How Does Drupal Manage to Combine Openness and Security?

Drupal is one of the largest open source software projects in the world. Thousands of developers write code for it and develop websites or applications on it. The graphic below will help you understand the work of Drupal’s Security Team better.

Keeping Drupal Secure

Drupal has risen through the ranks in the decade since its creation. It maintains the web presence of thousands of businesses, governmental institutions, universities and others around the world. Today, writing code for Drupal means writing code that could be used on any of those sites. Drupal code must meet the very precise requirements of banks, health-care institutions and governments, regardless of whether it is written by a devoted hobbyist or by a full-time professional. It is also important to stay one step ahead of those who attempt to break into such systems.

Security and open source bound together

Drupal’s security process must be carried out quickly and carefully in order to fix problems before they become widely known or widely exploited. Still, security and open source go well together, which may surprise anyone who believes that “security by obscurity” really works. Hiding behind proprietary licensing or compiled code and relying on the hope that nobody will notice security flaws is a good recipe for collapse. Opening your code to the community can result in greatly enhanced security, because everyone has the ability to find and fix a problem. Having thousands of developers in one community multiplies the benefit: if anyone fixes a bug, then your bug has been fixed as well. Drupal’s codebase is thoroughly and systematically examined by security experts from governments and large companies around the world, who assess whether Drupal is secure enough for their mission-critical applications.

Proactive security awareness. Trying to prevent security issues.

Insecure code usually has its defects from the very beginning. Best practices are available to developers so that they can avoid the majority of security issues at the outset. That is why the Drupal Security Team continuously leads open-ended efforts to educate the Drupal community and help it prevent security issues from appearing. Team members bring presentations and training to Drupal community events and conferences, run webinars, provide free online documentation and encourage public discussion groups to take part in Drupal security-related topics.

Drupal core and stable release modules. What is supported?

The Drupal Security Team helps deal with a huge number of security issues across the Drupal project and the additional contributed modules developed for it. Modules that only have “development” versions are not included; a module without a supported stable version therefore cannot benefit from the Security Team’s coverage. So, if you have decided to use a module that only has “development” or “beta” versions for a critical application, ask the module’s maintainers to finish a stable, supported “x.0” version.

Drupal Security Team. All about it.

The Drupal project announced the existence of its Security Team in 2005 and rotates team leadership from time to time. The evolution of new technologies leads to the discovery of issues that were previously obscure and difficult to recognize, because code does not commonly “suddenly become insecure”. A great amount of skill, knowledge and experience is directed at making Drupal as secure as possible. Today the Drupal Security Team is a mature, diverse group of about 40 of the world’s leading web-security experts (none of them are robots, despite their skill and efficiency). They review and resolve problems that arise “in the trenches”, and they also work to improve the security of the Drupal project as a whole. Members of the team are hard-working volunteers from countries across 3 continents, including Belgium, Canada, England, France, Germany, Hungary, Ireland, Japan and the United States. The team includes people from consultancies, Drupal service suppliers and government service providers, as well as non-profit, for-profit and educational organizations.

How does the Drupal Security Release process happen?

  1. A vulnerability is uncovered in the code. Bug hunters are everywhere, so anyone is capable of recognizing and reporting a security problem: the Security Team itself, module maintainers, the wider Drupal community, security researchers working on Drupal and even you. If you have found a bug and want to report it, read and follow “How to report a security issue” on drupal.org.
  2. The issue is reported privately to the Security Team. Security issues should be handled carefully and kept confidential. There is one exception: when exploiting the vulnerability requires advanced permissions or access, for instance the ability to manage filters or users. In such cases, the Security Team asks module developers to fix these problems in the open, because they are not dangerous by themselves, and fixing them still strengthens the system.
  3. The issue is reviewed and its potential impact on all supported Drupal releases is evaluated. Two major release series (6.x, 7.x, etc.) are maintained 24/7. Always run, and update to, the newest version of the series you are using.
  4. When the threat is serious, the Security Team is gathered for analysis and the maintainer is informed.
  5. The maintainer fixes the problem and the Security Team arranges support. Maintainers, testers and other interested individuals are given access to the problem on a private, secure issue tracker so that they can work together on a solution.
  6. Fixes are examined and reviewed. Steps 4 through 6 are repeated until the Security Team and the module maintainer are satisfied with the resolution of the security issue.
  7. Code patches are built and tested. The new code is tested to ensure it does not introduce any other security issues or break the module in question.
  8. New, fixed versions are made available on Drupal.org.
  9. Security advisories are spread via websites, newsletters, RSS, Twitter, social media, etc. Follow Drupal.org on social media or subscribe to the Drupal security RSS feed on Drupal.org.
  10. New versions are deployed on all sites. Check the “Available updates” report on your Drupal site at admin/reports/updates in Drupal 6.x and 7.x to see whether your Drupal core and installed module versions are the latest ones, and download any new available version via the links provided if necessary. Keep in mind that updates are not automated and need to be performed regularly to keep your code up to date and thus your site as secure as possible.

QArea, a software outsourcing company that follows the latest trends in the IT world, provides its specialists with the kinds of tools that make their work easier and more efficient.

Take a minute to look at our Drupal development services.

QArea is a software outsourcing company that has delivered cutting-edge IT solutions for more than 12 years. A team of developers is at your disposal to power your project with a high level of performance. QArea is ready to assist you in Mobile Application Development, Software Testing, Desktop Application Development and Web Development.
