This article contains the slides from a presentation I gave at Drupal Camp Dallas 2012.
The description from the camp website:
We’ll examine 10 “mini case studies” of security holes. These are based around examples of real problems found on clients' sites while performing security audits. This will be in an “anti-patterns” style of discussing what not to do.
Each example will be discussed at the configuration or code level. We’ll walk through how the issue could be used to “hack” the site, and how to fix it.
All levels of Drupal knowledge are welcome, as this talk will cover a range of experience levels. The first 3 cases are beginner level, based around configuration and module-based solutions. The next 4 are more intermediate, and the final 3 will move into full custom code examples which seem secure but have hidden vulnerabilities.