Greg Knaddison has worked for big consulting firms, boutique software firms, startups, and professional service firms, and is a former Drupal Security Team leader. He is currently the director of Engineering at and a Drupal Association advisory board member.

Michael Hess works with the University of Michigan School of Information and the UM Medical Center, teaching three courses on content management platforms and overseeing the functionality of hundreds of campus websites. He serves in a consulting and development role for many other university departments and is the current Drupal Security Team leader. He also consults with BlueCross on large-scale medical research projects. Hess is a graduate of the University of Michigan School of Information with a master's degree in information.

Greg Knaddison (left) and Michael Hess (right)

Prior to their DrupalCon 2015 talk, I caught up with Greg and Michael to discuss managing security advisories from external libraries, plans for automated security updates, code reviews, what to expect in Drupal 8, as well as any advice they had for newcomers to Drupal.

How do you manage security advisories from external libraries incorporated into Drupal?

First, our general policy is that third-party code should not be included directly into the repositories, so our advice since 2011 is that individual site owners should be aware of their own updates to third-party code. One thing that Drupal module maintainers can do is add a hook_requirements to check if the installed version of the external library is insecure and then show a message to the site admin letting them know to upgrade. Drupal core), we work with the authors of the libraries to fix issues and coordinate releases. For example, we have a working relationship with the Symfony project's security team to fix issues in a coordinated manner. Since Drupal 8 is not yet generally available, we don't include any security advisories for issues in Symfony just yet, but we will as soon as Drupal 8.0.0 is released.

Are there any plans for automated security updates in Drupal?

It is something the community is talking about. Of course, by automating security updates you add a different set of risks. Updating Drupal code sometimes requires manual changes, and that cannot be done via automation. We as a community continue to explore this. Some alternative solutions exist to achieve that goal in ways that might be more secure and reliable. For example, some of the Drupal-focused hosting companies incorporate features into their hosting plans that make it very easy to test and deploy security releases. There are also consulting companies who can be hired to monitor the security releases for you and update your site. And a relatively novel solution is Drop Guard, a rules-based third-party service that integrates with existing hosting and deployment tools to automate security updates.
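The hook_requirements check that Greg and Michael describe above, as an added Drupal 7 example that is not code from the interview or from the Drupal project; the module name mymodule, the library name examplelib, its VERSION file location and the minimum-version constant are assumptions:

```php
<?php
// mymodule.install: added example for Drupal 7, not code from the Drupal project.
// Assumed names: module "mymodule", bundled library "examplelib", and the
// constant below holding the first library version its advisory lists as fixed.
define('MYMODULE_EXAMPLELIB_MIN_VERSION', '1.4.2');

/**
 * Returns the installed examplelib version, or NULL if it cannot be determined.
 * Assumes the library ships a VERSION file under sites/all/libraries/examplelib.
 */
function mymodule_examplelib_version() {
  $file = DRUPAL_ROOT . '/sites/all/libraries/examplelib/VERSION';
  if (!is_readable($file)) {
    return NULL;
  }
  $version = trim(file_get_contents($file));
  // Accept only a plain dotted version string; anything else counts as unknown.
  return preg_match('/^\d+(\.\d+){1,3}$/', $version) ? $version : NULL;
}

/**
 * Implements hook_requirements().
 */
function mymodule_requirements($phase) {
  $requirements = array();
  if ($phase != 'runtime') {
    return $requirements;
  }
  $t = get_t();
  $version = mymodule_examplelib_version();
  $req = array('title' => $t('examplelib library'), 'severity' => REQUIREMENT_OK);
  if ($version === NULL) {
    $req['value'] = $t('Not found or version unknown');
    $req['description'] = $t('Install examplelib under sites/all/libraries/examplelib.');
    $req['severity'] = REQUIREMENT_ERROR;
  }
  elseif (version_compare($version, MYMODULE_EXAMPLELIB_MIN_VERSION, '<')) {
    // Known-insecure release: flag it on the status report so the admin upgrades.
    $req['value'] = $version;
    $req['description'] = $t('Version @v has known security issues; upgrade to @min or later.',
      array('@v' => $version, '@min' => MYMODULE_EXAMPLELIB_MIN_VERSION));
    $req['severity'] = REQUIREMENT_ERROR;
  }
  else {
    $req['value'] = $version;
  }
  $requirements['mymodule_examplelib'] = $req;
  return $requirements;
}
```

With the severity set to REQUIREMENT_ERROR, the message appears on the site's status report (admin/reports/status), which is where site admins already look for missing updates.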