This chapter takes a horribly insecure module and makes it secure. As you have seen, the changes are not all that drastic or difficult. In most cases, it is easier and more reliable to write the code to be secure. The first level of security issues is generally easy to fix: XSS, SQL injection, CSRF, and accidental session changes can usually be identified and fixed in a matter of minutes or a few hours. You should now feel fully able to identify and fix these problems and, where appropriate, report them to the Drupal security team.
There are, of course, many more weaknesses that are harder to find. The issue of a denial of service from displaying all the nodes cannot be identified by a code scanner. Instead it takes knowledge of the site, the code, and a paranoid perspective to identify the potential problem. This paranoid perspective is a good one to maintain as you write, review, and implement features on your site.
Was this article helpful?