There is no question about the importance of regularly updating your Drupal installation, including core, contribs, and libraries.
No matter how you manage the workflow - by using dedicated tools, custom scripts, or just updating the codebase via FTP - keeping the application's third-party code up to date at all times is a must for every open source project.
Without getting into the details of why this is important (in fact we believe our readers don't need to be convinced at all), we decided to imagine the consequences of intentionally ignoring all updates in your project or updating the codebase selectively, when some modules get their new versions regularly and the rest remains outdated.
Michael Schmid, Group CTO at Amazee, leads his team with creativity and an amount of know-how you wouldn't think his age would possess! Amazee Labs, a web-hosting, web-consulting and development company, started their Drupal security of 2016 with Drop Guard. And amazee.io, the just-launched Drupal hosting platform built for developers, has a full integration into Drop Guard.
2nd May 2016: amazee.io just launched their Drupal hosting platform built for developers, which has a full integration into Drop Guard. And that's when our common story started.
The Amazee team is fully dedicated to the Drupal world: "We're a secure, high-performance, cloud-based hosting solution built for folks who love their Drupal sites as much as we do".
Encryption has gone mainstream. Thanks to the numerous data breaches (781 during 2015 in the U.S. alone) data security is a top priority for businesses of all sizes. Semi-vague language like “we ensure our data is protected” from IT teams is no longer good enough to satisfy the concerns of business executives and their customers. CEOs are losing their jobs and companies are suffering financial losses/fines that reach into the millions of dollars when poorly encrypted or un-encrypted data is lost.
The Drupalgeddon vulnerability, also known as SA-CORE-2014-005, affected millions of websites back in 2014, and we believe it started a new era for the Drupal community. It became apparent that if you don't want to put your website or business at huge risk, it's not enough to check its status once a month, or even once a day - you should be continuously and tirelessly scanning all available sources of information for potential security vulnerabilities in your code, and be prepared to take immediate action.
We, at Drop Guard, are extremely concerned about all things Drupal security. Security is not something that can be taken for granted after ordering a security review, or passing through a "security checklist", or even after switching to Drop Guard for updates handling. We should always remember that security is a continuous process, and it consists of numerous bits and pieces requiring your attention all the time.
Luckily enough, Drupal is a highly modular system, and instead of reinventing the wheel we can take advantage of existing, battle-tested solutions aimed at helping us ensure continuous security for our applications.
We've collected what we consider the essential security-related modules and split them into two categories - passive (designed to monitor and provide information) and proactive (designed to take action or change application configuration to ensure stronger security).
6 January 2016 was a memorable day for the Drupal community. Probably for the first time since Drupalgeddon, a vulnerability with the potential to affect millions of websites was discovered. The report on the insecure Drupal update process, published by IOActive, got immediate traction and responses from Acquia, the Drupal Security Team and major players in the community.
David Snopek rounds out our "Drupal Security Expert Interview" series! He is the founder of myDropWizard.com and a long-time Drupal developer and community member. Among other things, he co-maintains the Panopoly distribution, is a member of the Drupal Security Team, and co-organizes the local Drupal meetup group in Milwaukee, WI. Enjoy his expert assessment below!
In this second interview of the "Drupal Security Expert" series we're pleased to welcome Mike Gifford. Mike is the president of OpenConcept Consulting Inc, a Canadian Benefit Corporation that specializes in open-source web development and hosting. He is a Drupal 8 Accessibility Maintainer and is also passionate about security and privacy. He is the author of Drupal Security Best Practices, a practical guide which summarizes many of the ways to tighten the security of your Drupal site and is available for free at http://openconcept.ca/drupal-security
Greg Knaddison is a longtime member of the Drupal Security Team and was its Team Lead for two years. He currently leads the engineering team at CARD.com, a mobile alternative to traditional branch banks. In 2008, Greg published Cracking Drupal, the only book to cover the topic of securing Drupal sites. In the interview below he reveals his security expert assessment of current questions about Drupal 8 - get secure!