Security is not a one-time activity that is performed and completed. A mature operation promotes continuous improvement in an ever evolving landscape of threats and mitigation techniques. Where does this leave us in the Drupal community? This presentation focuses on the tools and techniques for promoting security in practice related to Drupal, both the infrastructure and the application. We will explore the different user personas and targeted attacks that can be exploited within typical Drupal applications. I’ll present some high level recommendations for mitigating these attacks, including multiple uses of two-factor authentication, development best practices, security conscious development workflows, continuous integration and DevOps practices, log analysis integration, community contribution, and alert and monitoring solutions. I’ll wrap up exploring future opportunities with emerging topics like secret managers, blockchain, and machine learning.