
Moderator: Today’s webinar is Setting the Record Straight: Drupal as an Enterprise Web Content Management System with speaker Dries Buytaert, who’s the creator of Drupal and also a co-founder and a CTO at Acquia.

Dries Buytaert: Yes. We'll be talking about Drupal as an Enterprise Web Content Management System. Before we jump into that, this is me. For those that don’t know me, I started the Drupal project about – gosh, like 14 years ago. I worked on Drupal in my spare time for seven years, and then after seven years decided to start Acquia - we'll talk a little bit about Acquia as well. I also co-founded the Drupal Association. I’m a techie by education and I love photography, and I do love chocolates. This is actually funny because it was magically added by our marketing team, but I do love chocolate croissants. Actually this weekend, I was officially endorsed by somebody that I know on LinkedIn as an expert on chocolates. If you haven’t endorsed me on chocolates, this will be the time to do it. If you want to follow me on Twitter, I am @dries.

Today, we'll be talking about these things here. First, I’m going to talk a little about Drupal and the market that Drupal plays in. Specifically, what our competitors are and how they compete with Drupal. Then I’m going to talk about some common myths about Drupal in the Enterprise, and then talk a little bit about Drupal 8 in the end, and how Drupal 8 will actually be more powerful and more successful combating some of these myths. Then we're going to leave some time for questions in the end as well, so feel free to send your questions in the chat, I believe.

First of all, what’s Drupal?

For those of you that are new to Drupal, Drupal is an open source platform that organizations use for building websites. It was born as a social tool, specifically as a message board. Over time, we've added other components to it like content and commerce, and so now what’s really compelling about Drupal for many organizations is that it’s a unified platform that’s really good at these three things. That allows organizations to build a very wide variety of websites on a single platform. It features easy and fun content authoring. We have lots of integrations with other systems and platforms. We separate the presentation from the code, from the data. It makes it very easy to do certain things.

We're pretty well respected in the areas of globalization and localization. We're one of the best CMSs when it comes to providing multilingual websites and specifically with Drupal 8, multi-channel delivery is also going to be one of our strong suits. On the community side, as I mentioned, Drupal was born social, so lots of social features there. Things like group collaboration and user-generated content like commenting and polls and activity streams and things like that. More recently, we've been very focused on commerce as a community and so people are also starting to use Drupal to build commerce solutions. What’s great about having these three things integrated is that you can build great digital experiences all the way from attracting people to your website through community and social to delivering great content, and then really deeply integrating the commerce experience as well, which has proven to be very beneficial to drive transactions to your Drupal sites. That’s a little bit of what Drupal does. Obviously it does many, many more things but at a high level, I think that is a good summary.

The next question then is: Who does Drupal compete with?

We have a number of different competitors in the traditional web content management space. As Acquia, we see Drupal compete the most with Adobe Experience Manager, or CQ5. But also with Sitecore, which is a .NET-based solution written in .NET. Then we also compete a lot with legacy vendors, the first CMS platforms out there – products like SDL Tridion, TeamSite from Autonomy or HP now, also, Oracle FatWire. These kinds of platforms. Then we also compete a lot – and it’s not on the slides, but we compete with a lot of do-it-yourself solutions. There are still a lot of organizations that build their own, or digital agencies, web development companies that have built in-house CMSs. We see a lot of that, actually. On the social side, we compete primarily with Jive and Lithium in that space.

What do the analysts say about Drupal?

As Acquia, I’d say we started to build our analyst relationships I would say, really like two or three years ago, sort of upped our game. As a result, Drupal and/or Acquia has appeared in quite a variety of analyst reports. One of them is the Forrester Wave for Web Content Management that was published in 2013, so last year. Acquia is one of the younger vendors in this Wave, and according to Forrester, Acquia and Drupal are sort of in the top three when it comes to product selection increase in terms of what they see as analysts. The analysts create an overview of the space but they also work a lot with large enterprise organizations. These organizations are customers of Forrester as well and they solicit their feedback in terms of platform selection. That’s one.

The other one is from Gartner. It’s a Magic Quadrant from Gartner on Web Content Management. As you can see, Acquia and Drupal are actually positioned here as the best open source vendor. Then we have one more. This is another Forrester Wave on Social Depth Platforms. Drupal and Acquia do really well here, we're among the leaders in this graph.

One thing to keep in mind. I don't know how many analysts are on this call, but typically analysts take sort of a laggard view of the markets. Also, that’s just how it is, frankly. It takes a while. You need to have a certain size, a certain momentum for them to consider you. It’s also one thing that we struggle with as Acquia. They wouldn't consider Drupal on its own so that’s why often you see Acquia on there, which is the combination of Acquia and Drupal, which they do consider. As you can see, ever since we started our efforts building analyst relationships, Drupal has been gaining momentum quickly with the analysts and we hope that will continue, obviously.

What are some of the common misconceptions about Drupal and what do we see in the market when we compete with proprietary vendors?

Obviously, there’s a lot of FUD. For those who don’t know FUD, it stands for fear, uncertainty, and doubt. We have great examples. Actually, just to kick it off, here is one of them, some infographic from a digital agency. I’m not sure if you can actually read all the text but it’s a flowchart. Unless you are already absolutely in love with open source or are running a super simple website, all paths lead to commercial. You can see it on the right. All the arrows point to commercial solutions. Obviously, that is a little bit funny. If you know what the agency does, it primarily works with proprietary vendors. It actually doesn’t work with open source solutions at all, so no surprise there.

We see these kinds of things a lot. We collated them. We sort of grouped them in five buckets, if you will, which is presented on this slide which we'll talk about in the rest of our presentation. Often Drupal is perceived as just for blogs or very simple websites. Others say Drupal isn't secure. Actually, it comes up quite a bit. “Drupal doesn’t scale and can't handle the world’s largest websites.” That is also one of the things that is being mentioned often. Or, “Drupal requires tribal knowledge.” Fifth, “Drupal doesn’t work well with my marketing tools.” These are the five ones that we'll focus on.

The first one is: “Drupal is just for blogs and simple sites and not for global enterprises.” Here you see a copy of a white paper that Sitecore has on their website. I think you can still find it there. As you can read on the slide, they say things like, “We quickly discovered that Drupal's capabilities were a mile wide and an inch deep. The minute you go beyond exactly what open source can do out of the box, it gets very complex very quickly.” Suggesting that you can only do very simple things with Drupal, which needless to say is complete – beep – [Laughter].

We have a lot of great examples of how Drupal is being used by very large organizations. One of the best examples, actually, is GE. Obviously, one of the largest organizations in the world. They actually moved to Drupal from Autonomy TeamSite and from Vignette to Drupal. They have a couple hundred Drupal websites right now, I believe. They selected Drupal because it provided them way more flexibility and better velocity compared to TeamSite and Vignette. It was very difficult for them to make changes, very slow process. Now, with Drupal, they can go much faster.

A great example of an organization standardizing on Drupal throughout the organization. Another one is NBC. They've been a Drupal user for some time now. If you know NBC, it’s actually a collection of different companies under the NBC umbrella. They’re actually standardizing on Drupal for all of their websites across all of their organizations, if you will. So all of the sports websites, all of the entertainment websites for their different shows and television channels, and even their news properties have moved or are in the process of moving to Drupal. Pretty big websites like nbcnews.com, websites like the Winter Olympics website. At some point, I think it was during the final hockey game – I’m not big on hockey – but I believe they were serving over 40 million pages an hour, or 40 million users even, an hour. So, big websites, mission critical websites for these organizations that are sort of transferring their business to digital. These are not side projects. These are their main websites.

Warner Music is another great example. They have 300-plus websites on Drupal from David Bowie to Kid Rock to many other big artists. Needless to say, these are not simple websites, and managing 300 websites is not a simple task, either. So complexity in these two dimensions, if you will. With Drupal, it now became much, much easier to launch new artists and new brands which allowed them to compete effectively in their space.

Drupal really is not just for small sites. In fact, over 50% of the top media and entertainment companies use Drupal. You can see some of the brands in here.

It’s very well established in government as well. We actually did some research and we found that over 130 nations across the world use Drupal. Both at the federal level, at the local state level, it’s everywhere basically. Not just in the US but also the European Commission, doing a lot of work with Drupal, so it’s pretty exciting in my mind.

Extremely well adopted by universities. Seven of the eight top universities are using Drupal, often with hundreds of sites. I was at Stanford not too long ago and I met with the CIOs of the eight schools that they have. Among the eight of them, they had over 2,000 or 3,000 websites on Drupal, so pretty impressive. That seems to be a pattern for many of the universities and they do all sorts of websites on them – departmental websites, classroom websites, lots of different sites.

Just a couple of other quick examples here. We see a lot of adoption, as of a few years ago, within sort of the largest technology companies in the world. I mentioned GE already, but also Intel and Verizon, Red Hat and Alcatel-Lucent, building very big Drupal sites. Some of these websites saved them millions of dollars actually. Again, great examples of how Drupal is very successful in the enterprise with pretty complex implementations.

Emerging very rapidly is life sciences with organizations like Pfizer and Johnson&Johnson. Drupal now has 33% adoption within those, which is awesome. Financial services, same thing. Lots of large organizations like the New York Stock Exchange frankly, and Euronext in Europe. They have over 80 websites in Drupal, so very exciting. It doesn’t stop there. There are many other examples of Drupal.

If we actually look at some other data here, and this is data according to BuiltWith.com. It’s a website or a platform that tracks all the technologies that are being used on different websites online. So if you look at the top 100,000 sites, we see that Drupal runs about 3.5% of all the top 100,000 websites, according to Quantcast. That’s actually up from – as you can see, 2% in 2011. Tremendous growth in the enterprise, and our two top proprietary competitors that we see, Adobe and Sitecore, as you can see, they run less than 0.5%, or less than 1% combined even, and their growth seems to be more flat. It’s funny that these organizations try to compete with us and say Drupal doesn’t scale and Drupal is not ready for the enterprise or for big websites when, in fact, we run many, many more sites than they do. So that’s one.

The other one is: “Drupal isn't secure.” We hear that one actually quite a bit. Here’s another snippet from something that we read from Bridgeline Digital. You may not know them. I didn't know them, but they’re a small software as a service web content management company. They published this anti-open source white paper just last week actually, so this is very fresh. I’ll leave it up to you to read, but they're basically saying that open source platforms are very insecure and that it’s a really bad idea to use open source. Which obviously, we don’t believe is true. We have real data and examples to back it up.

Here’s the example of We the People, which is part of the White House, so it’s sort of a sub site of whitehouse.gov. Needless to say – I don't know if you guys know on the call but there are like 34,000 websites in the government, of which there are about 10 that can never ever go down according to the government, and whitehouse.gov is one of them. This is one of the most business critical websites within the US government. For that website to use Drupal, obviously, is a great testament to open source and the security of Drupal and open source in general. It’s not even a small side project for them. We're talking about a petition website here that allows every citizen of the United States to create a petition and to sign a petition, which is a fundamental right of citizens in the US. We're talking about the United States of America moving one of the core functions – it’s part of the First Amendment – from doing it through other systems to bringing that online and making that digital and making that accessible to all of the citizens of the United States. Key initiative using Drupal successfully. So to say that Drupal isn't secure or that open source is insecure seems a little bit farfetched.

In fact, here’s a quote from Forrester on Facebook to a customer. So Forrester wrote about this customer, “One interviewee from a global pharmaceutical organization believed that his open source web content management solutions were more secure than proprietary ones. And many also feel that the open code base is a particular advantage, as it allows organizations to explore potential security vulnerabilities.” This is exactly why open source is more secure. I can tell you that as the Drupal project, we do take security very seriously. We have a security team, for example, which has more than 30 people on that team whose job and responsibility is to help make Drupal the most secure content management system.

Not just that, we also have a culture of peer review when we are developing the software. In proprietary companies, when one of the engineers makes a change, that person is most likely to just commit the change to the next version of the platform. In best case scenarios, there is one other person in the organization doing a code review. But in most software organizations, that’s actually not the case. Whereas, in Drupal, for somebody to make a change to Drupal Core, especially complex changes, some of these changes are being reviewed by 20 people or 10 people. But in every single case, every patch or change is reviewed by at least one other person. In most instances, actually by multiple people. We really use best practices in software development to help keep Drupal secure.

The other thing we do is when we do find a security bug in Drupal we're actually open about it, versus most proprietary software vendors, who will just not mention that at all. They group that under numerous bug fixes or things like that. I think that culture of transparency is actually very healthy versus just not being transparent, I guess. That is actually recognized. Here’s a quote from the CIO of the DOD, the Department of Defense in the United States. He says, “Continuous and broad peer review” – like I had just explained – “enabled by publicly available source code, supports our software reliability and security efforts.” That’s exactly what I just said.

The other thing that I’ll add is not just the contributors that are building Drupal that review the source code but it’s also – for example, before the Department of Defense decides to employ Drupal, I bet you they do security audits. Before another government somewhere else in the world decides to adopt Drupal in a significant way, I bet you, they do a security audit, too. Drupal has literally been security audited by expert organizations multiple times because of the scale and the adoption that we have, which the proprietary competitors don’t necessarily have.

