A study from North Carolina State University found that projects using open source libraries are updated 60% more often when they use automatic updates via pull requests. The study is based on 7,470 repositories on GitHub. This blog post summarizes the most important facts and highlights the methods, challenges and tools involved in using automation to reach a higher security level while using open source libraries.
There are 3 main reasons why open source updates are a pain for developers
Developers are always busy and doing updates is no fun
Our CEO Manuel spoke at the IPC 2017 in Munich about DevSecOps automation. We took a look around and picked the two other security-related sessions that caught our eye.
Dip Your Toes in the Sea of Security - by James Titcumb
Automatic updates have been discussed for years already. The pros and cons of letting Drupal update itself are discussed in various Drupal.org issue queues. It was no big surprise that Dries mentioned automatic Drupal core updates as part of Drupal's strategic roadmap in his Driesnote at DrupalCon Vienna 2017.
While working with other agencies and NGOs during the last 1.5 years, we collected more and more information about the time and money that Drop Guard will save your agency. On our website, we claim that Drop Guard will cut your update costs by 40%. CTOs and COOs want to challenge numbers like this and ask how exactly this ROI is calculated. That’s why I want to share the detailed information in this blog post with you.
Security updates are released every Wednesday. If you work in a Drupal shop that cares about security, you have to apply updates for every site every Wednesday or at least Thursday.
As the end of September approaches, DrupalCon Vienna is also getting closer, and we can't wait to welcome you to our booth #S08. As a Silver sponsor of the event, we'll have the chance to present continuous update management to you on site. But we also can't wait to learn a lot from other agencies and attendees! At DrupalCon there's always a chance to learn something new, be it a whole new approach or a connecting piece of unidentified issues, by asking but most of all by listening.
Drop Guard is in a continuous process of optimization and development. As it is still a unique platform concept on the market, we started years ago with a sketchy blueprint of what Drop Guard is today, and of what it will be in the future. With this post I will give you a quick overview of what is planned and something which is a little secret between you and me.
When it comes to new tools, different workflows or any other kind of process change, a company needs to ensure that the changes happen as smoothly and with as few resources as possible.
Drop Guard will undergo some big improvements this year to keep this switch as simple as possible for our users, developers, small Drupal shops and big agencies. Besides outside feedback from customers, we always love to hear the thoughts of our own team members. This time, we want to share an interview with our web developer Serkan Bekdemir, who’s now responsible for the Drop Guard usage in our own company, Bright Solutions.
Enjoy a scoop of honest critique and suggestions!
We at Drop Guard never stop thinking about what else we can do to help Drupalistas around the world get aboard the continuous update process ship (as we call it) as soon as possible. More and more threats are being discovered every day, and it's absolutely imperative to stay alert around the clock, either with the help of automation platforms like Drop Guard or by doing things your own way.
The holiday season was a lot of fun for the Drop Guard team, but also very busy. We've worked hard to deliver a whole package of impressive features and improvements to our update management platform. Big plans were also made for 2017. Without further hesitation let's start the New Year with the news!
Two days ago another highly critical security update affected Drupal and many other CMS systems. It concerned the PHPMailer library, which leaves millions of websites vulnerable to a remote exploit (see https://www.drupal.org/psa-2016-004 for details). Compared to Drupalgeddon, which had a risk of 25/25, this update has 23/25. But there are some things which make this update even riskier than Drupalgeddon: