Threat

A month or so ago I wrote about the importance of patching your content management system and the advantage we believe exists with Open Source content management systems versus those offered by proprietary systems.

At the time of writing I had no idea of the relevance it had with an issue identified within the Drupal Content Management system. On the 15th October 2014 the Drupal security team released a security patch for a fairly serious vulnerability they had identified, details available here: https://www.drupal.org/SA-CORE-2014-005

The threat allowed a hacker to take control of Drupal website and potentially access content and utilise functionality that exists on the site for their own purposes.

The notification itself has caused considerable discussion within the Drupal community as not only did it alert webmasters, site administrator and developers to the need to patch, it also alerted would be hackers to the potential vulnerability. As a result there was a 7 hour window established within which a Drupal site had to be patched before it was fairly certain it had been hacked. For many this window was too short and as a result further remedial effort was required to ensure the integrity of the Drupal website.

At Koda we managed to patch all sites in our care within this window, unfortunately not everyone was able to do so.

Concerns

One of the chief concerns raised was that by sending the security notification it alerted hackers to the vulnerability, I don't believe there was any choice. The issue was found by the team, a patch developed and the communication sent. If they hadn't found it and notified us it could have been exploited by a hacker without us being aware. I believe the real issue the event has raised is the need to partner with a developer and hosting company that can proactively monitor the security patches released by the Drupal team and to ensure the sites in their care are regularly patched.

The Drupal security team have an alerting service available, you just need to register on the www.drupal.com website and subscribe to the security notifications.

kodaThis is a great example of the benefit of using an open source content management system for your website that has  large community of developers supporting it and a dedicated security team reviewing it 24x7. Drupal has a large dedicated team of contributors, we all work actively to ensure the platform remains as stable as possible.

I'm not sure how easily an issue such as this would have been identified and resolved on a proprietary content management system, where financially and logistically it is not viable to proactively review code within the application.

Summary

What it does reinforce however is that once your website is built there is still an ongoing requirement to proactively assess the state of the environment, apply updates as required, and definitely to apply security patches as they become available.

To find out more about the Koda support offering check out our Drupal support page, or contact us and a member of out team will be happy to discuss support options.

- Koda Web Design Auckland

 

Recent Insights

Keeping Websites Safe: Understanding Data Security
Exploring the Internet of Things (IoT): Making Everyday Things Smarter
Enhancing Web Accessibility in Aotearoa
Harnessing the Power of Artificial Intelligence in Design
The Evolution of Responsive Web Design in 2024
Progressive Web Apps vs. Native Apps
The Rise of Progressive Web Apps: Revolutionising the Mobile Experience
Security First: Keeping Your Apple and Android Apps Safe
EDIs and Portals - For Faster Processes
Business Catalyst - End of life Announcement

Share online

Popular Tags

General
Custom Design
Drupal
Open Source
Google hosting
Integration
eCommerce
Mobile Apps