Michael Schmid presents their amazee-ing Drupal Security
Michael Schmid , Group CTO at Amazee, conduces his team with creativity and an amount of know-how you wouldn’t think his age would possess! Amazee Labs, a web-hosting, web-consulting and development company, started their Drupal security of 2016 with Drop Guard. And amazee.io the just launched Drupal Hosting platform built for develeopers, which has a full integration into Drop Guard.
We were counting the days until we could present you their thoughts and motivations. We’re happy to welcome Michael, enjoy his answers below!
Hi Michael, great to see you. Let’s dive directly into our interview, there’ll be a lot of how’s and why’s!
Some stirring news just kept the Drupal community busy: the Panama Papers scandal, a lot of rocking Drupal 8 module releases and a lot of hot discussions. What affected your thoughts and daily work the most in the last days?
The scandal itself did not affect our daily work, lucky us! But of course as a Hoster and Drupal Agency we keep ourselves up to date on any technical and security news around the world. So an event like the Panama Papers, where a not updated Drupal maybe even has let to the leak of the data, is very interesting and got discussed quite a lot in the office and our slack channels. Of course it’s good to be reminded how important it is to think about security and updating websites regularly.
Was Drop Guard a good backing these days?
Drop Guard just gives you a good feeling, it let’s you sleep better. To know that there is something protecting you from the crazy world out there allows us to concentrate on what we really should: building awesome websites.
How did you take notice of Drop Guard and why did you decide to start using it for your updates?
Hard to say, I think I heard from it from a lot of different places. I was sold on it when I realized that Drop Guard has these two features:
It allows you to use your existing systems, even your existing Git server. You just need to add an SSH Key to your projects and done. This allows you to keep everything how it was and do not need to change anything on your existing workflows
You can define custom workflows inside of Drop Guard. Like to deploy Highly Critical Patches fully automatically to the production environment, and for regular feature upgrades to a testing branch, which then can be tested by the team and client.
How much time did you spend on updates before you employed Drop Guard?
It’s hard to say, we didn’t really have a good process around it. It was mostly me reading the security announcements every wednesday and if something had to be upgraded to either upgrade it myself or on the next day together with the team. A not very sustainable and scalable process.
Drupalgeddon - did this specter impact your business back in 2014, before you could defend your business with Drop Guard from Drupalgeddon’s repercussion in 2016?
Fortunately we were prepared :) The Drupal Security Team announced already a couple of hours before, that there will be a very important security update for Drupal Core. So we basically all stayed in the offices on this wednesday evening and waited for the patch to be released.
The first reaction was definitely: “oh wow”
After the first small shock, we started to apply the patch to all our sites. We already had at that time fully automated deployment systems, so we only had to commit the patch into our Git repositories and our systems took care of deploying the patch.
It took us roughly 3 hours to upgrade the 70 Drupal 7 sites we had at that time.
Our waiting and fast reaction proofed us right: Couple hours later there were already first exploits circulating in the internet. Plus our honeypot website, which specifically does not have Drupal patched, got hacked a couple of days later.
But as we survived Drupalgeddon very well, it was definitely scary and eye-opening for us.
“Update your Drupal projects automatically, otherwise ….”
... it will go bad, so bad that you even can unintentionally change the world, like in the case of the Panama Papers.
Are there benefits for your clients and your business you can point out since you used Drop Guard?
It’s a huge timesaver and we finally have a process around keeping our more than 100 Drupal sites up to date and secure.
Our clients are happy because they know that their sites are secure and my developers are happy because they not only can focus on what they like do most.
Of course initially the costs can maybe sound scary, but the amount that somebody spends on unhacking a website or just upgrading a website that has not been upgraded for 2 years is very very high and much more expensive.
Tell us more about the reason why you decided to partner with Drop Guard and amazee.io
Amazee.io is fully focused on the developer, to make their daily live easier. So we’ve built local development environments which are exactly the same setup like our development or production environments. Or fully automatically deployments, where you just need to push your code in your Git.
To partner with a tool like Drop Guard was just a logical step for us, the easier it is for developers to keep their sites up to date, the better for all of us.
How does an integration process with Drop Guard and amazee.io look like?
Amazee.io is fully based on Git, but does not force you to use a specific git provider. Like Drop Guard itself, we just need access to the Git repository. Amazee.io has the concept of branch based sites, so each site like ‘develop’ and ‘production’ is connected to a branch with the same name. If you push into the ‘develop’ branch, the code will end up on the ‘develop’ site.
You can now configure Drop Guard to use exactly these branches and define different strategies for different types of security releases.
At Amazee Labs we push Highly Critical security updates into the production branch, which is then fully automatically deployed on the production site. Without a single interaction of a developer. All other security updates are pushed into a release branch, which is then tested by the CI system and a new Jira Task created and assigned to the corresponding development team.
But again, we don’t force anything onto our clients, everything can be fully configured according to the wishes of the developers.
Michael, thank you so much for your time and these insights into your security considerations and amazee.io!