In general, I feel like you should feel pretty good about security in open source and in Drupal. That doesn’t mean there’s never going to be a security issue, but when there is, we actually handle it really well in a transparent way that enables everyone to act very quickly.

Moving on, the third myth is: “Open source won't scale to handle the world’s largest websites.”

There’s another example from Sitecore, a white paper called, “The Siren Song of Open Source CMS.” I highly recommend you download it if you need a good laugh. They basically say exactly that – open source doesn’t scale. Of course, there’s so much proof of that not being true. Open source is, in today’s world, inspiring technology in the enterprise. Not just at the level of CMSs but operating systems with Linux, databases with NoSQL and MySQL, Big Data with Hadoop, and also digital experiences like Drupal. I think open source has shown that it creates very large platform winners that leave proprietary alternatives behind. I believe that’s exactly what’s happening with Drupal today.

Needless to say, we have a lot of examples here. Here’s the website of the Grammys which has been using Drupal for at least three years right now, in a row. The last grammy.com or Grammy Awards show, which was a few months ago, they actually had 460 million hits in one night. Needless to say, Drupal does scale.

Here’s another example. This is the MTA. During Hurricane Sandy, the MTA website, built in Drupal, was the only website that stayed up for people looking for traffic information on how to get home, these kinds of things. We served 5.1 million customers in the New York area during that hurricane and had 30k concurrent visitors to the platform. So sometimes, people say, well, it’s easy to build a website and do lots and lots of pages because you cache them all. But I think both grammy.com – it’s an example where they had updates to the website every minute. It wasn’t an all-static website. Certainly, mta.info, there’s a lot of dynamic parts to the site. Limited cacheability there.

Another great example is weather.com. They’re in the process of moving from Percussion, which is a legacy CMS, to Drupal. Very exciting to me because they are one of the largest websites in the world. Everybody checks the weather and everybody goes to weather.com for that. Also the data feeds that they send out to many of the apps and things like that, it’s all going to be covered by Drupal in the end. A top 25 website in the world moving to Drupal, I think, is a huge testament to our scalability.

The next one. Now we're talking about the fact that: “Open source requires tribal knowledge.”

Again, the Sitecore white paper. They’re saying things like, “Open source isn't well supported by a community of developers.” And they say, “Developers can be an excellent resource for enhancements and bug fixes, but when they’re actually going live with your website, they may not have any accountability to you. They’re not willing to help you.” These kinds of things. The reality, of course, is that the Drupal community is large and there's a lot of people in the community, many of whom are willing to help you.

Here are some quick stats actually. Drupal is one of the largest open source platforms in the world, especially if you measure it in terms of number of people that are part of our community that are contributing. We may not have the same install base as Linux but we do have an incredible amount of people that are active in the development of Drupal. Over 28,000 developers a year actually make changes to Drupal and they’re all around the world 24/7 making Drupal better.

It’s funny that proprietary CMS vendors call us out on that because – I don't have the details here, but I don't know how many developers Sitecore has. If they have 100, I think that’s probably going to be a pretty good guess. Maybe they have only 50. Maybe they have 200. Maybe they even have 500 which they definitely don’t have. It’s still small numbers compared to Drupal where we have 28,000. Where are these experts on Sitecore, for example? It’s really funny that they call us out that way because it’s not unlike Drupal where – except we have many, many more people.

For those people that do have concerns about support of open source – and that’s exactly why I created Acquia frankly, to help provide commercial-grade support to these large organizations. But also, we have a large ecosystem of other companies that can help build your Drupal sites and do these kinds of things. Our ecosystem is definitely much larger than that of our proprietary competitors.

Forrester, again, wrote, “As one Forrester customer told us, ‘We had some concerns about support with open source, but we felt like a commercial company like Acquia could make up for that and give us the support we need.’” What that really means is that the combination of a company like Acquia combined with open source brings together the best of both worlds. You get all the advantages of what the proprietary enterprise software vendors will sell you like support, certain guarantees around uptime and all of these things, but you get that combined with the innovation that’s coming out of open source. Like the innovations coming from these 20,000 and more developers around the world. It allows you to build really robust websites but also to innovate much faster than your competitors using proprietary software. That’s exactly why Drupal is being adopted that often.

All right, so our last myth here is: “Drupal is more expensive.”

Which is funny. They often make comparisons with “free puppies” and there’s some truth to that. Open source isn’t entirely free. There is no license fee, but there’s definitely other costs to using and running software. So let’s look into some of these costs. Here’s actually a quote that was sent to us by somebody that was looking at Adobe. Adobe, in their sales pitch, made the comparison between using their stuff and Drupal. As you can see, according to Adobe, to build these particular websites with Adobe, you needed about $1 million but to do it in Drupal, you need about $2.5 million, so 2.5x more expensive. They say it’s more expensive because Drupal lacks basic functionality and they gave some amazing examples like, “We like the ability to have dynamic content or mobile or multi-site management.” Obviously, these are all things which have been baked into Drupal actually for over 10 years. They are just lying about Drupal to try and win deals.

Here is another example from Sitecore, and it’s funny to see how they pitch about what they do. They say, “Well, there is no license cost in Drupal but,” and this is the first lie, they say, “The license cost is only about 5% of the total implementation cost.” Which usually it’s much more than 5%, but then they say, “Even though there’s no license cost in Drupal, the actual implementation cost is so much bigger that the license cost doesn’t matter.” They wrote, “Reducing that 5% with savings on an open source CMS can drive up the other costs significantly, usually resulting in higher total expenses.” That’s complete bullshit as well.

In fact, let’s get some numbers here of how Sitecore or Adobe compare with Drupal. The first table is Sitecore or Adobe. These are numbers we made up based on what we see in the field. Let’s say the license fee is $200,000.00, which often is much more. Then there’s implementation services, say $200,000.00, and then the proprietary vendors always add on like maintenance and hosting so let’s say that’s $40,000.00 each for a total of $480,000.00 in Year 1. Of course in Year 2 and 3, the license fee disappears but you still need to pay for some implementation services and you have to keep doing maintenance and hosting, and so for this particular example, it’s going to be about $680,000.00 for three years.

Now, in Drupal, there is no license fee, so that comes to zero for all three years, but there are still some implementation services. Somebody still has to help build your websites. In the case of Drupal, it’s typically going to be about $150,000.00 because of the fact that there’s so many contributed modules out there, over 20,000 modules, so a lot of the features and the functionality that you need or want for your websites are there as starting points or they’re there and they can just be used. Typically, what we see is that the implementation costs are lower because of the vast amounts of functionality available in the open source projects. Then maintenance and hosting in our case, it’s bundled in what we call Acquia Cloud and so typical price points there are $60,000.00 a year. If you combine everything, you can see that the total over three years is significantly lower than the proprietary vendors.

We'll quote you, and in fact I believe the average deal size for Adobe is – I thought it was $1.4 million. They’re definitely not that cheap and we’ve seen that a lot with our customers and Drupal users. For example, the State of Georgia, they have a 10-year-old proprietary platform that they decided to move to Drupal and in doing so they actually projected that they’ll save almost $5 million over five years for about 55 websites that they have on Vignette. These numbers are real. We have the people responsible for that project to back that up with real quotes. We see that over and over again, that not only is it cheaper to move to Drupal but it actually increases their velocity as well so they can do more with less money.

Which is what a lot of people have to do, frankly, because most organizations have to tend to more and more websites. They go from having one or two websites 10 years ago to having to manage dozens or hundreds or, in some cases, thousands of websites. At the same time, each of those individual websites has also become more complex, like we went from having static content to dynamic content to pretty complex websites with integrations and CMS systems and CDN systems and marketing automation tools. There are these two forces. Force one is more and more websites, and force two is the web that’s accelerating and the complexity of the websites increasing as well. Yet at the same time, the budgets haven’t sort of followed that trend. Many, many organizations find themselves in a situation where they’re challenged having to do all the things they need to do. So open source has been a life saver for many, enabling them to do more with less.

There’s some bonus, extra myths here. Some people say, “Drupal doesn’t have a roadmap.” Other people say, “Drupal doesn’t have an upgrade path.” These things aren’t entirely true. It’s true we develop our software differently than proprietary software, but we do have a vision and a roadmap. The way we organized that for Drupal 8, for example, is we have eight or nine initiatives, examples being configuration management, mobile, or authoring experience. We set out these big themes, if you will, and that’s effectively our roadmap.

Same thing with an upgrade path, Drupal does provide an upgrade path from one version to another. Of course, if you have custom modules, it’s not going to automatically upgrade because we do break backwards compatibility. We break backwards compatibility because we believe it’s more important to innovate and to make sure Drupal stays modern than it is to provide 100% backward compatibility. But once we make a release, that release is frozen and we will support that for many years. There’s a stable platform with security fixes and bug fixes. Basically, there’s a lot of stuff being used to try and debunk the success of open source and Drupal.

With Drupal 8 around the corner, I think once Drupal 8 is released we’ll be an even better, stronger project. We’ve been doing a lot of work around authoring experience, making it easier and better for either one author or a team of authors to publish content online by doing things like integrating WYSIWYG and adding in-place editing. These kinds of features really make it better and faster for content managers. I’m very proud that we were able to make that a main focus of Drupal 8.

Obviously mobile was a big initiative, and I did my State of Drupal keynote four or five years ago. I said, “If I were to start building Drupal today, I would build it for mobile first and desktop second.” That’s not exactly what we did, but in a way, that is what we did. So for the last four years or three years, we have refactored every aspect of Drupal pretty much to be mobile-friendly. All the way from making sure Drupal is responsive. Not just basic responsive features but also things like responsive tables where certain columns disappear depending on screen size, a responsive toolbar to make sure that the navigation works. We’ve also been working on a mobile preview feature so if you are authoring content, you can quickly preview how that looks on mobile devices. But also in the backend. Mobile is not just building mobile websites to be viewed in a mobile browser, but also native apps like iOS apps or Android apps. Everything in Drupal is also exportable through a RESTful API and that will actually enable organizations or people to build mobile apps very easily on Drupal. All of that is out-of-the-box functionality with Drupal, so it’s pretty exciting.

Multilingual has been a key initiative. I think there was a question about that and I’ll address questions in a minute here but to build a multilingual website in Drupal 7, well, it’s entirely possible but it took like 20 contributed modules or something. All of these or almost all of these modules have been moved into Drupal core, the base platform and then updated and extended even with more features and functionality and lots of usability improvements as well.

Multilingual and globalization support, we’ve made massive improvements there in Drupal 8. As I mentioned, we’ve really adopted RESTful APIs into Drupal. In Drupal, every piece of content, whether it’s an article or a discussion or a comment even on an article or a user in a user profile, all of these things as well as new things you define in Drupal using our entity system automatically become RESTful enabled, and so that’s not only good for building native apps as I mentioned but it’s also really useful to integrate Drupal with other systems.

On the right of this slide, you see the marketing technology landscape. This is a collection of tools. Some of the tools the marketers can choose from to build their marketing stack, I guess. There are literally hundreds of tools that need to be integrated with their content management system. Our proprietary competitors focus on a handful of these like the big players, like Salesforce or Marketo, but often, smaller or more specialized tools are forgotten and a lot of these simply cannot be integrated because the proprietary vendors don’t have flexible APIs or they simply don’t have the right API, whereas they can be integrated with Drupal because everybody can make changes to Drupal. We’re pretty excited about building more of these integrations and letting marketers use the tools that they want to use versus having to use the tools that happen to integrate. We’re very excited about Drupal.

Then just to wrap it up before the questions, a couple of slides about Acquia. We see ourselves as the digital business company. That’s not how we were born, so to speak. Initially, we were all about being a company that provided commercial-grade support for Drupal, which is still our focus, but more and more we’ve been working with large customers and we’ve been helping to define their digital business strategy and we’ve been helping them with that transformation of becoming digital businesses. We’ve been very focused on empowering companies to deliver great digital experiences that integrate content, community and commerce, all using Drupal.

We have done quite well so far as a company. We’re more than 440 people and have been recognized as a very fast growing private company. Most recently, Deloitte recognized us as the second fastest growing technology company in the United States, and we have customers in all of these verticals that you see. To do what we do, to provide that support with the digital transformation that organizations go through, we use this kind of mental model where all of that is built on Drupal. It’s our platform layer, if you will, that people use to build dozens of websites or hundreds of websites. On top of that, we have some proprietary software as a service which we call the Digital Engagement Services. Things like Acquia Lift, which provides personalization and targeting, but also Acquia Search and Mollom, that basically allow organizations to better engage with their visitors and drive them to a transaction, either an eCommerce transaction or some other transaction.

At the bottom, we have a Continuous Delivery Cloud called Acquia Cloud, but also Acquia Site Factory, and basically that is our platform that we use to host websites, but also to provide lots of tools to help with continued innovation, testing, and these kinds of things.

