A study from North Carolina State University found that projects using open source libraries are updated 60% more often when updates are delivered automatically via pull requests. The study is based on 7,470 repositories on GitHub. This blog post summarizes the most important facts and highlights the methods, challenges and tools involved in using automation to reach a higher security level while working with open source libraries.
There are 3 main reasons why open source updates are a pain for developers
Developers are always busy and doing updates is no fun
Our CEO Manuel spoke at the IPC 2017 in Munich about DevSecOps automation. We took a look around and picked the two other security-related sessions that caught our eye.
Dip Your Toes in the Sea of Security - by James Titcumb
Two days ago another highly critical security update affected Drupal and many other CMS systems. It concerned the PHPMailer library, which leaves millions of websites vulnerable to remote exploitation (see https://www.drupal.org/psa-2016-004 for details). Compared to Drupalgeddon, which had a risk score of 25/25, this update is rated 23/25. BUT there are some things that make this update even riskier than Drupalgeddon:
A lot of Drupal community members who are interested in or already use Drop Guard were waiting for this ultimate guide on continuous security in Drupal. Using Drop Guard as a daily routine improved update workflows and increased the efficiency of website support for all of our users. But there were still a lot of blind spots and unexplored capabilities, such as using Drop Guard as an "SLA catalyser". So we've put our heads together and figured out how to share this information with you in a professional and condensed way.
It's no secret that Drupal's success depends heavily on the collaborative community culture and the continuous communication process between all members of the community. It’s not for nothing that we embrace the “come for the code, stay for the community” mantra.
Today we're asking you - an agency, freelancer or a lone webmaster - to think with us a little bit about the quality of security protection your service provider delivers to ensure your website and online services are running smoothly.
We want to thank Tim Wayne from UAB Collat School of Business for the following security guest post!
Despite the news of security exploits and data breaches that shakes our confidence in information security on a daily basis, one of the biggest threats to security at work continues to be carelessness — at least according to the majority of business owners and managers as illustrated in the graphic below.
Dublin, 27 Sept. 2016. “Describe the DrupalCon in just one word!” - “EXCITING!”
First of all, I want to thank everyone who made my first DrupalCon this awesome and extra special!
Our whole team enjoyed a week full of new experiences, great sessions and - of course - old and new friends! The place, Dublin, was perfect to “seal” a new friendship or strengthen an old one with a good morning coffee (thanks to Commerce Guys by actualys and Mailchimp, the two coffee break sponsors!) or a good cold Guinness (I tried to remember the bar names, but actually I guess I sealed a lot of new friendships..).
Being casual about open source security is not funny. Headlines like the Panama Papers this year showed that careless handling of security and updates can cause huge damage. Fees are still a crucial reason why people hesitate to secure their business with paid services. This is not a pity - this is grave.
There are many people out there who give a lot without receiving a reward. They see more benefit in helping and strengthening people, any kind of living being or purpose, than in a regular salary.
As always, the Drupal Security Team did an excellent job, and the news on the security vulnerabilities reported on Wednesday wasn't a bombshell for most of us. Everyone had a chance to prepare and pre-allocate resources to take all measures necessary to patch the supported websites.
A quick recap for those who missed the buzz or are just slowly waking up right now.
Two weeks ago we decided to run a little survey asking Drupal folks one simple but provocative question: “Why I don’t update my website continuously”. I decided to present the results to you - and I can tell you that some serious voices came out!
First, I want to speak highly of at least 38 of the 78 participants, who actually update their website continuously and seem to know exactly what would happen if they didn’t.