If you are looking for slides from last Drupal meetup in Prague, Czech Republic, here you go. I gave a presentation about Drupal Security (again :)

Even if most of us will not get to Drupalcon, we still have our Security Cheat Sheets there. Get them at any of the security presentations. This is an online version of the sheet:

Basic standards

• Avoid FTP at all cost
• Use SCP, FTPS or SFTP
• Is your hosting safe? http://tinyurl.com/safe-hosting
• Use Suhosin with PHP http://tinyurl.com/suhosin-drupal
• Backup your files, database. Store the backup off-site

Stay on track

• Enable e-mail status at Reports -> Available updates -> Settings

Drupal Forms API is a great tool for creating Forms in Drupal. It is very secure and protects both the user and developer against things like Cross Site Request Forgery or Cross Site Scripting attacks. There are however certain parts that have been confusing for developers for a long time now.

Checkboxes & Radios

FAPI Checkboxes and radios #options aren't automatically protected against Cross Site Scripting. You, as the developer, have to take care of that manually.

Code

There are definitely many webhosting companies around, some of them good and most bad :) How to choose between them in terms of security?