Our model as a company is sort of a sandwich model, if you will, where Drupal sits in the middle and then at the bottom and the top, the buns if you will of the sandwich or the hamburger, are paid services that customers pay for. As such, it’s a complete solution for organizations that want to build a digital business.

All right, so let’s wrap it up here. Of course, I think most of you have heard this famous saying from Gandhi; he said, “First they ignore you, then they laugh at you, then they fight you, and then you win.” I think this couldn’t be more true for Drupal and open source. We were completely ignored for the first 10 years, almost, or less, but people are clearly laughing at us as you could see from some of the screenshots and they’re clearly fighting us with FUD, but we’re also clearly winning. If you look at the numbers, I think the numbers speak for themselves and that’s pretty exciting.

I think in a way, open source has already changed the industry. If you think about the traditional web content management systems that were born in ’96, things like Vignette and Interwoven, while they’re still around, I think they have been replaced by open source alternatives, not just Drupal but other solutions as well, WordPress and TYPO3 and Joomla. A lot of people have migrated to these, and I think what they’ve done is, because they were pushed out, they kind of redefined themselves as marketing cloud tools, which is CMS tools plus additional services, additional things. I think we have an opportunity to basically also go after them and replace the Adobes and Sitecores and the Oracles of the world.

I’m personally very passionate about that because systems like Adobe are extremely expensive, they cost millions of dollars, and this transformation of companies figuring out how to do business on the web is so important to our world that we can’t have these tools only be accessible to the few that can pay millions of dollars. I think we really have an opportunity to bring these capabilities, the right way to do business online, to the masses and sort of do well for the web and make sure that the web is in good shape. I’m very excited about Drupal going after this and I hope you guys are, too.

If you want to read a little bit more about some of the things I spoke about in the webinar, there are some links. You can see the links on the screen and they will also be shared later, but definitely feel free to check out these things a little bit more. Which I think brings us to the Q&A session.

Moderator: Yes, great. Thank you so much, Dries. If anybody has any questions, could you please ask them now in the Q&A tab? We had a couple come in during the presentation, and the first is, “What is the difference between Acquia and Drupal?” Some people just wanted some clarification on that.

Dries Buytaert: Yes, sure. I mean, I think I spoke about that just a few slides ago, but Drupal is open source software that people use to build websites and Acquia is a company that helps organizations to use Drupal effectively. I guess I’ll leave it at that. Just check acquia.com, I would say, for more details. Other questions?

Moderator: Yes. The next one is: Can you compare WordPress to Drupal?

Dries Buytaert: Sure. WordPress is an open source CMS or blogging platform. It is very widely adopted. It’s actually more adopted than Drupal and it’s typically used for less complex websites. I purposely say less complex because some of the WordPress websites have a lot of traffic, but they’re typically a lot less complex. They don’t usually have deeply integrated social platforms and these kinds of things. So because WordPress is open source, they’re sort of part of the family, and WordPress’ success is great for Drupal and vice versa. I think Drupal’s success also validates WordPress and the open source model.

Certainly, we see a lot of people use WordPress, but it’s typically more in the low end of the spectrum. In our situation at Acquia, where we’re focused on larger customers, we don’t usually run into WordPress too often. It’s not one of our main competitors. We don’t see them in the majority of our deals, but sometimes we do and we can coexist with WordPress. Sometimes people run into the limitations of WordPress and they want to move to Drupal.

Obviously, it’s great software. I’m personally also great friends with Matt Mullenweg, who is a project lead at Drupal. We get together and share notes. I think one last thing I’ll say is that maybe five years ago, people would also sort of say, “What will I use, Drupal or WordPress?” But I think both of our projects have found their spots. I think Drupal is clearly dominating in the enterprise section of the market and WordPress is clearly dominating the low end of that market. I think I get a lot fewer questions about, “What do I use, Drupal or WordPress?” That’s a good evolution.

Moderator: The next question is, “We’re interested in implementing a create, watch, publish everywhere model. Can Drupal help us accomplish that?”

Dries Buytaert: Yes, it can actually. Drupal allows you to enter content and then publish it in multiple channels. The default in Drupal 7 is HTML, but through the web services support, it can also go to other systems. Then there are also ready-to-go integrations; there’s Twitter integration, Facebook integration, integration with other social media tools, which are also channels. So when you publish something in Drupal, that can automatically get pushed out to Facebook and Twitter, to drive people to your website. That works really well actually in Drupal 7 and will be even better in Drupal 8, because we’ve made substantial improvements to, as I mentioned, the web services support but also our content modeling tools. I think it’s actually one of the reasons people adopt Drupal compared to other solutions.

Moderator: I think we’re running out of time, so for anybody’s questions that don’t get answered, we’ll definitely follow up and get them answered for you. For the last question, we just want to ask, “Can you expand on your cloud offering? Is it just SaaS based or also infrastructure or platform as a service? Are they hosted and supported? Example, 24/7 uptime, etcetera.”

Dries Buytaert: Yes, so we have a product called Acquia Cloud. It’s all built on Amazon Web Services, AWS, and we have it in different flavors, so to speak. One flavor is our platform as a service offering. In that case, you can upload your sites, your Drupal code, to our servers and we provide you all sorts of tools around that, like Git support and Git repositories. We will automatically provision you one or more staging environments, depending on how many you need: a development environment, a staging environment and a production environment. There are tools to make it very easy for you to push code from one to the other, but also files. It’s really built around optimizing the developer experience of the Drupal developer.

Many organizations have to set these things up, so if you use a traditional hosting provider you have to go and build all of these things, which can take months of work really, to build the developer tools. With Acquia Cloud, you get these out-of-the-box, and you’re ready to get going from day one, but then once your site is in production, there are also a lot of tools in there. We can dynamically scale your site when there’s a traffic peak so your best day isn’t your worst day, so to speak. All of that is through platform as a service, so developers can make changes to the site and extend Drupal every way possible that they can imagine.

Then we also have software as a service flavors. We have a product called Site Factory which effectively allows you to run your own software as a service platform, so it’s optimized for multisite case studies. Say you need to bang out campaign websites, or if you are a pharmaceutical company, you have to manage recall websites or something of which many exist. Site Factory allows you to do that in sort of a software as a service model. I believe we have webinars on each of those things, so I encourage you to check those out if you need more details, but it is a state-of-the-art Drupal platform, really, for not just hosting it and running it on a daily basis, but also developing it and creating your Drupal sites.

Moderator: Thank you so much, Dries. For anyone that didn’t have their question answered, we’ll get it answered for you. I want to say a big thank you to all of you for attending and a big thank you to Dries. Slides and recording will be posted to our website in the next 24 hours and we’ll also email you out a copy. Thanks, everyone, for showing up today.

- End of Recording -

Hannah Corey: Today’s webinar is Accomplishing Your Marketing Goals with Drupal 8. We’re really excited for this webinar, and we want to thank Appnovation for co-hosting it with us. The presenters today are Jonathan Whang who’s the Lead Developer at Appnovation and Kris Vanderwater who’s a Developer Evangelist here at Acquia. We’re really excited for both of them to take time out of their day today.

Jonathan Whang: Okay. Hi everybody. My name is Jonathan Whang, and I’m a Lead Developer with Appnovation Technologies. Appnovation is one of the world’s leading open source development shops, with over 150 clients and having delivered nearly 400 projects since our inception. We have six offices in total; our headquarters is in Vancouver, BC, with our US operations run out of Atlanta and our EMEA operations run from London, UK. Through these offices, we have been able to serve companies around the world. Some of the technologies we use and solutions we provide include Drupal, Alfresco, SproutCore, HTML5, Mobile Apps, MuleSoft, Jaspersoft, MongoDB, Hadoop, and various e-commerce solutions. Some of our more notable clients include NBC Universal, Intel, Pfizer, the NBA, Google, Fox News, American Express, Reebok, Samsung and also the US Department of Defense. We have very strong partner relationships, and Appnovation is the only company in the world that is both an Enterprise Select Acquia partner, a MuleSoft partner and a Platinum Alfresco partner. Just to give you guys an outline of what we will be discussing today, we will be talking about how Drupal 8 is different from Drupal 7, and how these differences will help achieve your marketing goals. So, the three main points we are going to discuss today are Web Services in Core, the What You See Is What You Get Editor in Core, and some New Functionality. With that, I’m going to pass you over to Kris, and he’s going to talk about the Web Services in Core.

Kris Vanderwater: Thanks. Very quickly, I’ll just tell you a little bit about myself so you know who’s talking to you. I’m Kris Vanderwater. I am Acquia’s new Developer Evangelist. I was actually one of the initiative owners for Drupal 8 and have worked very heavily in blocks and layouts and a number of other areas in Drupal 8. Just to help push things forward there, you can’t do much in Drupal Core without getting your hands dirty everywhere. I’ve done quite a bit of web services work during my time at various other companies that I’ve worked for, and with that I’m just going to take you through some of the things that you’re likely to see from a web services perspective in Drupal 8.

First, I just wanted to talk for a minute about some of the problems that Drupal 8 is trying to address. During his keynote at DrupalCon Portland, Dries presented a slide that indicated that 70% of respondents in a large survey said that providing an optimal experience across all screen sizes and devices was a source of major, major difficulty. Of those surveyed, only 11% of their organizations had actually embraced a “mobile first” solution, and 33% of those want the “responsive design” features in their CMS immediately. This is of course very relevant to marketing. A large number of devices and screen sizes means that catering your site to everyone is harder than ever, and your message could be lost simply because of the device someone views your site with. Now, a good responsive design solution embraces the differences in devices and allows you to communicate more clearly based upon the device that someone’s using. Drupal 8 is actually taking great strides toward this goal. It’s prioritized the need for Drupal browsing in a number of different ways, including a dedication to a mobile first browsing solution. Today we’ll be giving you a peek into how the solution references these issues beyond just its mobile first focus, and so that would be web services. Web services is normally a dry topic, but I’m going to quickly give you some upfront foundations about what we’re going to talk about here. In Drupal 7, web services have been available to us for quite some time. This is especially helpful when we consider any interaction with a third-party system, such as another website or a native mobile application. Leveraging web services is really the go-to solution for this problem space. Structurally in Drupal 7, there were a number of problems with this. Primarily, the most major problem was that Drupal 7’s route handling wasn’t built with this in mind.

This is a technical way to say that D8 modules have to spend an awful lot of time and effort hacking around what Drupal was trying to provide by people. So, they created a number of different solutions that would basically work, but the best practices that the world at large was following weren’t necessarily being followed in Drupal 7. To this end, the most common solution in Drupal 7 was actually to leverage the Services module, and now Services is a really great module but it has a couple of drawbacks, and primarily in a [audio gap] developers needed to create any sort of custom, what we call entities or data storage mechanism. They would have to create an awful lot of additional code just to do any communication with a third-party app or another website. This of course meant more work for your developers over a longer period of time and likely would result in ongoing troubleshooting as well. In an effort to remedy this, many attempts were made in Drupal 7 to do entity generic services. This ultimately emerged as a really powerful pattern, but it took a long time for Drupal 7’s cycle to properly establish this pattern.

Now moving forward to Drupal 8, it’s embraced this approach that was ultimately achieved in Drupal 7 since day one. There are two different types, and we’re only going to really talk about one of them here. It’s what we refer to generically as content entities. Is there anything that you can add a field to? If you’ve ever actually worked with Drupal 8 and seen nodes you can add additional fields to, you have an idea of what it is that I’m talking about here. This could be things like nodes or users, comments. If you’ve ever worked with Drupal Commerce, maybe products, line items, orders, all those sorts of things that really are the very powerful core of Drupal. These entities come out of the box and can be activated per entity, and for those of you who are not familiar with this approach, this is really just a general way for you to communicate externally about this data. Very, very powerful, again, for any sort of third-party application and useful for maybe the iPhone or an Android phone, something along those lines.

To this end, Drupal’s invested very heavily in various types of data serialization. Now, this is a really technical topic, and I’m not going to talk about it. Suffice it to say that your developers will really appreciate the effort that went into this because it means that your data can be passed around in the format that will work per situation. What we like to call “CRUD” within the industry, which stands for Create, Read, Update or Delete, is also a basic part of the entity services that have gone into Drupal 8. This will give your developers a really robust framework from which to begin working. That’s going to dramatically reduce the amount of troubleshooting that they’re probably going to need to do for custom entity types and allow them to really focus in on building an API that works for your specific use case. When we begin talking about building a third-party solution in a native application, focusing in on what the API should really look like is really where your developers should be spending their time, and it’s ultimately what’s trying to give your application the best foot forward and be able to communicate with your target market more quickly, more accurately and more relevantly. So with that, we’re going to be talking a little bit about – I guess I actually covered this slide. [Laughter] In short, it’s just going to make your life a whole lot easier in terms of really getting your product out there and communicating with your audience. With that, I’m actually going to hand it back over to Jonathan.

