Security | Modules Unraveled

161 Website Audits and How to Do Them Right with Jon Peck - Modules Unraveled Podcast


Website Audits

  • What is a site audit?
  • Why would you do one?
  • Intended audience
    • New clients? Existing clients?
  • What are the goals of a site audit?
  • How do you approach a site audit?
    • What are some other approaches you’re aware of?
  • What tools and techniques do you use?
  • How do you present the results?
  • How often should you do them?
  • What are some things to avoid?

152 What to Do About Drupal 6 End of Life on Feb 24th 2016 with David Snopek - Modules Unraveled Podcast


Drupal 6 End of Life

  • What does Drupal 6 EOL mean?
  • When is Drupal 6’s End-Of-Life (EOL)?
    • February 24th
  • Why is support for Drupal 6 being dropped by the Drupal project in the first place? (i.e. why does our community even do this?)
    • What makes Drupal 6’s End-of-Life (EOL) different from previous ones (i.e. Drupal 5)?
  • What, specifically, will happen after February 24th?
    • All D6 modules will be marked as “unsupported” on - which will mean the ‘update’ module will start telling you that ALL your modules are out-of-date
    • Also, the status information that the ‘update’ module uses could go away at any time - so, you’ll no longer be able to rely on that in general (myDropWizard or another vendor MAY create a replacement for the ‘update’ module…)
    • The Drupal security team will no longer be making Security Advisories (or coordinating security releases)
    • In general, most module maintainers will no longer pay attention to Drupal 6 issues and will stop making new releases
  • What should people with Drupal 6 sites do?
    • Archive the site, or
    • Plan upgrade, and
    • If you can’t upgrade by February 24th, buy Drupal 6 Long-Term Support from one of the “official” vendors:
  • What makes the “official” vendors special (vs. any other vendor)?
    • Get confidential information from Drupal security team
    • Agree to follow security team processes and release all security patches publicly
    • Were vetted by the Drupal security team
  • How will the Drupal 6 LTS work?
    • Same process as security team - but work done by vendors rather than security team
    • Will publish patches on the D6LTS project:
    • Likely, but not 100% decided:
      • Announce new patches on the D6LTS issue queue
      • Make new Pressflow 6 releases with the Drupal core patches
  • So, can the community get this without working with a vendor?
    • Yes!
    • But each vendor is only supporting the modules their customers depend on
    • And what about security issues that hackers find first?
  • What does do? And how is your offer different than the other vendors?
    • “ provides 24/7 support and maintenance from Drupal experts for a fixed monthly fee. We keep your site online, up-to-date and secure!”
    • Our Drupal 6 Long-Term Support offer:
      • making security fixes
      • fixing bugs
      • performing one-off maintenance and support tasks on request
      • getting your site back online in the case of an outage, and
      • remediation if your site gets hacked.
    • Basically, keep your site online and secure until you’re ready to upgrade - and we can help with a D7 or D8 upgrade as well
  • Technical questions about how we do what we do?
  • Your offering includes a whole bunch of stuff! Why don’t you have a “security updates only” offering?

122 The Drupal Security Team With Greg Knaddison and Michael Hess - Modules Unraveled Podcast


The Drupal Security Team

  • What type of people are on the Drupal Security Team?
    • Mostly coders, some project managers, core maintainers
  • What does the security team do?
    • We fix issues in Drupal
    • Resolve reported security issues in a Security Advisory
    • Provide assistance for contributed module maintainers in resolving security issues
    • Provide documentation on how to write secure code
    • Provide documentation on securing your site
    • Help the infrastructure team to keep the infrastructure secure
  • What doesn’t the security team do?
    • Support projects without stable releases
    • Site support
    • Set policy around security (that is done with the security working group)
  • Is there a D7 security team and a D8 security team with different people? (What about Drupal 6)
  • How can others get involved?
  • What was the recent bug that was fixed?

Questions from Twitter

  • Paulius Pazdrazdys
    How is this latest security release different from others? Do you have any information on whether this bug did any harm before release?
  • aboros
    The recent bug was über critical, still only 20/25. What would be a 25/25 bug?
  • aboros
    Do you notify any high value targets before SA is sent out? Is the list of those public? Can one be part of this privileged group?
  • Carie Fisher
    When was the latest bug found? Is there a private Drupal security group where this was discussed? Could we have found out sooner?
  • David Hernandez
    What is the average time from discovery to announcement?
  • Damien McKenna
    @ModsUnraveled Are there existing stats on how long it takes from initial reporting, to maintainer response, to first patch & fix?
  • Heine Deelstra
    How was SA-CORE-005 (in hindsight) able to be public for so long in the public queue?
  • Mark Conroy
    I think the #drupal security team are great. Working extremely hard. (I know, that wasn't a question)
  • aboros
    Are there plans for some sort of bounty program run by DA maybe?
  • David Hernandez
    What kind of work does the security team do besides review code? What is the administrative overhead?