Overview of security updates, how bugs are handled, and non-security updates.
There are two primary elements to maintaining a secure Drupal installation: ensuring that your application-specific configuration and code are appropriate and follow best practices, and keeping Drupal core and any modules or themes you've downloaded from Drupal.org up to date.
Incorrect use of core APIs and individual site misconfiguration are the cause of most vulnerabilities and weaknesses. Understanding possible attack vectors, keeping up to date with current best practices, and taking the time to evaluate and understand your unique Drupal installation will go a long ways towards helping you maintain a secure site.
- Understand how to assign roles and permissions in a secure way
- Configure text formats with security in mind
- Use core APIs to validate user input and perform other security best practices
The basic tenets of maintaining a secure site are pretty consistent. Keep track of updates, know how to use APIs properly, and how to write secure code. Most tutorials either provide a broad overview of the types of issues to be aware of, in which case they are likely to remain evergreen. Or they dive deep into a particular problem and related solution, in which case their helpfulness will depend on your use case. Regarding security in Drupal 8, while there are many improvements related to security in this release, it's still quite possible to make your Drupal site insecure, so it remains important to understand security best practices and stay up-to-date with Drupal security updates.