Jonathan Whang: All right. Thanks, Kris. Now, what I’m going to talk about is the functionality which we refer to as “WYSIWYG” or What You See Is What You Get, and how that is now packaged in Drupal 8 Core. Just in case, we’re trying to stay away from being too technical on this webinar. The What You See Is What You Get is just the editor for large text areas that allows content administrators or site users who have access to create content. They have the ability to upload images and post hyperlinks and big snippets of text and do formatting within the text area to have it show up the way they would prefer it to show up when they’re looking at HTML. That’s why the term “What You See Is What You Get” was coined. What we are used to within the Drupal 7 world is, after the latter stages of Drupal 7, there has been a consolidated WYSIWYG contributed module that was developed. The module itself served as the backbone for WYSIWYG implementation, and it could support all the other plugins that allow users to select from different flavors of the actual editor, and some of these plugins are CKEditor, FCKeditor, jWYSIWYG, NicEdit, TinyMCE, YUI Editor, and if this doesn’t really sound familiar to you, then it’s likely because some of these plugins aren’t very popular because they don’t work very well. Actually, CKEditor had gone on and produced their own standalone module that some sites would use where they don’t like the flexibility of the actual global WYSIWYG module. Some of the benefits of this are that it is highly configurable. So, each editor can have its own settings and you can choose what buttons would show up. If you refer to the slide, the area that is encased in the red border is a sample of what the toolbar would look like customized. So, you could pick what kind of button shows up there. Think of it as like a Microsoft Word toolbar, which gives you things like bullet points and lists.

Also, each text format that you would create – so text formats are customizable within Drupal. If you create that, then they can have their own editor. So, different fields would look different based on the configuration of a site. This is what it is in Drupal 7, and if you guys have used Drupal 7 sites, then you would know how it works.

Some small issues with the current implementation: downloading the module, getting the editor plugin library set up with all the correct files and the latest versions, and configuring all of the settings that each plugin needs takes time. Each plugin also has settings, along with the text format, which also has settings. A drawback to being super configurable is it also takes time to actually get up and running, because once you put in the plugin and the module, it comes with bare-bones settings. It assumes that it starts off empty and you’ll have to configure it with the things that you want. Another problem we found throughout usage of the WYSIWYG module for all the sites that we’ve been delivering is that certain pieces of the WYSIWYG are inconsistent. Of course, it comes out looking like a paragraph with line breaks and bullet points and bold here and there when you’re configuring it within the text editor, but the moment you save the node and look at it on the node view page, it starts looking funny. Most of the time, it’s because the WYSIWYG was misconfigured, but again, some of it is also attributable to the incompatibility between the plugin and the actual core module.

Also, image upload has been inconsistent. At the beginning of Drupal 7, from what I remember, not all of the plugins would support very clean image uploading. I believe now the CKEditor does it, but doesn’t really do it very well, and you don’t have much control over where the image goes, and if it’s right aligned, it doesn’t show up as right aligned after the node is saved. These are some of the issues that we would run into, especially if you are a builder of Drupal sites. With Drupal 8, now they decided that the page – because pretty much every site has a page node, and we’d like to ship the WYSIWYG within the core distribution. So, they decided, because I believe CKEditor was the one that was more fleshed out and stable, that they would put the CKEditor plugin directly into Core. So, it is pre-configured with four text formats, and the way that it’s set up is actually easier to understand than in Drupal 7. They have updated the interface for configuring the editor toolbar. It looks really slick, and image upload support has been basically finalized, and it’s really stable even at this stage of Drupal 8. That is the WYSIWYG in Core. That’s the change that they made.

What does this mean for marketers really? The number one users for the WYSIWYG portion of a site end up being the end client, and so non-technical staff will find it easier to use with the current WYSIWYG implementation in Drupal 8. You’ll get fewer calls to the IT department saying, “How come this paragraph doesn’t look the way I want it to?” It does save time on site development: site builders have to choose between different WYSIWYG providers, and they might not have experience with other plugins, but if the client sees that and they prefer that, then the site developer might have a hard time with configuring the preference of the client. The unified WYSIWYG interface would mean that everyone basically is forced to use the standard. It does work right out of the box, so there really isn’t much reason to switch to other plugins, and it is still yet to be seen if other plugins will adopt Drupal 8 support. It has consistent output right when the site gets set up, like you could set up Drupal 8 and right out of the box just have a plain page node and start a simple blog site, and the WYSIWYG configuration works right out of the box without having to configure anything. We will have a demo at the tail end of this presentation to show you how the current WYSIWYG editor works.

On to the new functionality that we chose to discuss for this webinar, which we feel applies most to the marketing side of things. The new functionality for Drupal 8 is the in-line field editing. What this does is it gives users the ability to edit nodes directly on the view page. What that means is when you’re looking at an article, if you have permissions to make edits to content (and you can configure this in the back end of Drupal), you can actually go in and, without having to go to the edit form, you would be able to in-line edit the text and the field values right from the node view page. It has the access restriction configuration out of the box, so if you guys have dealt with configuring that huge permissions screen or form, there is already a setting there to allow you to set up which roles have access to do the in-line editing. The interface is super clean and really slick, and again, you’ll get to see this in the demo. It works for all content types. If you create a custom content type – so it’s not restricted to just the page node. If you create custom content types like a Wiki, or things like that, this in-line editing functionality will be available to your content type as long as it uses the Field API.

So, why is that important? Well, it allows for easier access to modify content and it does reduce the clutter of the previous Drupal 7 administrative interface, so certain people will be less onto the form side or the administrative theming of Drupal. You will really just modify the content right when you’re looking at it. It also allows for ease of use on mobile, and so that ties in with the mobile initiative of Drupal 8.

With that being said, I think we’ll move on to the demo portion, where I can show you the WYSIWYG in action and the in-line editing in action. I’ll have to share my screen. On my screen, I have a sandbox Drupal 8 installation on my machine, and this is an example of a page node that I’ve created. I just named it “First test page” and it’s full of lorem text. So, I’m going to show you the WYSIWYG in action. If I go in to edit this page node – I’m sorry. I should first take you to the configuration that it looks like out of the box. Under the administrative form, you’ll notice that this is already pre-configured for you the moment you turn on Drupal 8. Like, you installed Drupal 8 and this is what it’ll look like. There’s nothing else to be done here. You don’t have to configure anything, and the roles are standard. It means basic HTML versus restricted HTML, so this is the more open text format versus where you’re allowed to restrict HTML, and this one is every HTML possible, and then there’s just plain text, which has security issues but that’s a different discussion. All of this configuration is out of the box and you don’t have to do anything to it the moment you install Drupal, which is great for site builders. So, this is what the WYSIWYG looks like without being configured to add any buttons in it, and you’ll notice it’s identical to the screenshot on the slide that I showed earlier. I’m going to take you through – I’ll increase this. So, what I have is an example; I’m going to add some text here. Right. It’s easy enough to say this is basically – the idea is it’s supposed to be easy for you to create content this way, and you would copy and paste directly from Word into this. This indent here is an example of a block quote, and I’ve just made this bold, so I’m going to go down here and just go save. So the WYSIWYG, it looks exactly the way you’ve typed it in, which is how it should be working in the first place.

This is an example of having the list items and a link to an external site. The configuration for the WYSIWYG, I’m going to take you through that for basic HTML. Now, you’ll notice the interface for this is much cleaner, and if your clients – if you’ve been given access to modify this directly by your site builders, then you’ll know that the previous way was this huge form with a whole bunch of check boxes that you would need to check. You’d have to know what they all meant in order to be able to configure the toolbar. Whereas in this case, you have the items right here, and they tried to make it look like a Microsoft Word toolbar. So if you wanted to put things in like cut, then you would just drag this into, let’s say, one of the groups. Let’s put that there, and that’s what the interface looks like for configuring the toolbar. It’s a lot cleaner and it’s easier to use for non-technical users. I love it too, even being a developer, because it’s just really slick. So, that’s the WYSIWYG editor in Core, and again, this is everything you get the moment you install Drupal 8. There is no need to re-configure this at all and it just works.

I’m going to take you back to my sample page node, and I’m going to demo the in-line editing. You’ll notice when you hover over the body text of the page, there’s going to be this little pencil, it looks like, right at the top right-hand corner. Mind you, I am logged in as an administrator who has permissions to do this. That won’t always show up. Right now, with the black toolbar, you can notice I am an administrator with privileges. This will show up, and I will just click Quick Edit. Now, you notice there’s this fancy little pop-up that shows up, which outlines which field I’m on. If I click into the field, then notice how the WYSIWYG also pops up. I’m going to, let’s say, delete all of this text that I put in because that’s just cluttered, and I’m going to, let’s say, make this italicized, and I’m going to click save. So voila. No need to go into that administrative form; the WYSIWYG does show up in the in-line editor. You could still make use of that even from this site, and it’s a lot quicker to do text edits when you’re browsing through a site. Imagine the usability of this when you’re trying to comb through a whole bunch of forums or a listing of blog posts. You wouldn’t have to go in to each blog post edit form and make your changes if all you’re doing is just checking copy and checking spelling or fixing formatting. This also works for a custom field. Notice I have a different field down here, sample text field. If I click the Quick Edit, and I go in, notice how it says “Sample text field” as my field now instead of the body. I’m going to say, “Hello again, everyone” and save. It does update that field. So it’s really slick. This allows users to basically have an easier time curating their content with no need for technical staff, and again, all of this stuff works right out of the box. I believe I did miss the image, uploading an image. This is the image uploading for the WYSIWYG. Notice how a lot of this configuration comes out of the box.

[Pause] You can add the alternative text in-line. Say, this is the demo. Specify your image height to 200 by 200 and say it’s left-aligned. That’s what it’ll look like, and you notice how it pushes all the text over, because it’s left-aligned. It pushed all the text over and it’s left-aligned, and the image is right there where you decided to put it. So, it looks just like it really does when you upload, and it lets you make changes to it. I think that’s going to be it.

I guess in conclusion, this webinar was supposed to introduce people to the benefits of using Drupal 8 and how it applies to – how some of the functionality of Drupal 8 would apply to having marketing initiatives. It will allow you to access a wider market because it makes things easier to curate for non-technical users. It does lower the cost to configure certain sites because a lot of the functionality that we find is common to projects that clients come to us with is already being rolled into just the core Drupal installation. Also, they have made an emphasis on cleaning up the administration side of Drupal because they wanted to make it as friendly as possible for people to be able to manage their site without having to always call their developer or their IT people, because right now, all the rage is mobile. We tried to ensure that Drupal 8 does accommodate having mobile as the number one priority in terms of some of the clients’ requirements. I’m going to pass it back to Hannah.

Hannah Corey: Sure. If anybody has any questions, could you please ask them now. I know there are a couple of comments. We can jump right into those. The first question is, can you talk about performance? I’ve heard the Services module had some pain scaling.

Jonathan Whang: [Pause] Did I speak to that?

Hannah Corey: Kris, maybe you could take a stab at that one.

Kris Vanderwater: Yes, I was talking but I think I was muted.

Hannah Corey: Oh. [Laughter]

Kris Vanderwater: Yes. One of the things about Drupal 7, and I made some allusions to this earlier, is Drupal 7’s notion of what a URL looks like. It’s very different than Drupal 8’s notion of that and how it’s handled underneath the hood. There are definitely some potential performance implications there because, in terms of what it is that you’re actually serving out, you have to bootstrap Drupal each time, and well, that used to be true in Drupal 8 as well. A lot of effort has gone into streamlining that process where possible. Now, don’t get me wrong. Drupal 8’s not faster than Drupal 7 yet, and there’s going to be a lot of effort that’s going to go into it from a performance perspective. But, I think the more important takeaway here is just that Drupal 8’s notion of what a response should look like is just very, very different. Hopefully, we can begin to leverage some better caching strategies on top of it than we could have in Drupal 7. Just to speak very specifically to the issue Services might have had, I’m not going to attempt to do that because I think it’s probably very specific to whatever the use case was at the time. Obviously, if you use a system that’s getting hundreds of thousands of requests coming across it, like you might have, let’s say, a third-party app that gets very popular, that’s going to be a very different situation than if you have an external API that gets used via a handful of other services out there. So, it’s hard to really nail down exactly what that might be without knowing specifically what it was that you had heard about. But, I think the takeaway should probably just be that a lot of thought and effort has gone into what this should look like for Drupal 8. Hopefully, a lot of these situations will be either remedied or have a remedy close at hand by virtue of the architecture.

Hannah Corey: Great. Thanks, Kris. The next question is, can you insert images from the in-line editor?

Jonathan Whang: Yes. Whatever was on the WYSIWYG – this is Jon. Sorry. Whatever was on the WYSIWYG on the full form shows up within the in-line editor as well. So, you can use that. When I did try and play with it, it would do the insert, but I did find some funny behavior, like if you tried to right-align it, it wouldn’t go all the way to the right or sometimes push certain things to the left. Again, that’s basically a by-product of it being still within the latter stages of alpha, pre-beta. So, I’m sure they’ll work out the kinks for that. But yes, you can use the in-line editor to also upload images via the WYSIWYG within the in-line editor.

Hannah Corey: Awesome. Thank you. The next question is, when you use the view source on the editor, does it keep the indentation you set or does it recognize and validate the code in some other way?

