
Security

Learning from hackers a week after the Drupal SQL Injection announcement

Since October 15th, hackers have been busy coming up with creative ways to exploit the SQL Injection in Drupal 7 sites revealed by SA-CORE-2014-005. A week has already passed, and attacks are still ongoing. In a previous post, Moshe Weitzman explained how we were able to protect our customers' sites the moment the vulnerability was announced.

Drupal-based Defense-in-depth Strategy Protects Data [August 28, 2014]

Submitted on Thursday, August 28, 2014, Government Computer News

By Todd Akers

In medieval times, an intricate combination of towers, drawbridges, city walls, moats and harbors protected castles from all fronts. This intricate system provided an effective and layered defense from potential threats.

As the federal government seeks ways to contain and manage massive influxes of data, IT managers are taking pages out of the medieval defense rulebook by adopting “defense-in-depth” strategies that use complex, multi-layered approaches to information security. With defense-in-depth, federal IT managers use holistic strategies to analyze and identify potential threat vectors, including internal and external threats. In the process, they can secure their defenses as if they were leading the king’s protection forces.

Federal IT managers are practicing defense-in-depth while using open source software like Drupal for web development and content management. In fact, hundreds of federal sites – all of which demand a high level of security – are powered by Drupal.

Drupal offers a firm foundation for the strategy, specifically because it uses open source software that enjoys the support of a global community. This includes tens of thousands of users who regularly engage in peer reviews and vulnerability scanning, resulting in increased reliability and strengthening of core APIs and mitigation of common vulnerabilities. Further, the software is backed by a global team of some of the world’s leading web security experts who are always on-call and available to assess, evaluate and address issues.


Drupal 8, Semantic Web, Linked Data and Security: upcoming events

With the first beta version of Drupal 8 around the corner, now is a good time to get excited about Drupal 8’s new features and APIs. The feature I’m the most excited about is the integration of schema.org mappings into Drupal entities and fields, allowing search engines to better understand the content on your site.

Don’t wait, update your codebase now!

TL;DR: a security update for Drupal 7 and Drupal 6 was just released. All sites are affected and sites that are not updated immediately may experience Denial of Service (DoS) attacks leading to unexpected downtime.

Update: This vulnerability was covered on Mashable and one of the reporters published a detailed full disclosure of the vulnerability.

Drupal 8's new theming layer – Joël Pittet and Scott Reeves

Fixed! The version originally posted on August 5, 2014, got cut short by technical difficulties in production. Here are the complete audio and video versions of that conversation for you!

Drupal 8 theming layer co-maintainers Joël Pittet and Scott Reeves sat down with me at NYC Camp 2014 at United Nations Headquarters in New York City to talk about how Twig and the new theming layer in Drupal 8 empower front- and back-end developers, convergence and contribution in PHP, and more.


Deliver digital faster with Drupal – Part 2

In Deliver digital faster with Drupal Part 1, I showed you some of the many examples of successful sites built rapidly thanks to Drupal’s modularity. To stay ahead of your competition, you need to be nimble and agile; Drupal helps you do this with reusable, transferable digital experiences that can be customised to suit various niches even within a single business enterprise. All, of course, without paying additional license fees or mandated limits on developers, environments, or copies.

Rapidly Responding to Security Vulnerabilities

It’s an unfortunate fact of life on the web that security threats and vulnerabilities are exposed on a regular basis. We have to be ready for them at all times and at any cadence. Just two weeks ago, both the OpenSSL TLS MITM and Ubuntu Kernel vulnerabilities became public within hours of one another. At Acquia, our stance is that we’re ever vigilant and always ready for these situations.

Locking Down the Cloud: Countering Automated Attacks

At last year’s Cloud Security Alliance Congress, Philip Lieberman raised an issue that brought home to me why automation is now a must-have when it comes to security, not just for cloud security but for all computer security.

Locking Down the Cloud: Dealing with Complexity

I love this illustration from a recent Netskope Cloud Report.


The IT guy, standing in his dinghy, is estimating that he has 40-50 cloud apps running in his enterprise.

But check out that submerged iceberg: it’s more like 397! That’s nearly 10x the IT estimate.

Secure Acquia accounts with two-step verification and strong passwords

Today I’m proud to announce the general availability of three new authentication and access control security features for the Acquia Network. The following features will help ensure the security of your account and sites on Acquia Cloud by securing the sign-in process and enabling subscription-based access controls on the Acquia Network:
