Drupal is renowned for its flexibility and extensibility, proven by the sheer number of high quality modules available.
By using common modules in Drupal deployments, we not only increase functionality quickly and easily, but massively reduce costs whilst benefitting from community security updates. This approach also ensures complete portability for our clients in the future. These are primary reasons why open source solutions are in such high demand.
The Drupal community has an exceptional security team that performs audits and manages the process of communicating their security update findings to module owners.
As an agency of passionate Drupal developers and active Drupal community contributors, every week S8080 get notifications from Drupal on any security releases along with alerts from other specialist tools we use.
These tools monitor all of the Drupal sites that we maintain, to identify all the relevant updates that need to be made to the Drupal core and the modules running on those sites – this ensures nothing is ever missed.
Our ISO/IEC 27001 secure development policies means we have strict protocols in place to ensure our website and online applications are patched quickly and to reduce exposure to any emerging vulnerabilities. When updates need to be made, we prioritise them based on severity and our team will deploy them to the sites that we mange for our clients. Our clients are therefore assured that their Drupal CMS is running the latest and most secure code.
How is Drupal and the modules kept secure?
If you are interested in understanding a bit more on how Drupal’s security team work, then this is a very interesting article: https://www.acquia.com/gb/node/2023186. Their infographic explains the process so well!
Source: Acquia.com
How does S8080 help the Drupal community keep Drupal secure?
Our Drupal developers are very active in the Drupal development community; it’s common for them to be working on modules and providing updates back to the community. For example, on the 20st April, a commonly used 3rd party module ‘EPSA Crop’ was announced to have a security vulnerability – initially no details were issued to allow the community to react.
This module allows editors to crop the images they upload to their Drupal site, so they don’t have to use third party graphics packages. The owner of this module was no longer available to maintain ESPA Crop, and therefore the central Drupal security team recommended that it should be uninstalled and no longer used. However this would mean that the thousands of sites using the module around the world would suddenly show images uncropped and full-size, causing websites to look terrible – something nobody wants.
This is where s8080 and the Drupal community came into play. We use EPSA Crop to provide an enhancement to the way users manage images in their site, we consider this module to be of importance to us and our clients, so as soon as we were notified of the issue we set about working on a fix for our clients and the whole community.
After quick initial investigations, before the details of the vulnerability were released, we spotted the potential problem and immediately started working on a fix for our Drupal sites and the community as a whole. We deployed the hot fix to the sites that we manage and support to protect them immediately. Once the official security vulnerability details were released, we were pleased to find that our investigations were correct and we were able to submit our patches / fix to Drupal very early for review by the community. Along with our patches and those of other members of the community, an official fix was released. We then set about the process of updating all of our managed sites with the official fix.
In this particular instance, S8080’s proactive approach to security and our interaction with the Drupal community meant that our managed service clients benefitted from very early protection from potential hacking attempts. And without resorting to making their sites look dreadful by removing the module! Just as importantly the community and other websites benefited from our work by getting a fix to the module very quickly.
We think this is a great way to work.