Kris Vanderwater: If you’ve used the source for – depending on the text format that you have selected, obviously, it’s going to validate based on that. So, if you’re using a restricted text format – let’s say the site has you configured as the blogger user role, and they only allow you to put in p tags and span tags. You can’t go in there, because you only have access to that text format, even if you do view source and try to add in image tags when you don’t have access to that, or dupe tags or script tags and you don’t have access to that, then the validator will take care of it. I think that’s also a security issue that they made sure they didn’t allow any holes with. I think they also outline within the configuration section of the Drupal 8 text formats that giving access to unrestricted HTML to certain users is a security issue. It’s not a bypass by any means, but if you do know how to write code, it’ll let you put in the tags that you’re initially allowed even without writing the tags manually. But, it’ll stick to the same formatting. I believe the alignment and the margins and the padding are all a by-product of the current theme you are using. So, if it formats Ps while using the – I can’t remember off the top of my head what this theme is. The Bartik theme. Sorry. If the Ps are formatted with the Bartik theme to have margin up and down, then if you put Ps in there, it’s going to use the same CSS as the theme we’re using.

Hannah Corey: Great. The next question is, I like the built-in editor. Is there a function within Drupal that identifies the user customer, for example by IP address, in order to serve up customized content? I think Kris, you can talk to Acquia Lift about that.

Kris Vanderwater: Yes, so just to address that really directly for a second, as part of the initiative that I was an owner of, the Blocks and Layout Initiative, we went to a lot of effort to begin doing that stuff. I can just tell you that as of today, those sorts of features are not in Drupal 8. Our objective was to make adding those things a bit easier. However, Acquia does have a solution for some of this stuff in Drupal 7 called Acquia Lift. I believe we have an upcoming webinar on that. Don’t we, Hannah?

Hannah Corey: Yes, we do. I can send that in the chat section if you guys want to check it out. Thank you. [Pause] Awesome. Thanks, Kris. The last question [Laughter] that everyone is thinking, when is Drupal 8 launching? I know we don’t have a direct date, but maybe you guys could speak to timeframe for everyone out there that’s not that familiar with Drupal.

Kris Vanderwater: Well, the age-old answer to that question is when it’s ready. That has been the status quo since I’ve been involved in Drupal, which has been about nine years now. I know that that’s not a very satisfying answer. Let’s just speak realistically for the moment. I think we are in the late stages of an alpha, and part of what we’re trying to do at any given time is to really reduce the number of outstanding issues, make sure our tests are always passing and that we have all the – we know what we need. This is in an effort to make the beta and the release phases of Drupal 8 as short as possible. However, there are still a handful of features that are being polished or being added to Drupal 8. I would be very surprised to see a beta in the near-term future. I think that there’s probably some desire to push that out just a little bit further. If we do see a beta in the near-term future, then the objective will be to really limit the scope of any new features that are being added to Drupal 8. To that end, I think there is going to be a lot of communication about what our minimum viable product is for any given set of features that are in Drupal 8. I know the entities with them can somewhat be – some of the REST work that we discussed here today is still a little bit in flux, and there’s a real desire to make sure that those things go out as feature-complete and capable as possible. I wouldn’t get too fired up about seeing a Drupal 8 beta in the next month or two. I’m just thinking it is going to be a bit longer than that before we see a beta, but that’s just my own personal opinion, and I am completely guessing.

Hannah Corey: Great. All right. Thanks Kris. I know a lot of people are wondering that. I think that’s it for questions. Jonathan, would you like to end with anything else?

Jonathan Whang: No. I guess, thanks everyone for coming and…

Hannah Corey: Yes, thanks everyone for coming and we’ll send you the slides and the recording in the next 24 hours, and a big thank you to Kris and Jon for the wonderful presentation. Have a great afternoon, everyone.


Moderator: Webinar, Easily Create Maps in Drupal with Leaflet, with guest presenter Amber Matz who’s an educator at Drupalize.Me. Amber, thank you so much for taking time out of your day to present to us.

Amber Matz: Alright. Hi, everybody. Thank you for joining us at the webinar today. I’m Amber Matz. Up until recently, I was Amber Himes, and you can find me on Twitter at twitter.com/amberhimes. I work for Lullabot and I’m a trainer for Drupalize.Me. In this webinar, I’ll be taking you through how to easily create maps in Drupal with Leaflet. For you Drupalize.Me subscribers out there, I have just released a video series on this very topic, and the first three videos in the series are now available. If you’re not already a subscriber, you can find out more about the mapping with Leaflet series and becoming a subscriber to Drupalize.Me by visiting a special page for attendees of this webinar at lb.cm/acquia-leaflet, which is a shortened URL that will redirect you to a page on the Drupalize.Me website.

Before I dive into Leaflet, let me give you a brief overview of how mapping solutions can be implemented in Drupal. There are two things that you need to implement a mapping solution in Drupal. The first is a location storage module. This is the module that is in charge of collecting, storing and, at the very least, providing a basic display of that data. So what that means is that by choosing a location storage module, you are choosing on the backend a particular data table structure; on the administrative side, you are choosing a way or a set of ways to enter in location data; and you’re also choosing, if the module provides it, a field formatter. It’s really nice if a field formatter is included so that you can configure how that data is displayed, at least on a default basic level. The second thing that you need is the mapping module itself. This is the module that is responsible for configuring and displaying the actual map, a map being a set of layers that can be configured to convey geographic information about a location. That can be a very simple implementation to a very complex, interactive implementation. The modules differ in which set of base layers are made available, the user interface controls, the markers and, most importantly, which API or web service they’re using to render the actual map. Depending on your choice of a mapping module, you may get locked in to a terms of service that doesn’t scale to the needs of your application or has implications for a site migration. So that’s why it’s important to really decide and make a good decision about which location storage module and which mapping library you’re going to use. So how do you know what to choose? Well, fortunately, there’s a documentation page on drupal.org that provides a comparison of mapping modules in Drupal, and that page is drupal.org/node/170948. I’m going to go ahead and open that up.

If I scroll down to this table down here, just keep in mind that this page is marked as “Needs Updating,” so take the information with a grain of salt. In the first two rows here, we’ve got the mapping module and then we have the supported location storage module. Here’s Leaflet over here and, as you can see, Leaflet requires Geofield as the location storage module. As you can also see, Geofield is a pretty popular choice for a location storage module. So, if you are just getting started with mapping in Drupal, Leaflet is a great place to start because you can use Geofield as your location storage module and it’s supported by OpenLayers, IP Geolocation Views and Maps, and those two other modules will even support Leaflet maps. So, this is a great jumping-off point if you’ve been reluctant to get into mapping or you’ve been intimidated by just the sheer volume of options and configuration that are provided in the other modules. Leaflet is a great place to start with the mapping module because it uses Geofield and you can always swap out this mapping module later. Alright.

So, Geofield. What is Geofield? Geofield is a location storage module. It provides a new field type that we can add to a content type called Geofield and it also provides widgets for entering many types of geospatial data. It also has some field formatters so it can provide a basic display of a variety of geographic formats.

Leaflet is a couple of different things. So when I say Leaflet, I’m meaning the lightweight, mobile-friendly JavaScript mapping library at leafletjs.com. It’s also a Drupal contrib module that provides integration with the JavaScript library, as well as a field formatter and the developer API, and even a sub-module that provides the Views integration. That’s what I mean by Leaflet. So the first thing that we need to do to get a Leaflet module - or to get a Leaflet map on our Drupal site is to install the Geofield module. So to install Geofield, we would do this in the normal way of installing a module. We would need to download Geofield and its dependencies, which are GeoPHP and CTools, from drupal.org. You will need to enable these three modules, and I prefer using Drush to enable modules. It comes in particularly handy because in the documentation for Geofield, it only lists GeoPHP as a dependency, and if you use Drush, you’ll find that CTools is also a dependency. So it’s just a nice way to find those hidden dependencies that may not be documented. So to use Drush to enable Geofield, I would type “drush en geofield”. This would prompt me to download Geofield and its dependencies if it wasn’t already on my site, and then it would enable them in turn. So a little tip, if you are not quite familiar with Drush, you can also download and enable these modules through FTP and using the administrative UI.

Alright, so I already have Geofield installed on my site and now I’m ready to add a Geofield. So, I’m going to hop over to my example site and I’ll navigate to Structure, Content types. I’m going to add a new content type and I’ll just call it “Location Demo” and save. I’ll go into Manage Fields now, and if you’ll notice in this field type column, if I drop down this list, before I enabled Geofield, I wouldn’t have had those options, but now that I’ve enabled Geofield and its dependencies, I have a new field type called Geofield. So I’m going to select that and give my location field a name. I’ll just choose a widget here; there are four different choices and these widgets can change if there are other modules that extend this. I’ll just choose latitude and longitude and save. Since I already have the demo, I’ll just add a new field type there. There we go.

Okay, so the first field setting is the storage backend, and there’s only one choice, so you can see that this is scalable. If you want to add a different storage backend, you can. I’m just going to save this field setting. For this field, I could make it required, I could add some help text, which is always a good idea. You can also check this box to use the HTML5 Geolocation feature to set default values, and that’s the thing where you’re browsing the internet and a website asks for your location; it’s asking permission, “Do you want to share your location with this website?”, that’s what that feature is all about. So, you can turn that on and you can nag your users for their location. So that’s what that option is about. You can also provide a default latitude and longitude. Number of values, kind of the usual field setting. So go ahead and save these settings, keeping all the defaults, and now we’re ready to add a new piece of content using our Location Demo content type. Go ahead and add content, and I’m going to use my Location Demo content type. Let’s just use the Austin Convention Center, which is the home of this year’s North American DrupalCon. As you can see, it just says I’ve updated my content type and added a Geofield field type, and I’m using this widget, latitude and longitude. I now have the set of fields, actually, that is asking for the latitude and longitude. I don’t need to worry about the display of the latitude and longitude at this point. I just need to enter in the numbers here, and the field formatter, which we’ll get to in a moment, will take care of how that data is actually displayed.

So I’m going to pop over to maps.google.com and I’ve searched for the Austin Convention Center. Even though it’s not giving me the latitude and longitude and those coordinates just yet, I’ve found that if I just click kind of near the marker, I’m still on the location but I’m not on the marker, and Google will give me the latitude and longitude. So that’s a little trick I’ve learned. I’m going to copy this information. The first number is going to be the latitude and the second number is going to be the longitude. I’ll copy the first number here, including all the decimal points, and I’ll paste that into the latitude. Then I’ll go back and I’m going to copy the second number, including the negative sign and all the decimal points, and I’ll paste that into the longitude and I’ll save that. Now, what I get is the location, and it’s formatted in this way: all caps, POINT with a parenthesis, and it even has the longitude first and then the latitude.

How do I configure this information here? That’s in our Manage Display. So if I go back to Structure, Content types, and I manage the display here of my field, I can see all of the different formats in which I could display this data. So I’ve got a location point that I entered using a latitude and longitude widget, but I can display it in any number of ways. I will try the latitude and longitude, and then this little gear up here, and I can further refine the settings of the latitude and longitude. If you don’t understand all of these terms, just use the defaults. These mapping solutions really scale - you can do a basic implementation to a really advanced one. So there are lots of options, and I’m not familiar with all of the technical geographic terms, but just by using the defaults, you can get pretty far and just get a map on your page.

The format, I’m going to change this to degrees, minutes, seconds, just for fun. I’ll click update and then save. Now, if I go to my content page, using my Location Demo, that latitude and longitude that I entered is now displayed in degrees, minutes, and seconds. Geofield, just out of the box, will provide a way for you to enter in your geographic data and some options for displaying it. Now, how do we turn this into a map? Let’s go. We just added our new location, so we’ll need to now install Leaflet.

The instructions for installing Leaflet you can find on the project page on drupal.org, so I’m going to go there now. I’ll just use the documentation page. Just to give you an idea of how to navigate around the documentation for Leaflet, if you go to the project page for Leaflet on drupal.org/project/leaflet, you can find some basic information about the module. You can also find the recommended releases. You’ll notice that they’ve started developing a version for Drupal 8. This is also a great choice if you’re looking to scale up to Drupal 8. Build it out in Drupal 7 and then play around with the Drupal 8 version. There’s just a really good possibility that you’ll be able to more easily migrate to Drupal 8 when you want to, when you’re ready to, and when Drupal 8 is ready.

On this Leaflet project page, what we find is that there’s a link to this documentation, because this is pretty slim information; there’s not a lot here. There is the issue queue here, but if I go over to this documentation page, this is going to provide the meat of the information about this module. So, it provides integration with Leaflet and it lists out the supported extension modules that will extend the capabilities of Leaflet, and also some information about the required and recommended modules. So we’re going to need Libraries and CTools, and when we get to the Leaflet Views sub-module, which is included in the Leaflet project, we’ll also need Entity. Geofield is the preferred module for storing geographic data, like we’ve already mentioned, and there’s also some great integration possible with Address Field and Geocoder, which I go into in my video series. Also, there’s Views and Token support. Just out of the box, this is what you need; these are some of the required and recommended modules.

