Cathy Theys (yesct) and Peter Wolanin (pwolanin) from the Drupal Security Team join Anna Kalata and Mike Anello to discuss the origins, evolution, and efforts of the team. Peter and Cathy discuss how to report potential security issues, how issues are handled within the team, and how they prioritize potential contributed module security issues. In addition, we discuss Drupal from the outside-in, Cathy's travel schedule, secret bunkers, the need for us to keep Peter busy in the Drupal community (seriously), Mike's slow loss of control, customers who contribute, and how Drupal might be related to the Panama Papers. As if that wasn't enough, we give Cathy control of the five questions - let the fun begin!
- Drupal Security Team home.
- How to report a security issue.
- Drupal 8 Security Bounty Bug Program.
- Links related to ad-hoc pre-security team activity: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1921, http://www.securiteam.com/exploits/5BP0O20GBS.html, https://www.exploit-db.com/exploits/1078/, https://www.drupal.org/node/1341738.
- Best practice to block xml rpc in htaccess?
- Current Security Team members.
- Join the Security Team.
- DrupalEasy and SixMileTech team up for Introduction to Drupal 8 Module Development at DrupalCon New Orleans.
- Top 10 contributing customers Drupal Association blog post by Joshua Mitchell. Information for organizations who want their people to start recording attribution.
- Examples of how to make Drupal outside-in - blog post by Dries Buytaert.
- Drupal 8.1 RC1 is available.
- DrupalCon New Orleans schedule is available.
Picks of the Week
- Cathy - Yes, Drupal 8 is slower than Drupal 7 - here's why blog post by Jeff Geerling.
- Mike - Group module for Drupal 8. See Mike's screencast demonstrating its use.
- Peter - From Encrypted Drives To Amazon's Cloud -- The Amazing Flight Of The Panama Papers.
- Anna - Counterpoint to Forbes pointing at Drupal: WordPress slider implicated Mossack Fonseca Breach – WordPress Revolution Slider Plugin Possible Cause.
- Anna - State of Drupal 2016 Survey.
- DrupalDelphia - April 8, 2016.
- Drupal Camp Spain - Granada - Apr 22-24, 2016 - Cathy will be there.
- DrupalCon New Orleans - May 9-13, 2016 - Cathy is the core conversation track chair, and Peter is presenting a session.
- DrupalNorth Montreal - June 16-19, 2016 - Cathy will be keynoting.
Follow us on Twitter
Cathy's Five Questions (answers only)
- Python library for reading shape files (pyshp).
- Go back to DIY microbiology/genetic engineering.
- Chx asking him to do “something easy” for Drupal 6.
- Brian Osborne, working on CAS module (bkosborne).
- R.T.B.C. - from the DrupalCon Los Angeles pre-note performed by Larry Garfield.
If you'd like to leave us a voicemail, call 321-396-2340. Please keep in mind that we might play your voicemail during one of our future podcasts. Feel free to call in with suggestions, rants, questions, or corrections. If you'd rather just send us an email, please use our contact page.
Mike's question about the Security Team being "more reactive than proactive" is a great question and one of the biggest misconceptions about the Drupal Security Team.
The thing is, you don't need to be a member of the Drupal Security Team to do security work on Drupal - it's Open Source! In fact, it's the responsibility of the whole community to make sure that Drupal and all our contrib modules are secure.
Where the Drupal Security Team comes in is that we are responsible for making sure the correct process is followed when a security issue is found. This primarily concerns maintaining confidentiality until the fix is found, connecting the right people, and making sure everything is announced through the right channels in the right format.
If the Drupal Security Team were the only people responsible for actually doing the security work on Drupal, well, nothing would get done, because we're an all-volunteer group of about 30 people. That's not nearly enough people to take care of the security of such a massive ecosystem of code (Drupal core and all contrib modules and themes with stable releases)!
So, to end in a kind of Smokey the Bear parody: "Only you can prevent security issues in Drupal (and the Drupal Security Team will help make sure the correct process is followed)" :-)