DrupalCon Amsterdam 2019: OWASP Top 10: What are them and how to prevent them

Ayesh Karunaratne
AKCS, Maradankadawala, Sri Lanka

OWASP is an online community of people who care about web application security (like you and I), and they provide several recommendations to prevent many sorts of online attacks.

This is a 40 minute session that we go through the most common (with OWASP statisitcs), and how we can prevent them. The focus is on PHP language, but the concepts are all the same. PHP 7, 7.1 and 7.2 were released with several feature that can help us with security tightening too, with PHP 7.4 just around the corner will have a few more tricks up its sleeve too!

We will also talk about which type of attacks are most common using historical data of CVEs.: https://st.ayesh.me/files/static/node/185/vulnerability-distrubution.png

CMSs such as Drupal and WordPress provide built-in features that helps us prevent some of these attacks, such as XSS and CSRF (don't worry if these abbreviations make sense, because we will explain them in the talk too!) protection with various approaches.

For each of the vulnerability type we talk about, we will take a look at these built-in protection mechanisms as well as how to implement them in PHP and in Drupal context.

Lastly, we will take a look at some of the recent vulnerabilities, what went wrong, and the rationale behind each of these fixes.

OWASP Top 10 is a vastly widespread topic to cover in a 45 minute session, so this talk will only go through the general ideas and the prevention approaches. It will not make you a security expert at the end of the session, but it will definitely make you aware of these possible vulnerabilities, and how to approach each of them no matter what framework or programming language you use.


This talk was presented in Essen, Germany or SecOSDay, and will be updated to cover recent statistics, threats, and trends.

Drupal is a registered trademark of Dries Buytaert.