How cyber secure is LocalGov Drupal (LGD)?

A platform assessment to give councils the confidence they deserve when choosing LGD as their website solution.

Jamie Garrett
Managing Director, Invuse

20 April 2023
7 min read

Keeping the bad guys out

Cyber security is all about keeping bad guys out and protecting important information. Think of it like putting a lock on our front door. We don’t want anyone to break in and steal our stuff, or worse, harm people. In the same way, we don’t want cyber criminals to hack into our systems and gain access to sensitive data like health records, financial information or government data.

The government has recently rolled out its new Cyber Security Strategy, with a particular focus on building a cyber-resilient public sector. Let’s be real – resilience is key if we’re going to make the UK a cyber powerhouse in a world that’s constantly being shaped by ever-evolving technologies.

The strategy makes it clear that the government is still a prime target for all sorts of malicious actors, with a staggering 40% of incidents in 2020-21 affecting the public sector. Why? Because they offer important services and handle sensitive data, which makes them a juicy target for any hacker looking to make a name for themselves.

We get it – security testing can be a real headache in the development process. Unless you’re a security pro, it’s easy to put it on the back burner until your IT/compliance teams start making some noise. Unfortunately, this can cause major holdups in launching your service, even after all the hard work your comms and digital teams have put in. That’s why we, along with LocalGov Drupal (LGD) and other suppliers, follow an approach to ensure that our services are secure from the outset. By shifting security testing to the left, we establish a baseline for our security posture and provide our clients with peace of mind from the very beginning. This means less delays or headaches caused by security vulnerabilities that are discovered later in the development process.

Together with The SecOps Group, we make sure our services meet the defined security principles for the public sector, resulting in online experiences that are not only accessible and user-friendly, but also secure. So, here’s what we’ve done to give councils the confidence they deserve when choosing LGD as their website solution.

40% of all cyber security incidents in 2020-21 targeted the public sector.

Non-Negotiable Security Standards

The UK Public Sector has been very open and active in promoting the use of open source software’s such as Drupal. One of the reasons for this is the rigorous security testing and auditing process that this type of software abides by, and how proactive the processes are for identifying and fixing any vulnerabilities.

Regardless of any service you use, be it Drupal, Umbraco, WordPress or Microsoft, your websites and any digital services within the UK Public Sector are required to meet specific security standards before the service can be launched. These standards are outlined in the Cyber Assessment Framework (CAF) by the National Cyber Security Centre in the form of 14 key principles, which provides a risk-based approach to security, which suppliers have to prove they meet as part of their service.

Additionally, public sector services are subject to the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), which requires suppliers to prove how their service will protect personal data and sensitive information.

To us folk that specialise in Communications, Digital and/or User Experience, we know we must meet these standards, but how can you be sure that your chosen suppliers and platforms actually do this? The short answer is you shouldn’t have to worry, as the product and/or supplier should proactively provide this for you. With that in mind, here’s how we approached proving whether or not LGD meets these standards.

What is LocalGov Drupal (LGD)?

LocalGov Drupal (LGD) is a community of developers, content designers and digital leaders from local councils across the UK. They collaborate to develop a best practice, open source website publishing platform that is freely available to all UK councils. They work together to improve our own websites, and to create public digital assets for the benefit of all. Together we aim to create sector wide digital transformation by developing a shared pool of code, resources, research and expertise.

Putting LocalGov Drupal's (LGD) Security to the Test

Built on Drupal, LGD is a shining example of the power of open-source collaboration and community-led initiatives. By bringing together councils to work towards building better services for their citizens, this platform showcases the incredible potential of teamwork and shared expertise. Through research-driven insights and a focus on meeting the needs of communities, LGD not only delivers innovative and industry-leading software, but also allows councils with small budgets to benefit from cutting-edge technology. 

With a focus on fostering collaboration within the community, coupled with our commitment to security, we were keen to contribute and promote the excellent work carried out by LGD in revolutionising citizen services for local authorities and the broader public sector over the past three years. We therefore decided to investigate the topic of security with those who are and are not involved in LGD to determine whether the service is truly secure.

Invuse and The SecOps Group worked together to build a scope and design an approach for conducting application penetration testing on the LocalGov Drupal Core Distribution. The aim was to understand and demonstrate how secure LGD actually is out of the box, and provide a report that any council can immediately show to their colleagues in IT/Security. 

To ensure the penetration testing was relevant to everyone using LGD, the scope included all code and features that every installation has out of the box, without any customisations that individual councils may have made.