The first thing that we’ll need, if you’re familiar with Libraries at all, this is a way for you to integrate with a JavaScript library or other type of library. We would need to download that from the leafletjs.com page. So you could click on the Download navigation menu item, and you’ll want to download the latest stable version which, right now, is Leaflet 0.7.2. You want to download that to your sites/all/libraries folder. I’ve already downloaded this to sites/all/libraries, and when you download the zip file and expand it, you’ll want to rename the folder to just “Leaflet”. So it’ll have the version name and the numbers and everything. You want to rename that to Leaflet so that this leaflet.js file is at sites/all/libraries/Leaflet. You’ll need these other files as well, but that’s kind of your gauge, like “Did I do this right? Is it in the right place?” Well, it’s the path to leaflet.js: sites/all/libraries/Leaflet. I’ve got that already installed.

The next thing that I need to do is download and enable the Leaflet Drupal module and its dependencies. The Drupal module will integrate with - it’ll bring in the JavaScript library, it also provides the field formatter and the API, et cetera, and the Leaflet Views sub-module. So I’ve downloaded and enabled Leaflet on my Drupal site, I’ve installed leaflet.js to sites/all/libraries, and now I’m ready to make my first Leaflet map. What we’re going to do is, the Leaflet module provides a field formatter, so what that means is I can go into Manage Display on my content type and choose Leaflet from the formatting type on my content type. So I’m going to update the format to Leaflet and I’m going to choose a map. Let me go ahead and show you how that’s done. I’ll go ahead and go back to my site and I’ll navigate to Structure, Content types, and I’ll manage the display for my Location Demo. Now, here’s my field that I’ve added using that Geofield type. Right now, the format is latitude and longitude. Since I’ve enabled Leaflet, now I can choose Leaflet as the format of my data. So even though I’ve entered in a latitude and longitude, I want to display it as Leaflet. You’ll notice that right here, it says, “Leaflet map:” and it’s blank. We need to click on this gear and we need to select a map. Out of the box, one map is provided, OpenStreetMap Mapnik, so I need to select that. This is the one thing you need to do when you first start. To select the map, there are a number of other options that you can configure, but right now, let’s just see how this looks just by selecting a map. I’ll click update and then save. I’m going to go back to my content that I created. Now, instead of that degrees, minutes, seconds latitude and longitude, it’s displaying a marker on a map.
A map that functions using the controls, and you can see that down in the corner here, it tells me this is using Leaflet, and it tells me which map I’m using, which will come into play in a little bit when we install more maps.

I’m going to talk here. What if your Leaflet map didn’t display? This can happen, and there are a couple of tips that I want to give you for troubleshooting if your Leaflet map didn’t show up, if there is like a gray box, or something just didn’t happen correctly. There are a few things you could do. First, you can check the status report page to make sure Leaflet is installed correctly. How you do that is go to Reports, and Status report, and here is Leaflet right here. It says the version of Leaflet and that it’s installed correctly. If it was not installed correctly, this would be red. There would be a big red X icon right here and it would give you the error message. When I was first playing around with Leaflet, my map didn’t display properly and I had a big red X here. I looked in the issue queue for my error message, and there was an error message, the same error message, in the issue queue, but it had been resolved. The patch had been provided and I was using the fixed version, and so I couldn’t figure out what was going on. It ended up being that when I expanded my zip file, my leafletjs.zip that I downloaded from here, when I downloaded this and expanded it using Mavericks, using my Mac, it didn’t set the permissions correctly and my webserver couldn’t actually read these files. So I needed to change the permissions of that directory to 755, and then the webserver on my local machine was happy and it could actually read and execute the files in this folder. So there, it can be a permissions problem, it can be a bug. So I would say check the permissions of your sites/all/libraries/Leaflet folder, especially if you’re using your operating system’s UI to expand the files, and check the Leaflet issue queue if you’ve got an error that’s just persisting. You could always ask in there.

The other thing that I noticed is that if you’re not connected to the internet, like maybe you’re working on the plane or something - I don’t know, the tiles aren’t displaying. If you inspect the element, the map tile, you’ll notice that the OpenStreetMap tiles are externally hosted, so it’s calling an external site to actually display those images. They’re not locally hosted on your machine. I mean, that would be massive to host all of those tiles of the whole entire world in various zoom levels on your site. That would be crazy and not something that I want to do on my laptop. So you’d need to make sure that you’re connected to the internet. So those are some troubleshooting tips if your Leaflet map didn’t display. Using the field formatter in Manage Display isn’t the only way to display a map. Also, that map is only going to display the one point of the location we entered for that particular node. So what if you want a map of multiple locations? Well, we can use Views. So just like you use Views to create a list of your content, you can use Views to create maps using Leaflet. The first thing that we’ll need to do is enable the Leaflet Views module, and this is a sub-module that comes with the Leaflet project. You would just need to enable this sub-module, leaflet_views, or you can go into the module UI and enable it. You’ll need the Views UI enabled as well. If you don’t have Views already downloaded, you’ll need to do that and enable the Views UI. You also need to download the dependencies if you haven’t already, which are Views and Entity. Once you have all of that downloaded and enabled, we can create a new view. Let’s go ahead and do that. I’ll go over here to Structure, Views, and I’m going to add a new view. I’ll make this a map of all locations. I’m going to show content of type, and I’m going to use actually my Location content type that I’ve created previously because I’ve added some demo content to it already.
I’m going to use that, but you’ll want to use the content type that has your Geofield on it. I’m going to create a page of a map of all locations and kind of simplify the path here to just say “map”. Here’s the key area, the display format. Instead of an unformatted list, I can choose Leaflet Map because I have the Leaflet Views module displayed. I’ll go ahead and create a menu link to make this a little easier to navigate to. I’ll add that to the main menu and I’ll just change this link text to be “Map”. I need to continue and edit; we’re not quite done yet. So now we have an unsaved view, and we’re given the Leaflet Map settings. Just so you know, the preview isn’t going to work for you. How do you know what to do next? Well, if I click on the Settings link next to Leaflet Map, this will give me a clue. It says, “Please add at least one geofield to the view.” So now I know what to do. I can go to Fields, and if I open up my content type - I like to keep my content type’s Manage Fields tab open when I’m building a view so that I know for sure what fields I need to add. I need to add the field that is using the Geofield field type, and that’s my field_location. I’ll go back here and now I can add my field, and I’ll just do a search for location. I want to use the one that’s in my node Location content type, and now I’ve got two here and I’ll apply to all displays. All I need to do to this field is exclude it from the display. I don’t need to mess with anything else. I’m just going to check “Exclude From Display” and “Apply (all displays)”. Now, I have the location field, which is my Geofield, added to my view. Now, when I click on Settings, I’ve got some options. Hurrah. So the data source is my Geofield, and now I can choose, for the little pop-up window that’s going to show up when I click on my marker, I can choose a title field. So I’ll go ahead and just use my node Title field, and for the description content, there are a few options.
I can choose the title or the location, but a better option is to use this node entity, so the angle bracket node entity. Then you can choose a view mode, so you can then use your teaser, or if you’ve got another custom view mode that you want to use, that you’ve – this isn’t quite configured for this display, then you could use that. I’m going to use the teaser there. What this is going to do is it’s going to display the teaser in the description area of the pop-up window, and I’ll show you that in a moment. We’ve got the rest of our settings that we had on our field formatter when we managed the display of this field in the content type section, so the same settings are applying here. I can choose my map. The nice thing about this one is that the map is already selected by default. Now I’ll click “Apply (all displays)”. Now, I’ve got my Leaflet map; I have no idea if it works yet. As soon as we’ve added it as a path, we’ve added a path to map. I’m going to save that and I’m going to go home, and I’ve got a nice menu item here. Now, I can see my map of all locations. So this is displaying the three nodes that I’ve created using that content type, and I’ve got a map of multiple locations. So you can see that with Leaflet out of the box and the Leaflet Views module, you can display a map using one location, using the field formatter. If that’s all you need, then it’s super easy to do. You can see that it’s also really straightforward to create a map with Views of multiple locations.

You could also add exposed filters to your views and add some different interactivity. So if you had taxonomy fields on your content type and you wanted to enable your users to filter by those, just use that knowledge that you have about Views and what kind of functionality and UI you want to provide to your users, and think about what you want to provide for your map, and you can add that to your view and have that interactivity. So it will filter the markers just like it would filter a list. So just think in terms of, instead of a list of teasers, you’re getting a group of map markers. It’s really cool to be able to create a map of multiple locations using Views because many of us are really familiar with Views; we’re comfortable with it, we know how to make lists of content, we know how to add relationships and exposed filters and that sort of thing. So, to be able to create a map using Views, we’re familiar with that UI, so it makes it a little more straightforward, especially if you actually are familiar with Views.

So what other things can you do to your Leaflet Map? One of the things you can do, is you can replace that little blue marker with an image of your choice. If you browse around the internet, you’ll find there are quite a number of free libraries of marker images if you’re no good with drawing on the computer - and I’m no good at drawing on the computer. There are plenty of options out there for marker images. You’d just want to make sure it’s appropriately sized. Then we’ll update the point icon in the Leaflet Map settings. What I’ve decided to do is I want to change the map marker from the blue marker to the druplicon icon. So I’ve saved in my sites/default/files and I created a new folder called “map_icon” and I’ve saved this little druplicon_marker.png. I downloaded that from Drupal.org and you can see it’s just this tiny little druplicon marker here. What I need to do is go back to my site. First, I will change it on one of these nodes here that I’ve created, so I’ll use the field formatter. I’m going to go into structure, content types and I will view - I can’t remember which content I’ve created. [Laughter] I’ll just manage the display of this one, how about this? I need to go into Manage Display and for my Location Field, I need to click the gears here and now we can find the settings, so I’m going to expand the Point Icon. I’ve got a couple of different options here and I’m going to demonstrate the Icon File Option. So all I need to do is provide a URL to the path to my image. I’m going to go into Terminal here and I think it’s in this directory. I’m just going to copy. I’ve got it saved in sites/default/files/map_icons. I’m going to include this initial slash. I noticed that if I don’t do that, it doesn’t work so good. So I’m making an absolute path and I’m going to copy my file name because I keep misspelling druplicon and I don’t want to do that. 
So now I’ve got an initial slash and I’ve got the path to my PNG file that I’ve re-sized down from the druplicon logo that’s provided on Drupal.org. I’ve got it sized down and there are other options I can do, but I’m just going to keep the default and click “Update” and “Save”. I’m going to load up a location node and now instead of that blue marker, I’ve got the druplicon as my marker. Now, if I want to do this on my view, it’s basically the same process. I’m going to go ahead and copy that path and file name so I have it in my clipboard. I’m going to copy this, I’m going to go back home and click on the map. If I hover over my map here which is actually a view, I’ll get my gear. If I’m logged in, then I can edit my view from there. Under Format and Leaflet Map, I’m going to click “Settings” and then a very familiar-looking settings, I’ll just expand the point icon and I’m going to make sure that Icon File is selected as my icon source. Then I’ll paste in that path into the icon URL which is the path to my marker image and I’ll Apply (all displays). Now, if I save this view, instead of the blue markers, I’ve got the druplicon as my marker. So that’s how you can add a custom marker and you can change the icon of your marker using Leaflet in a very basic way. There are other options there, but that’s the most straightforward and basic way to change that marker image.

Moderator: What else can you do? [Pause]

Amber Matz: You can add more maps. So there is a great module out there called Leaflet More Maps and that’s at drupal.org/project/leaflet_more_maps. It is the greatest module name ever because it does exactly what it says it does. It provides more maps for Leaflet and it provides over 20 different maps from a variety of providers. OpenStreetMap, Esri, even Google Maps are in here. So, Bing, MapBox, Stamen, MapQuest, and a bunch of different ones. So you can see the licensing terms which, this is the main reason for changing out the map. It’s if these terms of service and licensing don’t fit with what needs to happen on your website, then it’s good you have a choice here and you can find a map with a licensing term that works for your organization, it doesn’t conflict with what you need to do. I need to enable Leaflet More Maps. So I’ll type “drush en leaflet_more_maps” and now Leaflet More Maps is enabled on my site. So I’m going to go back to my structure here and my content type and I’m going to go back into the Manage Display and back into the gear settings to find my Leaflet settings. Now, when I drop down this Leaflet Map Setting, I get a list of a bunch of new maps. What you’ll notice is that you’ve got the name of the map and then right next to it, it shows the zoom setting. So these maps are a series of tiles that render at different zoom levels. Not all maps will provide all the zoom levels so like Esri Ocean, its zoom level is zero to ten. Most of them are going to be zero to eighteen but you can see that there are some slight differences so you want to just keep that in mind. So if I choose the Stamen Watercolor map and click Update and save, and if I go to a location node, now, instead of the OpenStreetMap, I have this very interesting and lovely watercolor map displaying. You can see here’s the tile Copyright Information. Not only can you tell visually but you can tell in the Copyright Information and you can go to the terms of service there. 
So that’s how you would change on your field formatter and it’s the same process on your view. So we go into the view, we edit the setting, and now we can choose a map. So I could choose just like a Google Road Map and apply all the settings. Now, I’ve got a Google Map, a Google Road Map instead of my OpenStreetMap on my view. So you can have a different set of settings for your view and your nodes. So those are two sets of settings, if you change one, it’s not going to change the other. So if you’ve got both things going on, you need to change it in both places. Excuse me. That’s how you would add more maps.

Another thing that you can do and that I’ve kind of alluded to already is that you can change the zoom settings. Zoom settings are - alright, what happens here when you hit the plus and minus sign? You can set the initial zoom level. So maybe your website is targeting people who are not familiar with where Austin is so you want to give them a little bit more of a context. So maybe you want your initial zoom level to be something like this. “Yes, I recognize the United States. I can see that Austin is in the state of Texas, in the southeast area of Texas.” So maybe you want to set your zoom level to be a little more zoomed out to give people a little bit more context. If your audience was just a bunch of locals and people who are like in downtown Austin and they already know where they are at, maybe you want your initial zoom level to be really close and a detailed view where you can see, “Okay, it’s on this side of the river. It’s near the downtown area and it’s west of the 35 and so forth.” So you want to consider your audience and what you’re trying to communicate with your map when you set your zoom level. You also want to consider which map you’re using and what zoom levels are available on your map. So for example, if I go back to my view here and go into settings, I can see that the Google Map has all the zoom levels from 0 to 18, but if I chose something else like – I don’t know. How about this? No, I’ll just choose this MapBox Warden one. It has a zoom level to 18 so then I can go into my zoom level. You’ll want to adjust the zoom level to match what’s available for this map and you can use the map-defined settings if you just don’t want to mess with the numbers of it and it’ll just use the default that is included with that map but if you want to customize it, the lower number means it’s far away and the higher the number, the more zoomed in it is. 
So if I wanted to do a real zoomed in map, I could choose like 12 as my initial zoom level for when that page first loads. Then I like to just set the map-defined settings here but you could constrain this if you wanted. Let’s just make it 16. So now, we’re within our zoom levels here. That’s the one thing you want to keep in mind so that you’re not shooting yourself in the foot there, make sure you’re within the parameters that are provided for your map. Then you need to Apply (all displays) and save your view. Now, we’ve got our initial zoom level and it only lets you zoom in and zoom out to the levels you defined in your setting. That’s how you can very simply change some settings and customize your map, just using the out of the box settings for Leaflet. The other thing that you can do is you can use tokens in your pop up text. So this is especially useful if you’re not using views.

Let’s go load up one of these nodes here that’s using our location content type. So right now, when I click on this marker, nothing happens, there are no pop-ups enabled like there were in Views. You could see that with Views, you could really control that a lot better but you can do some basic formatting here on that pop-up text and how you do that is you go to Structure, Content Types, back into Manage Display and I’m going to go back into my settings here and there are two things you need to do. First, you need to enable the Token Module so that you actually have some Tokens here, and the second thing you need to do is you need to enable the pop-up. So it wasn’t even enabled at first. You can enter in some static text or you can enter in a token. So I’ll go ahead and expand this node field set and I’m going to look for the title of my node. So here it is, I’m going to copy this token including the square brackets so the whole thing here. I can either copy and paste it or if my cursor is in this pop-up text, I can just click it and it will populate the pop-up text. So now I’ve got my token for the title of my piece of content in the pop-up text. I’ll click update and save. Now, if I go to one of these nodes and click on my marker, I’ve got a pop-up text that has the title of the node. You can see that this marker pointer is kind of off [Laughter] so the thing that you can do is you can adjust the XY location of that marker by going into your settings again and this point icon, you can say where the pop-up anchor is so you could change, you could mess around with the XY location to try and get that pop-up anchor a little closer to the actual marker so it’s not covering it up. So that’s how you would do that. That’s where you would need to adjust this pop-up anchor point.

Alright, so that is my big “tada”. That is a basic overview of what you can do just out of the box of Leaflet to get a Leaflet Map on your Drupal Site. You can use Leaflet to display a map of one location using just the field formatter in the Manage Display setting or you can enable the Leaflet Views Module and create a map of many locations. If you want to find out more about what you can do with Leaflet and mapping on your Drupal Site, check out my video series available on Drupalize.Me and it’s an extended and a little bit more in-depth version of this presentation. The first three videos are now available. You can also go to lb.cn/aquia-leaflets. This is a special page just for attendees of this webinar. You can find the slides linked to some of the resources that I mentioned in this webinar and some other information that you may find useful and interesting. I think I will send it back to Hannah and see if there are any questions.

Moderator: Yes, great. We had a couple of questions come in. The first one is, “Is there a complete programming for integrating a picture album or a picture GPS information? Can you implement on top of Google Earth KMZ files?”

Amber Matz: Some of these questions, I’m not too sure about.

Moderator: Okay.

Amber Matz: Yes. The Google Earth, I’m not sure about that if that’s included in the Leaflet More Maps. Let me just top this down. The Google versions are the High Res road and terrain, the High Grid, the Road map, and the satellite. I’m just looking at this. It doesn’t look like Google Earth is selected. The question about the KMZ files, if I edit, if I look at the format here, it doesn’t – Look, I have seen support for it, and I just can’t remember off the top of my head what is supported with that. I have seen this around but I don’t know right now off the top of my head.

Moderator: No worries. We can all get questions answered after the fact and I can send you over the ones that weren’t answered. We can get somebody to answer them.

Amber Matz: Totally, yes.

Moderator: The next question is: Can you populate the map with dynamic icons? Could I have a classroom icon that could be programmatically placed on top of the map for the user?

Amber Matz: In terms of dynamic icons, there are a few different things that you can do. One of them is that if you’d go into the display settings here, if you look at the point icon, there’s also this icon source of field and you can actually set a class and you can have your markers be pure CSS and you can control the display of those markers using style sheets. The other module that I wanted to mention is the IP Geolocation Views and Maps and that module lets you, in the view UI, it lets you choose a differentiating marker so if you have a taxonomy field on your content type, you can say, “I want this term to be a purple marker and this term to be a yellow marker.” It provides some default markers but you can swap those markers out for whatever you want. So there are some UI options available, there are some CSS options available and I would recommend looking into the IP Geolocation Views and Maps just to poke around, just to have a UI to play around with, but Google is going to be your friend there as far as other dynamic options for markers.

Moderator: Awesome. The next question is, “Are the maps responsive?”

Amber Matz: The mapping interface is usable on a phone so you can tap on it and it will do things for you. Whether or not it’s responsive or not, you would need to implement that in your style sheet.

Moderator: Awesome, thank you. What about driving directions? Does the user get driving directions to a location through their typical method on a phone browser with a click through?

Amber Matz: The typical method is using the Google Maps API and that I did not look into with Leaflet. This is probably something that would require a little bit more advanced knowledge of Leaflet which – and I didn’t look into driving directions specifically. So there are several APIs that will let you use their data to do driving directions and I’m sure like Bing and Google are two of those. So yes. I’m not sure about that with Leaflet. I’ll look into that, though.

Moderator: Awesome. Are these maps local or stored on the web server?

Amber Matz: No, they are not. They’re all externally hosted and if you have a need to host these yourself and for big mapping applications, there is that need sometimes. There are other services out there that provide hosting for map tiles like MapBox, I believe. The reason for that is that you’re talking about millions of images because it’s these tiled images that are there for each zoom level and sometimes there are 18 or 19 zoom levels. So, it’s really a big deal to host those images and not something you would want to take lightly or necessarily put on your local machine. I don’t even know if it would be feasible. So these Leaflet map tiles and the ones provided in Leaflet More Maps are all externally hosted.

Moderator: Alright, the next question is, “Do we pay anything for using the Leaflet API?”

Amber Matz: No, it’s all free. Also, you don’t have to do any kind of special sign up with the Google API to use the Google Map. So in other modules like Location Module, you have to enter in your Google API key, you don’t need to do that with Leaflet. If you want, you can use Leaflet and you could display Google Map and you don’t have to enter in your API key anymore.

Moderator: Awesome. The next question is, “Can you use multiple markers for different locations? For example, have one marker for use in Alabama and another one for Texas?”

Amber Matz: I suppose you could. You would probably need to use a taxonomy for that or some other differentiator. Again, I would suggest looking into IP Geolocation or IP Geolocation Views and Maps to see. You could probably set the differentiator by your state. So let’s say you’ve got a field that is State and you could possibly set it up that way, you could set it up on individual nodes. It doesn’t really make sense to set a marker for each node. If you get any number of nodes, that would just be crazy to manage. Again, I would refer you to that IP Geolocation Views and Maps Module.

Moderator: Okay, the next question is, “How do you set up a field to show a ‘You Are Here Marker’?”

Amber Matz: You would need to enable the HTML5 Geolocation. So when we set up the initial fields here, if I manage my Geofield, I’m going to edit this. If I check this box, this is where I imagine this could take place. So the HTML5 Geolocation, it gives the browser access to your location, it’s the user-granted permission. That’s how you could say this is where you are, because you would set the default value to that location. I haven’t played around with this too much so this is my best guess, but that’s where you could get that information from the user.

Moderator: Alright, the next question is, “When several users are uploading nodes linked to maps, is it possible to show on a single map nation or state-wide range all user markers uploaded?”

Amber Matz: Yes, you would just need to use Views for that. Though I’m not sure about your specific implementation, but Views would be your friend on that.

Moderator: Okay, awesome. Can you tell how it’s possible, you can display a route on a map, walking, running, biking route? The route existing out of multiple Geolocation points?

Amber Matz: Again, that’s something that’s been developed by some of these other APIs like Google Maps and my knowledge of mapping isn’t advanced enough to really be able to answer that question so I don’t know.

Moderator: Okay. Alright. The last question is, “How do you define the X and Y to get the right on place?”

Amber Matz: That’s a great question. What you need to do is open your file in Photoshop or some program that will show you where the X and Y point is of your cursor when you hover over the image. I open it in Photoshop and I open the info panel, and the navigator panel, and when I hover over the graphic, it shows me the X and Y coordinates. So then you could say, “Okay, the X coordinate is 14 and the Y coordinate is 17,” and then that’s what I would enter into my X and Y version. That kind of gives you a jumping off point, otherwise, you’re just guessing. So that would be my suggestion for that.

Moderator: Great. We had one last question just trickle in. Why would you choose Leaflet over Google Maps integration or the GMap Module?

Amber Matz: The GMap, let’s go back to this comparison chart here. The reason why I would choose GMap and the Location Module is if I had a Drupal 6 site that was using GMap and Location and I wanted to migrate to Drupal 7. It’s going to be hard enough to write that migration of all those location tables and I want to retain some sanity and feasibility and not blow my budget, so I’m going to just stick with GMap and Location. However, that’s almost entirely true because you could use IP Geolocation Views and Maps because it does support Location as the storage module. Now, using Leaflet and Geofield, with Leaflet, you can display a Google Map using Leaflet. It’s a lighter weight module, the file is going to be smaller, it’s going to load quicker, it’s using Geofield as the location storage module which is very well-supported with these other modules and so it gives you an upgrade path. It doesn’t lock you in like GMap and Location would lock you in. Even though you’re not completely locked in because of this module but that would be my reason why. I think each case is going to be different, right? I like the flexibility and the support that Geofield has and even though you’re using – in this demonstration, I used the Leaflet Module. You can display Leaflet, you can use the Leaflet JavaScript library and some of these other modules like OpenLayers or IP Geolocation Views and Maps. So you can use the Leaflet JavaScript Library and these other modules. You can use Geofield in these other modules. If you’re just getting started with mapping, I’d recommend trying out Leaflet and Geofield because it’s a really easy ramp to get into mapping with Drupal.

Moderator: Alright, thank you so much Amber for answering all those questions. We’re running out of time so I can send over questions that weren’t answered to Amber and we can try to get some of them answered for you. Again, the slides and recording will be posted to our website in the next 24 hours and we’ll also e-mail you out a copy. Amber, would you like to end with anything else?

Amber Matz: No. Thank you all very much and I hope you enjoyed the presentation.

Moderator: Yes, thank you. Have a great afternoon, everyone.

- End of Recording -


Moderator: Today’s webinar: the Training Session on Best Practices for Drupal Security. I have my colleague, Ben Jeavons, on the line who is a Senior Software Engineer here at Acquia, Cash Williams who’s a Technical Consultant, and David Stoline who’s also a Technical Consultant. Thanks so much for taking time out of your day today to present to us.

Ben Jeavons: Thanks everybody for joining us today. Today we want to talk about Drupal Security. There are three sort of main categories that we’re going to be covering. Obviously Drupal and security are very large topics and we can only get into so much today. So we’re going to outline some of the vulnerabilities and risks that are popular and common on Drupal sites. As well as delving into understanding user input and how most attacks get started. Specifically we’ll talk about permissions and roles of Drupal sites and how you can evaluate the trust model of your Drupal site. We’ll also go into further tips and best practices regarding security by talking about backups, logs and strategies for managing quick deployments and staying up-to-date with your Drupal site.

