the book was published.

About the book

The book is split into three broad pieces. The first two chapters give a review of common security vulnerabilities so that readers have a solid understanding of what the problems are. Part 2 runs from chapter 3 through 8 and covers how to protect your site - first by configuring it safely and possibly adding modules and then through secure coding practices. One benefit of reviewing how to code securely is that readers will also learn how to code properly: Drupal's API is meant to provide developers security by default.

Part 3 takes the conceptual basis from the first two parts and puts it to the test. Chapter 9 shows the reader how to take advantage of a vulnerability they might find; this helps solidify knowledge of weaknesses and drives home the point that it is really easy to exploit most of these weaknesses. Chapter 10 goes step by step through fixing vulnerabilities in a module to make it safe.

The book has received multiple 5 star reviews on Amazon and great reviews from Aaron Winborn, Chris Shattuck, and Caleb Gilbert.

About the companion site: CrackingDrupal.com

As useful as it is to have a book on a topic, you can't beat the speed of real time publishing on the internet. So, I built CrackingDrupal.com as a place to provide some of the downloadable resources for the book (like free copies of the first chapter), to discuss security issues related to Drupal, and to provide more current information about Drupal security as new changes come up. For example, chapter 3 has a list of modules that can increase the security of a site which needs a little updating. So, Ben Jeavons has created an updated list of contributed modules to better secure your site.

For the curious, you can read about how Evelyn designed and built the speaking tabs on CrackingDrupal.com.


1 response to "Cracking Drupal - Drupal Security book, talks, and review service"

swentel
My favorite!
Post date:
01/02/2010
Comment:

I read it as a bedtime story :)

Signature:

I know I shouldn't, even can't but I am nonetheless

Info

Article full help

Submitted by swentel on Mon, 02/01/2010 - 22:27

This is a detail view of an article. All default node fields are made available by the Node displays module. CCK fields are supported by the ND CCK module, so all widgets are available on the display settings screen. ND CCK also adds extras for node reference fields, an example of which is available on this page.

Last, but not least, between the body and the fivestar field, a block is displayed which is made available as a field in the Display settings. Blocks as fields = ultimate power and no more hassle with visibility settings too.
