
Peter Wolanin & Moshe Weitzman: Cracking Drupal

Wednesday, September 28, 2016 - 5:00pm to 6:00pm

DrupalCon Dublin

The Convention Centre Dublin
Spencer Dock, N Wall Quay, Dublin 1, Ireland

Security is paramount for almost any web application. We will look at the security best practices that keep your site safe, and take the perspective of an attacker to understand how weaknesses are actually exploited. We will show the common mistakes Drupal developers make when they write code and how to avoid them. As members of the Drupal security team and code review administrators, we have seen a lot of code and what can go wrong with it. We will share our experience on:

  • XSS, CSRF, access bypass, SQL injection, and DoS explained
  • Secure configuration (web server, file permissions, etc.)
  • Tools and Modules to improve security on your site

This session is relevant to all PHP web applications, but the code examples are mostly from Drupal core 7.x and 8.x. The session will also touch on security improvements in Drupal 8, such as auto-escaping in the Twig template engine (XSS prevention) and built-in CSRF token support in the routing system.
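The three defects named above (XSS, SQL injection, CSRF) come down to a small number of primitives, and the Drupal APIs mentioned in the abstract are thin wrappers around them. The following is an added example written for this page; it is not code from the session, from the speakers, or from Drupal core. It is plain PHP with no Drupal bootstrap so it runs offline (`php example.php`), and the comments name the Drupal 7 / 8 API that wraps each primitive. The `csrf_token()` / `csrf_valid()` pair is a hypothetical stand-in for Drupal's token functions, simplified to an HMAC keyed by a session secret; the table, rows and payload string are constructed sample data.

```php
<?php
// Added example for this page, not the session's or Drupal's own code.
// Plain PHP so it runs without Drupal: `php example.php [name]`.
declare(strict_types=1);

// --- XSS: reflecting user input into HTML -------------------------------

// Vulnerable: untrusted input concatenated straight into markup.
function render_greeting_vulnerable(string $name): string {
    return '<p>Hello, ' . $name . '</p>';
}

// Hardened: escape on output. Drupal 7's check_plain() and Drupal 8's
// Html::escape() wrap this same htmlspecialchars() call; Twig in Drupal 8
// applies it automatically to {{ variables }} unless |raw is used or the
// value is a MarkupInterface object that was already made safe.
function render_greeting_safe(string $name): string {
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// --- SQL injection: building queries from input --------------------------

// Constructed in-memory table standing in for Drupal's users table.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (uid INTEGER, name TEXT, mail TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'admin', 'admin@example.com'), (2, 'bob', 'bob@example.com')");
    return $db;
}

// Vulnerable: string interpolation. A name of  ' OR '1'='1  returns every row.
function lookup_vulnerable(PDO $db, string $name): array {
    $rows = $db->query("SELECT uid, name FROM users WHERE name = '$name'");
    return $rows->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: placeholders. db_query('... WHERE name = :name', [':name' => $name])
// in Drupal 7, or \Drupal::database()->query() with the same placeholder
// syntax in Drupal 8, ends up as a prepared statement like this one.
function lookup_safe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT uid, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- CSRF: per-session token bound to the action ------------------------

// Hypothetical stand-in for drupal_get_token($value) / drupal_valid_token()
// in Drupal 7 and the `_csrf_token: 'TRUE'` route requirement in Drupal 8:
// an HMAC over the action (the route path) keyed by a per-session secret,
// so a token leaked for one action does not validate for another.
function csrf_token(string $session_secret, string $action): string {
    return hash_hmac('sha256', $action, $session_secret);
}

function csrf_valid(string $session_secret, string $action, string $token): bool {
    // Constant-time comparison; never compare tokens with == or ===.
    return hash_equals(csrf_token($session_secret, $action), $token);
}

// Demo run. The constructed payload carries both an XSS and an SQLi probe.
$name = $argv[1] ?? "<script>alert(1)</script>' OR '1'='1";
echo render_greeting_vulnerable($name), PHP_EOL;  // script tag survives
echo render_greeting_safe($name), PHP_EOL;        // &lt;script&gt;... inert text

$db = make_db();
echo count(lookup_vulnerable($db, $name)), " row(s) with string interpolation", PHP_EOL;
echo count(lookup_safe($db, $name)), " row(s) with placeholders", PHP_EOL;

$token = csrf_token('session-secret', 'user/2/cancel');
var_dump(csrf_valid('session-secret', 'user/2/cancel', $token)); // bool(true)
var_dump(csrf_valid('session-secret', 'user/1/cancel', $token)); // bool(false)
```

With the default payload the vulnerable lookup returns both rows while the placeholder version returns none, and the escaped greeting renders the script tag as inert text. The CSRF check shows why the token must be bound to the action: a token obtained for cancelling one account is rejected for another.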

Peter Wolanin
Moshe Weitzman

Peter Wolanin: Expert Drupal software developer - one of the top contributors to Drupal 6, 7, and 8 and maintainer of several Drupal contributed modules.

Software engineer and software architect who has built SaaS and PaaS products using AWS, web service integrations, and web applications. Focused on PHP and MySQL programming and on application and platform security, especially Drupal, Drupal hosting, and integration with Apache Solr. Extensive use of Ruby, Bash, and other languages, the AWS API, and Linux system administration including configuration management via Puppet.

Volunteer political organizer, reaching and turning out voters and conducting multiple facets of political campaigns.

Moshe Weitzman: A consistent contributor to Drupal core and contrib since November 2001; as such, he has touched pretty much the whole of the core code. He maintains user.module, the bootstrap code, and the website. See Moshe's CV page here on