A review of Cracking Drupal: A Drop in the Bucket

Cracking Drupal: A Drop in the Bucket is the first book specifically discussing vulnerabilities in the Drupal Content Management System. However, is it all it's 'cracked up' to be? 

Well, you will have to decide for yourself. I would recommend this book for Drupal administrators, because it is available for a good price on Amazon and will get you thinking about security in Drupal, but if you are a seasoned Drupal veteran you may want to give this a pass. That said, I do have some issues with the book. First, let's take a look at the description:

Uncover threats and protect your Drupal® site with proven strategies

What is the worst-case scenario if your Web site gets attacked and the security is broken? By following the strategies in this guide, you don't have to find out. It first walks you through the vulnerabilities you'll face and the steps you should take to protect a basic Drupal site. You'll then discover how to review a module to find weaknesses and fix them. And you'll learn how to keep your site running securely by implementing more advanced techniques.

Take control of your site by learning how to:

  • Prevent the common ways that Drupal gets cracked
  • Uncover parts of the attack surface that can expose your site
  • Install extra modules and configure Drupal to maintain your site's security
  • Control the security of your site using Drupal's API
  • Utilize the Drupal Access system to limit who can see specific content
  • Test your site with automated scanners like Grendel
  • Follow strategies to find, exploit, and avoid vulnerabilities
  • Leverage resources from the Drupal Security Team

Now, all that sounds dandy, but the problem is that if you are a hardcore developer used to picking up a book on exploits, say The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, then you expect to get really technical. Instead, Cracking Drupal is designed more for the administrator who needs to know more about secure Drupal practices. At times, it feels as if the book is trying to introduce the reader to Drupal itself. So it is actually a good complement to Pro Drupal Development for getting your feet wet if you have been developing on another platform and want a basic introduction to Drupal development. Is that really the book's main audience, though, non-technical Drupal users? I still have my doubts, because a non-technical Drupal user would seem unlikely to pick up a book on coding.

My other peeve with this book is all the jumping around. There are constant mentions of "look at this previous chapter" or "this will be explained more in a later chapter". Just explain it, don't tell me about how you are going to explain it! The worst of this is when the author is writing about the t() function. I was hoping for a discussion of the replacement operators !, @, etc., but it wasn't there. Lo and behold, some time later, when I am reading through the next chapter, a discussion of these operators appears. However, at that point I was no longer thinking about them.

In the end, the book is a win mainly because it will get you thinking about how to secure your Drupal site. Hopefully, future editions will get some better editing and added content that is more focused on the advanced user. That said, I'm very grateful for what the authors do on the security team, and I hope you will pick up their book: Cracking Drupal: A Drop in the Bucket