DrupalEasy Podcast 173 - Secret Bunker (Peter Wolanin, Cathy Theys - Drupal Security Team)

Cathy Theys (yesct) and Peter Wolanin (pwolanin) from the Drupal Security Team join Anna Kalata and Mike Anello to discuss the origins, evolution, and efforts of the team. Peter and Cathy discuss how to report potential security issues, how issues are handled within the team, and how they prioritize potential contributed module security issues. In addition, we discuss Drupal from the outside-in, Cathy's travel schedule, secret bunkers, the need for us to keep Peter busy in the Drupal community (seriously), Mike's slow loss of control, customers who contribute, and how Drupal might be related to the Panama Papers. As if that wasn't enough, we give Cathy control of the five questions - let the fun begin!


DrupalEasy News

##Four Stories


Picks of the Week

Upcoming Events

Follow us on Twitter

Cathy's Five Questions (answers only)

  1. Python library for reading shape files (pyshp).
  2. Retirement.
  3. Go back to DIY microbiology/genetic engineering.
  4. Chx asking him to do “something easy” for Drupal 6.
  5. Brian Osborne, working on CAS module (bkosborne).

Intro Music


Subscribe to our podcast on iTunes or Miro. Listen to our podcast on Stitcher.

If you'd like to leave us a voicemail, call 321-396-2340. Please keep in mind that we might play your voicemail during one of our future podcasts. Feel free to call in with suggestions, rants, questions, or corrections. If you'd rather just send us an email, please use our contact page.


Mike's question about the Security Team being "more reactive than proactive" is a great question and one of the biggest misconceptions about the Drupal Security Team.

The thing is, you don't need to be a member of the Drupal Security Team to do security work on Drupal - it's Open Source! In fact, it's the responsibility of the whole community to make sure that Drupal and all our contrib modules are secure.

Where the Drupal Security Team comes in, is we are responsible for making sure the correct process is followed when a security issue is found. This primarily concerns maintaining confidentiality until the fix is found, connecting the right people, and making sure everything is announced through the right channels in the right format.

If the Drupal Security Team were the only people responsible for actually doing the security work on Drupal, well, nothing would get done because we're an all volunteer group of about 30 people. That's not nearly enough people to take care of the security of such a massive eco-system of code (Drupal core and all contrib modules and themes with stable releases)!

So, to end in a kind of Smokey the Bear parody: "Only you can prevent security issues in Drupal (and the Drupal Security Team will help make sure the correct process is followed)" :-)

Submitted by David Snopek (not verified) on Thu, 04/21/2016 - 07:15

April 08, 2016