Website Audits

• What is a site audit?
• Why would you do one?
• Intended audience
  • New clients? Existing clients?
• What are the goals of a site-audit?
• How do you approach a site audit?
  • What are some other approaches you’re aware of?
• What tools and techniques do you use?
• How do you present the results?
• How often should you do them?
• What are some things to avoid?

Drupal 6 End of Live

• What does Drupal 6 EOL mean?
• When is Drupal 6’s End-Of-Life (EOL)?
  • February 24th
• Why is support for Drupal 6 being dropped by the Drupal project in the first place? (ie. why does our community even do this?)
  • What makes Drupal 6’s End-of-Life (EOL) different than previous ones (ie. Drupal 5)?
• What, specifically, will happen after February 24th?
  • All D6 modules will be marked as “unsupported” on Drupal.org - which will mean the ‘update’ module will start telling you that ALL your modules are out-of-date
  • Also, the status information that the ‘update’ module uses could go away at any time - so, you’ll no longer be able to rely on that in general (myDropWizard or another vendor MAY create a replacement for the ‘update’ module…)
  • The Drupal security team will no longer be making Security Advisories (or coordinating security releases)
  • In general, most module maintainers will no longer pay attention to Drupal 6 issues and will stop making new releases
• What should people with Drupal 6 sites do?
  • Archive the site, or
  • Plan upgrade, and
  • If you can’t upgrade by February 24th, buy Drupal 6 Long-Term Support from one of the “official” vendors:
    • https://www.drupal.org/node/2646980
• What makes the “official” vendors special (vs. any other vendor)?
  • Get confidential information from Drupal security team
  • Agree to follow security team processes and release all security patches publicly
  • Were vetted by the Drupal security team
• How will the Drupal 6 LTS work?
  • Same process as security team - but work done by vendors rather than security team
  • Will publish patches on the D6LTS project:
    • https://www.drupal.org/project/d6lts
  • Likely, but not 100% decided:
    • Announce new patches on the D6LTS issue queue
    • Make new Pressflow 6 releases with the Drupal core patches
• So, can the community get this without working with a vendor?
  • Yes!
  • But each vendor only supporting those modules their customers depend on
  • And what about security issues that hackers find first?
• What does myDropWizard.com do? And how is your offer different than the other vendors?
  • “myDropWizard.com provides 24/7 support and maintenance from Drupal experts for a fixed monthly fee. We keep your site online, up-to-date and secure!”
  • Our Drupal 6 Long-Term Support offer:
    • http://www.mydropwizard.com/drupal-6-lts
    • making security fixes
    • fixing bugs
    • performing one-off maintenance and support tasks on request
    • getting your site back online in the case of an outage, and
    • remediation if your site gets hacked.
  • Basically, keep your site online and secure until you’re ready to upgrade - and we can help with a D7 or D8 upgrade as well
• Technical questions about how we do what we do?
• Your offering includes a whole bunch of stuff! Why don’t you have a “security updates only” offering?

The Drupal Security Team

• What type of people are on the Drupal Security Team?
  • https://security.drupal.org/team-members
  • Mostly coders, some project managers, core maintainers
• What does the security team do?
  • We fix issues in drupal
  • Resolve reported security issues in a Security Advisory
  • Provide assistance for contributed module maintainers in resolving security issues
  • Provide documentation on how to write secure code
  • Provide documentation on securing your site
  • Help the infrastructure team to keep the drupal.org infrastructure secure
• What doesn’t the security team do
  • projects without stable releases
  • Site support
  • Set policy around security with the security working group.
• Is there a D7 security team and a D8 security team with different people? (What about Drupal 6)
• How can others get involved?
• What was the recent bug that was fixed

Questions from Twitter

• Paulius Pazdrazdys
  How this latest security release is different from others? Do you have any information if this bug done any harm before release?
• aboros
  The recent bug was über critical, still only 20/25. What would be a 25/25 bug?
• aboros
  Do you notify any high value targets before SA is sent out? Is the list of those public? Can one be part of this privileged group?
• Carie Fisher
  When the latest bug was found? is there a private drupal security group where this was discussed? could we have found out sooner?
• David Hernandez
  What is the average time from discovery to announcement?
• Damien McKenna
  @ModsUnraveled Are there existing stats on how long it takes from initial reporting, to maintainer response, to first patch & fix?
• Heine Deelstra
  How was SA-CORE-005 (in hindsight) able to be public for so long in the public queue?
• Mark Conroy
  I think the #drupal security team are great. Working extremely hard. (I know, that wasn't a question)
• aboros
  Are there plans for some sort of bounty program run by DA maybe?
• David Hernandez
  What kind of work does the security team do besides review code? What is the administrative overhead?