DevStandards MCP Server

# OWASP Top 10 2021 Resources for PHP/Drupal Development This document contains comprehensive resources for implementing OWASP Top 10 2021 security standards in PHP and Drupal applications. ## Official OWASP Resources ### Main Documentation - **OWASP Top 10 2021**: https://owasp.org/Top10/ - **OWASP Top 10 Project Page**: https://owasp.org/www-project-top-ten/ - **OWASP Cheat Sheet Series**: https://cheatsheetseries.owasp.org/ ### Specific Vulnerability Pages 1. **A01 Broken Access Control**: https://owasp.org/Top10/A01_2021-Broken_Access_Control/ 2. **A02 Cryptographic Failures**: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/ 3. **A03 Injection**: https://owasp.org/Top10/A03_2021-Injection/ 4. **A04 Insecure Design**: https://owasp.org/Top10/A04_2021-Insecure_Design/ 5. **A05 Security Misconfiguration**: https://owasp.org/Top10/A05_2021-Security_Misconfiguration/ 6. **A06 Vulnerable and Outdated Components**: https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/ 7. **A07 Identification and Authentication Failures**: https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ 8. **A08 Software and Data Integrity Failures**: https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/ 9. **A09 Security Logging and Monitoring Failures**: https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/ 10. **A10 Server-Side Request Forgery**: https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery/ ## PHP-Specific Resources ### Configuration and Security - **PHP Configuration Cheat Sheet**: https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html - **PHP Object Injection**: https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection - **PHP and OWASP Top Ten**: http://www.sklar.com/page/article/owasp-top-ten ### Injection Prevention - **SQL Injection Prevention**: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html - **Injection Prevention Cheat Sheet**: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html - **Code Injection**: https://owasp.org/www-community/attacks/Code_Injection - **SQL Injection**: https://owasp.org/www-community/attacks/SQL_Injection ## Drupal-Specific Resources ### Official Drupal Security - **Drupal Security Team**: https://www.drupal.org/security - **Writing Secure Code**: https://www.drupal.org/docs/security-in-drupal - **SQL Injection Prevention**: https://www.drupal.org/docs/security/sql-injection - **Cross-Site Scripting Prevention**: https://www.drupal.org/docs/security/cross-site-scripting - **Access Control**: https://www.drupal.org/docs/security/access-control ### Drupal API Security - **Sanitization Functions**: https://www.drupal.org/docs/drupal-apis/sanitization-functions - **Form API**: https://www.drupal.org/docs/drupal-apis/form-api - **Routing System**: https://www.drupal.org/docs/drupal-apis/routing-system - **Entity Access API**: https://www.drupal.org/docs/drupal-apis/entity-api/access-control ### Drupal Security Modules - **Security Review**: https://www.drupal.org/project/security_review - Automated security testing - **Paranoia**: https://www.drupal.org/project/paranoia - Reduces risks from misconfiguration - **Security Kit (SecKit)**: https://www.drupal.org/project/seckit - Implements various security hardening - **Encrypt**: https://www.drupal.org/project/encrypt - Provides encryption API - **Key**: https://www.drupal.org/project/key - Manages keys for encryption - **Two-factor Authentication (TFA)**: https://www.drupal.org/project/tfa ## Training and Educational Resources ### Interactive Learning - **Security Journey - The Diligent Developer**: Resources for OWASP Top 10 training - **OWASP WebGoat**: Practice application for learning vulnerabilities - **OWASP Juice Shop**: Vulnerable application for security training ### Conference Talks and Transcripts - **Tag1 Consulting OWASP Series**: - A01 Broken Access Control: https://www.tag1consulting.com/transcript-owasp-2022-a01-intro-broken-access-control - A02 Cryptographic Failures: https://www.tag1consulting.com/transcript-owasp-2022-a02-cryptographic-failures ### Presentations - **Security in Drupal: What Can Go Wrong?**: https://slides.benjifisher.info/owasp10-drupal-2023-nerd.html - **MidCamp Security Session**: https://www.midcamp.org/2023/topic-proposal/security-drupal-what-can-go-wrong ## Implementation Examples ### Code Examples Repository - **OWASP Top 10 GitHub**: https://github.com/OWASP/Top10 - **Cybersecurity Notes**: https://github.com/3ls3if/Cybersecurity-Notes (includes OWASP examples) ## Testing Tools ### Drupal-Specific - **Drupal Security Checklist**: Pre-launch security review - **Drupalgeddon Checker**: Tests for specific vulnerabilities ### General PHP/Web - **OWASP ZAP**: Web application security scanner - **Burp Suite**: Web vulnerability scanner - **SQLMap**: SQL injection testing tool ## Best Practices Summary ### For Drupal Developers 1. Always use Drupal's APIs (Database, Form, Entity Access) 2. Keep Drupal core and modules updated 3. Use Composer for dependency management 4. Implement proper access controls on all routes 5. Sanitize all user input 6. Use Twig's auto-escaping features 7. Configure proper error handling for production 8. Implement security headers 9. Use HTTPS everywhere 10. Log security events ### PHP Configuration Hardening 1. Disable dangerous functions (eval, exec, system) 2. Set proper error reporting levels 3. Configure session security settings 4. Limit file upload sizes and types 5. Use proper file permissions 6. Enable security extensions (Suhosin/Snuffleupagus) ## Compliance and Standards ### Related Standards - **PCI DSS**: For payment card data - **GDPR**: For personal data protection - **ISO 27001**: Information security management ### Drupal-Specific Standards - **Drupal Coding Standards**: https://www.drupal.org/docs/develop/standards - **Drupal Security Coding Standards**: Part of overall coding standards ## Regular Review Checklist 1. [ ] Run Security Review module 2. [ ] Check for Drupal security updates 3. [ ] Audit user permissions and roles 4. [ ] Review custom code for vulnerabilities 5. [ ] Test input validation and sanitization 6. [ ] Verify HTTPS implementation 7. [ ] Check error handling configuration 8. [ ] Review logging and monitoring 9. [ ] Update dependencies (composer audit) 10. [ ] Perform penetration testing ## Additional Resources ### Books - "Cracking Drupal" by Greg Knaddison - "OWASP Testing Guide" - "OWASP Code Review Guide" ### Communities - Drupal Security Team - OWASP Slack/Discord channels - Drupal security-focused contrib modules This document should be regularly updated as new vulnerabilities are discovered and new defensive techniques are developed.