Security | Modules Unraveled
- What is a site audit?
- Why would you do one?
- Intended audience
- New clients? Existing clients?
- What are the goals of a site-audit?
- How do you approach a site audit?
- What are some other approaches you’re aware of?
- What tools and techniques do you use?
- How do you present the results?
- How often should you do them?
- What are some things to avoid?
Drupal 6 End of Life
- What does Drupal 6 EOL mean?
- When is Drupal 6’s End-Of-Life (EOL)?
- February 24th
- Why is support for Drupal 6 being dropped by the Drupal project in the first place? (i.e., why does our community even do this?)
- What makes Drupal 6’s End-of-Life (EOL) different than previous ones (i.e., Drupal 5)?
- What, specifically, will happen after February 24th?
- All D6 modules will be marked as “unsupported” on Drupal.org - which will mean the ‘update’ module will start telling you that ALL your modules are out-of-date
- Also, the status information that the ‘update’ module uses could go away at any time - so, you’ll no longer be able to rely on that in general (myDropWizard or another vendor MAY create a replacement for the ‘update’ module…)
- The Drupal security team will no longer be making Security Advisories (or coordinating security releases)
- In general, most module maintainers will no longer pay attention to Drupal 6 issues and will stop making new releases
- What should people with Drupal 6 sites do?
- Archive the site, or
- Plan upgrade, and
- If you can’t upgrade by February 24th, buy Drupal 6 Long-Term Support from one of the “official” vendors:
- What makes the “official” vendors special (vs. any other vendor)?
- Get confidential information from Drupal security team
- Agree to follow security team processes and release all security patches publicly
- Were vetted by the Drupal security team
- How will the Drupal 6 LTS work?
- Same process as security team - but work done by vendors rather than security team
- Will publish patches on the D6LTS project:
- Likely, but not 100% decided:
- Announce new patches on the D6LTS issue queue
- Make new Pressflow 6 releases with the Drupal core patches
- So, can the community get this without working with a vendor?
- But each vendor only supporting those modules their customers depend on
- And what about security issues that hackers find first?
- What does myDropWizard.com do? And how is your offer different than the other vendors?
- “myDropWizard.com provides 24/7 support and maintenance from Drupal experts for a fixed monthly fee. We keep your site online, up-to-date and secure!”
- Our Drupal 6 Long-Term Support offer:
- making security fixes
- fixing bugs
- performing one-off maintenance and support tasks on request
- getting your site back online in the case of an outage, and
- remediation if your site gets hacked.
- Basically, keep your site online and secure until you’re ready to upgrade - and we can help with a D7 or D8 upgrade as well
- Technical questions about how we do what we do?
- Your offering includes a whole bunch of stuff! Why don’t you have a “security updates only” offering?
Let me start out by stating that I don't know the technical implications of an autocomplete feature. Okay? I don't have the answer. I'm just looking for information. Best case, I can help get something started that will benefit the entire Drupal community in the future.
With that out of the way, I firmly believe that anything is possible with Drupal. And with the "Drupageddon" of late, an auto update feature would be greatly appreciated by many, I'm sure. (I certainly would have benefited from one.)
Roll back to a server backup (files and database) from before October 15th 2014.
No server backup?
- Run "git status" to find new and modified files.
- Delete new files
- Checkout modified files
- Thoroughly check files directory for anything unusual.
- Make sure the .htaccess file in the files directory restricts code execution
- Restore database from pre Oct. 15th backup
- Update Drupal Core to latest release
... Read on for details...
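The no-backup steps above, sketched as read-only shell helpers (an added example, not from the original post; the function names, the extension list and the paths passed in are assumptions):

```shell
#!/usr/bin/env bash
# Added example: read-only triage helpers for the no-backup steps above.
# Nothing here deletes or restores anything; review each list before acting.

# Files git does not track: the "new files" to inspect and then delete.
list_new_files() {                 # $1 = root of the site's git checkout
  git -C "$1" ls-files --others --exclude-standard
}

# Tracked files that differ from the last commit: restore with git checkout.
list_modified_files() {            # $1 = root of the site's git checkout
  git -C "$1" diff --name-only HEAD
}

# Script-like files inside the upload directory, where none are expected.
# The extension list is an assumption; extend it for your server's handlers.
find_scripts_in_files_dir() {      # $1 = files directory
  find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
    -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.inc' \) | sort
}

# Succeeds when the files-directory .htaccess still carries the catch-all
# SetHandler line that Drupal core writes there to stop script execution.
htaccess_restricts_execution() {   # $1 = files directory
  [ -f "$1/.htaccess" ] &&
    grep -Eq '^[[:space:]]*SetHandler[[:space:]]+Drupal_Security_Do_Not_Remove' \
      "$1/.htaccess"
}

# One-shot report. SITE and FILES are hypothetical paths passed by the caller.
triage_report() {                  # $1 = SITE root, $2 = FILES directory
  echo "== new (untracked) files ==";      list_new_files "$1"
  echo "== modified tracked files ==";     list_modified_files "$1"
  echo "== scripts in files directory =="; find_scripts_in_files_dir "$2"
  if htaccess_restricts_execution "$2"; then
    echo "files/.htaccess: handler lockdown present"
  else
    echo "files/.htaccess: MISSING or altered, regenerate before going live"
  fi
}
```

Paths excluded by .gitignore never show up in "git status", which is why the files directory gets its own scan instead of relying on the git listing.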
The Drupal Security Team
- What type of people are on the Drupal Security Team?
- Mostly coders, some project managers, core maintainers
- What does the security team do?
- We fix issues in Drupal
- Resolve reported security issues in a Security Advisory
- Provide assistance for contributed module maintainers in resolving security issues
- Provide documentation on how to write secure code
- Provide documentation on securing your site
- Help the infrastructure team to keep the drupal.org infrastructure secure
- What doesn’t the security team do?
- projects without stable releases
- Site support
- Set policy around security with the security working group.
- Is there a D7 security team and a D8 security team with different people? (What about Drupal 6)
- How can others get involved?
- What was the recent bug that was fixed?
Questions from Twitter
- Paulius Pazdrazdys
How is this latest security release different from others? Do you have any information on whether this bug did any harm before release?
The recent bug was über critical, still only 20/25. What would be a 25/25 bug?
Do you notify any high value targets before SA is sent out? Is the list of those public? Can one be part of this privileged group?
- Carie Fisher
When was the latest bug found? Is there a private Drupal security group where this was discussed? Could we have found out sooner?
- David Hernandez
What is the average time from discovery to announcement?
- Damien McKenna
@ModsUnraveled Are there existing stats on how long it takes from initial reporting, to maintainer response, to first patch & fix?
- Heine Deelstra
How was SA-CORE-005 (in hindsight) able to be public for so long in the public queue?
- Mark Conroy
I think the #drupal security team are great. Working extremely hard. (I know, that wasn't a question)
Are there plans for some sort of bounty program run by DA maybe?
- David Hernandez
What kind of work does the security team do besides review code? What is the administrative overhead?