"After a thorough assessment of the tested LocalGov Drupal web application, we can confidently say that LocalGov Drupal is a secure platform, built by experts following industry best practices."
Sumit Siddharth
Founder of The SecOps Group

Our Battle-Tested Strategy

LocalGov Drupal (LGD) offers a core distribution that councils can enable and benefit from a suite of features that have been developed with councils, for councils based on the real-world needs of their various audience types. In the spirit of open source, they can also work with their in-house developers and/or partners to develop additional features and integrations that can then follow a defined process to release back to the Drupal and LGD community for others to benefit from.

It is crucial to consider that certain councils and their Drupal agency partners may develop extra features or functionality for LocalGov Drupal that are not included in the core distribution. Although these developments may be customised to satisfy specific local government requirements, they may not have undergone testing as part of the platform’s core distribution.

Therefore, it is difficult to verify if they meet expected security criteria outlined in the platform. It is critical to arrange for these additional features to be tested to guarantee that they do not jeopardise the security and stability of your website and potentially affect LocalGov Drupal in the future.

The scope for this security testing was specifically Web Application Penetration Testing on the LGD core distribution codebase, which all councils that are part of the LGD community use regardless of customer development at later stages.

The Testing Frameworks

The frameworks and criterias that were used to deliver the testing against, included:

  • OWASP
  • PTES
  • NCSC CAF 
  • NIST

The Testing Objectives

Based on the scope and the nature of the LGD application, the objectives for this testing were as follows. 

  1. To assist the client in improving their overall security posture as per its security and business requirements.
  2. To gain unauthorised access to the target application/host/system.
  3. To identify security misconfigurations.
  4. To discover instances of sensitive data exposure.
  5. To assess and report weaknesses in the network and/or application.
  6. To advise the customer on additional defence-in-depth measures and industry best practices that could further improve their security posture.

Uncovering the Skeletons in LocalGov Drupal's Closet

Over a period of 10 days of testing, the findings from the assessment included 10 vulnerabilities, none of which were direct risks of exploitation to the LocalGov Drupal application itself, but more best practice guidance on installing and configuring LGD. These included:

0
Informational Vulnerability
0
Low Vulnerabilities
0
Medium Vulnerabilities
0
High Vulnerability

We found some good stuff too!

In addition to the vulnerabilities, the testing also uncovered some positive findings that deserve to be highlighted.

  • The application implemented access controls that prevented the assessment team from exploiting Insecure Direct Object References (IDOR).
  • The assessment team did not find SQL Injection, Operating System Code Injection, or other related vulnerabilities.
  • The applications were available only on encrypted channels such as TLS and no cleartext protocols were in use.
  • The application implemented input validation and output encoding, which prevented the assessment team from identifying and exploiting the Cross-Site Scripting (XSS) attacks.
  • The application implemented robust URL normalisation mechanisms, which prevented the assessment team from identifying and exploiting attacks such as Path Traversal, Open Redirection, etc.

The Bottom Line: LocalGov Drupal's Security in a Nutshell

The truth is, we didn’t find any skeletons hiding in LocalGov Drupal during our application security testing. In fact, the results couldn’t have been better. While the testing did uncover one critical issue and a few medium/low priorities, the critical issue was related to a core module that still exists in Drupal 10 and has already been reported. As for the medium and low priorities, they were a result of decisions made by individual agencies when installing and configuring the distribution, rather than vulnerabilities with the distribution code itself.

Who are Invuse and The SecOps Group?

Teaming up with The SecOps Group brings together three of the fundamental values that the UK Public Sector champions: User Research, Accessibility, and Security. Together, Invuse and The SecOps Group have been working with the UK Public Sector and the Drupal open source community for more than a decade. As proven and trusted suppliers, we have extensive experience in researching, designing, developing, and testing over 50 platforms for a diverse portfolio of 48 clients.

Together, our mission is to help councils create secure, user-focused LocalGov Drupal (LGD) instances that are inclusive and cater to the needs of their end users. We achieve this by empowering councils across the UK with the knowledge and tools they need to design and build LGD instances that are informed by user research, stakeholder and councillor engagement, and accessibility considerations for those who use assistive technologies.

Invuse specialise in crafting inclusive digital experiences for the Public Sector, achieved through our provision of user research, digital accessibility, and content services. With 15+ years Public Sector experience, our mission is to connect the dots between what your users want and your organisation’s goals. We’ll help you discover what users need and deliver quality, inclusive digital communication experiences designed with people at the core.

The SecOps Group

The SecOps Group is a globally recognised IT security company with extensive experience providing cyber security consulting and educational services in the UK Public Sector. Their knowledge and experience ensures they’re well-equipped to support the UK Government in their ongoing efforts to safeguard against emerging threats. Their core belief is that security must be an ongoing process that evolves over time, in response to changing customer needs and the ever-evolving threat landscape.