What we hope to be some of the main goals that you get out of the training today are these three ideas. We’re going to talk a lot about user input and trust and the idea of that being the main risk on the web and the source for a lot of the vulnerabilities that occur. We’ll also talk about just this idea of staying up-to-date, how important that is for Drupal and for the rest of the software you’re running on your site. As part of all of these is this idea of defense in depth. In a sense building a castle-like structure where different strategies maintain security from first build of the site through ongoing maintenance.

Security is obviously very important and in lots of cases, it’s becoming even more so. So in the last year a data breach investigation study talked about how the importance of these cyber-attacks are very important for small businesses. So in this case 71% of the data breaches, as found in this study, occurred for businesses with less than 100 employees. This is something that not only affects small businesses but obviously large organizations and businesses. So a recent data breach at Target affected roughly 40 million debit and credit users that have purchased from Target. So this affects not only the small organizations but large organizations as well. As well as even affecting at a small level the software that they’re specifically running. The Heartbleed incident from last month was a huge vulnerability that affected roughly 66% of the internet due to a vulnerability that infested in the OpenSSL library used on a large amount of sites. So while it can affect individual businesses in the way that they’re affecting – they are going about their business goals, it also affects larger, very specific things and the applications being used on the internet. So the Heartbleed incident for instance might have allowed somebody to attack the actual encryption used when you communicate, for instance, with your bank or with your Drupal e-commerce site and the like.

As I said, we can only get into so much on this topic today. The good news is that DrupalCon Austin, we’re offering a full day, hands-on training as part of the DrupalCon Austin schedule of events. So on Monday, June 2nd we’ll do a full deep dive into the different vulnerabilities that we’ll just sort of talk about today. Vulnerabilities like cross-site scripting, SQL injection and access bypass. If you register before May 2nd this week, you can take $75.00 off the cost of the training. The profits on the training are split with the Drupal Association. So along with educating your site developers and builders and themers, you’re also helping to support the Drupal Association. You can find more about this training on the DrupalCon Austin site.

Let’s get started talking about some of the vulnerabilities and risks that exist on Drupal and in the web in general. So some of the data that we’re going to be showing has been compiled as part of a report on the state of Drupal Security. So what this report did was analyze the security advisories that are published by the Drupal Security Team. These security advisories highlight a bunch of the vulnerabilities that have been found in Drupal Core and stable contributed modules and themes on Drupal.org. So what this chart is showing right here is popularity of vulnerabilities. I won’t explain each individual vulnerability in detail but you can see that this classification of vulnerability, XSS or cross-site scripting, is one of the most popular vulnerabilities found in Drupal code. That is code that’s been published to Drupal.org. This gives us a sense that cross-site scripting as well as access bypass, cross-site request forgery, that’s the CSRF, are very popular vulnerabilities that exist in Drupal code. When we further differentiate these vulnerabilities by Drupal Core and contributed projects, those contributed projects such as modules and themes, we can see that again cross-site scripting is very popular but is more popular in contributed projects than in Drupal Core. Drupal Core just being the main download of the actual Drupal Project has had a lot of eyes that have reviewed that code. So it’s something that vulnerabilities have been discovered before this code has been published and that doesn’t require as many security fixes. Contributed modules though, there’s a wide variety of them. There’s tens of thousands of contributed modules and themes available on Drupal.org. Of those stable releases such as those not being developed or in a beta release, there have been a lot of vulnerabilities found. That’s just a matter of having fewer eyes on that code. 
As we know from the Heartbleed incident, even heavily used code can still have vulnerabilities but it’s a fact of the matter that having eyes on the code does result in more secure, better written code. We see this when we look at Drupal sites, actual Drupal installations that have been built by customers and are in use on the web. When reviewed by any sort of security auditor, so for instance WhiteHat Security team did a review. Acquia provides a service for reviewing Drupal sites. We find that most vulnerabilities are just in either the custom code that the site is running whether those are the modules or themes or actually in the configuration or practices in running that Drupal site. Oftentimes sites are also running out-of-date code. So those vulnerabilities that we saw just a moment ago, things like cross-site scripting and access bypass, those do exist. They exist most often, though, in custom code or as a result of insecure configuration.

So we’ll talk about some of the ways that you can configure securely and processes for maintaining up-to-date code and being sure that you’re not running vulnerable or insecure modules and sites. I should note that, outside of Drupal, cross-site scripting is a very common vulnerability as well. So it’s not just within Drupal. It’s in the larger web state that cross-site scripting is such an issue. This stat from WhiteHat Security is from their website security statistics report, which found a 66% likelihood that a website is vulnerable to cross-site scripting.

Let’s talk a little bit about what is at the heart of cross-site scripting and a lot of these other vulnerabilities. It’s all about the way that user input is used. So we’re going to say that user input is the root of all evil in the sense that a malicious user can manipulate the way that they provide data into a system to carry out some sort of attack whether that’s a cross-site scripting or other form of attack. So when thinking about user input, what does that mean in regards with Drupal? Lots of times that’s any place where a user can submit information. So for instance what pages have forms on your Drupal site? Whether these are places where a user can submit a piece of content like a blog post or maybe they can add a comment to existing pieces. Or maybe also they can submit some sort of web form entering in feedback or perhaps entering data as part of a shopping cart, e-commerce experience. These are all standard examples of user inputs on any site as well as nodes and comments particular to Drupal. There are lots of other properties the way that a user interacts with a website that allows them to submit information, that could be a part of the HTTP request such as a depth request of the parameters in the URL that they’re requesting or actually parts of the HTTP header information that’s being sent along as part of the request. Those are all used by the system to do certain things. If a malicious user passes along dangerous data, they might actually change something about the system and carry out some form of an attack.

So in a sense, this picture demonstrates what is happening clockwise when a user is interacting with a Drupal site. This is a standard Drupal installation site. We’ve got a user on the left using a browser, submitting information into Drupal at point one. Perhaps they’re adding a comment on a blog post or adding something to a shopping cart. That information is used by Drupal, stored in a database at point two. Then perhaps that user is wanting to see their comment posted or see that item in their shopping cart. So when Drupal renders that page back to them, it pulls out data out of the database in point three and renders that back at point four to the user so that it’s viewable in their web browser. So when we talk about user input we are referring to that point where a data is coming in at point one. Then different parts of the system need to make sure that it’s not being manipulated or insecurely used such as to open up a type of attack. To get into more detail on that, I’m going to pass it off to David to talk about the ideas of trust.

David Stoline: Thanks Ben. So who can you really trust? When I audit websites I see a lot of situations where maybe it’s just a simple intranet or maybe it’s an internal website where trust has been given kind of overtly to just anyone. Trust is really the, I guess, essence of web security and defense in depth. Trusting user input, it’s definitely not a good idea. So we get to – just make sure that when you’re making your Drupal site, you do audits of your roles and permissions so this makes sure that your users aren’t able to go out and do dangerous and malicious or potentially malicious things. Keeping your modules installed at a minimum. Modules definitely increase the surface area of your site leading to a potential - things can get missed, new permissions get added. Just even enforcing strong passwords everyone may have their quick ABC123 password but making sure that user doesn’t have access to very important things or even that user might be an admin. It’s just ensuring that these things are safe and secure. So this really brings up the principle of least privilege. Giving users the ability and access to do exactly what they’re required to do. So on some sites, that just might mean logging in to your e-commerce site, adding something to your cart and purchasing, on other sites that might mean no access for an authenticated user. On some other sites it might mean your administrators have access to do everything but in a very specific and controlled way that you’re able to basically audit and keep an eye on so that they’re – you can ensure that they’re only allowed to do what you actually want them to do.

Here are a couple of examples of kind of the core, very important and kind of risky permissions to give to your general users. So this is obviously administering permissions, administering users, administering filters. So filters are how Drupal will output text in a sanitized manner to the web. So those are definitely a place to watch out for. There’s also the content type permissions and site configuration, but there’s also several contributed modules that just about every Drupal site has installed. So that’s Views, that’s CTools, and inside of those there are some rather important permissions to kind of keep yourself informed of and be aware of and kind of monitor those things on an ongoing basis. The kind of final tenet of trust is ensuring people have strong passwords. It says administrators here but I really think it’s people in general. Administrators obviously have more access to do anything to the website, but more often when attacks do happen, they happen because a malicious user is finding one vulnerability and then using several other vulnerabilities to either do something or do something more malicious by getting further access to the websites through bad passwords or what have you. You can look to breaches on say, Adobe or Sony or even on Drupal.org to kind of exacerbate that issue.

So let’s talk about best practices and what we can do. Kind of the most important thing you can do is just stay informed. Drupal.org has pretty advanced policies for dealing with security releases. Generally that’s every Wednesday. Actually Ben, Cash, and I are all on the security team so we are kept abreast and involved in these issues and work to get the schedules out or the releases out. Your install of Drupal has a built-in check for updates. So if your site is regularly checking for updates and configured properly to check for updates, you’ll see that your modules are out-of-date or there has been a security release. You should stay on top of those and make that a regular part of your release cycle. There are two Twitter accounts. So you can follow @drupalcore and @drupalsecurity to follow release announcements. There’s also a mailing list that you can subscribe to that will send out the same security advisories that you’ll see on @drupalsecurity. When these releases do come out, it’s really important that they be applied to your site and tested in a manner that fits with your organization’s workflow.

So the update process, what does that look like? At Acquia we provide three tiers of protection basically for testing changes to your site. So when an update comes out, you don’t have to just go and directly apply it to your production site and kind of hope that it doesn’t break everything, or I’m sure that your change control process people are not going to look forward to having some downtime on your site. So we suggest definitely running updates in Dev or Stage and then vetting them and then applying them to your Production Tier. Drupal makes this really easy to do through Drush. If you’re not familiar with Drush, please Google it. It’ll save you a ton of time. So once you’ve committed your changes with a version control system, and hopefully you are using a version control system, you are able to run updates, then you can do your vetting and testing and really quickly and easily deploy it with your version control system. With that I’m going to hand it over to Cash.

Cash Williams: Awesome, thanks guys. So we’re going to shift gears ever so slightly here and kind of talk about maybe not as Drupal specific but just best practices in general. This is probably I assume where a lot of people’s eyes would be rolling, right. We all know we need to make backups. However, backups are just the first step. David and I are both security consultants and we work with customers quite a bit. So a lot of what I’m going to talk about is driven from actually seeing customers run into these problems firsthand. So I think this is a quote and if it is, I don’t know where it came from but I use it often. Not just with respect to backups but with anything really: if it isn’t tested then it doesn’t work. So it’s one thing to say, “Yes, we make backups. We have daily backups.” It’s another thing to say, “We actually know how those backups work. We know that they do work and the process of restoring a backup is easy.” So if we go back to say the Target incident, a data breach isn’t necessarily the type of attack that we’re talking about here. This is more if someone deletes your database through a SQL injection or defaces your website, how quickly can you get that problem corrected? So backups can kind of be our “Get out of jail free” card in this case, right? In order to use this as our “Get out of jail free” card we have to ensure that the process end to end is both tested and documented.

So a question that I’d like to ask clients is, how complicated is the process of restoring a database? It’s a multi-step process that has a lot of moving parts, and the real world of it happens where, let’s say that your website is defaced and you’re under pressure or multiple people are moving quickly to try and get the website back up. It’s easy to make mistakes, right? So if possible, it’s best to automate as many things as you can. If running your restore is a simple click of a button versus some 10-step process, it’s going to be much more successful. The next question is: is everything documented? If Bob is your DBA and he knows how to do a restore right off the top of his head, what happens when he goes on vacation? You have to make sure that anyone that may be filling in for a position can easily step in, find the documentation as needed, perform a backup and know which backup to restore and how to do the process. Another thing that I run into a lot of times is there can be some technical barriers to performing this. So if someone knows how to perform the process but doesn’t actually have the account or the credentials to do so, or can’t find the login, can’t get access to the backups if they could, all these things have to be fully documented and have a plan in place to be able to perform this. Then just going back to the testing nature of it, this should really be tested regularly. I think it came out a couple of years ago, Netflix shared with us that they have a process running in their data centers called, I believe, Chaos Monkey. What Chaos Monkey does is run around on their data centers and break things on purpose, right? So if anybody is developing any piece of a system, they know that Chaos Monkey could break it at any point. This kind of holds developers and system administrators accountable to know that all their systems have to be tested.

So another common way to refer to this is a fire drill. So it’s important to run a fire drill every now and then and actually test the restore. See what it looks like. Then the next point is how long can this take, and the only way to know is by testing it. If your site is defaced and a manager walks in and says, “How long is it going to take to get this back up?” it’d be great to have a very specific answer and say, “In 15 minutes, the site will be restored and we’ll be back where we were yesterday morning.” The other piece of this is logs. Again, going back to kind of what I’ve seen firsthand, a lot of sites actually don’t have logging enabled because at one point someone declared that it may be a performance impact if the site’s logging too many things. So maybe they unchecked the database log that comes in Drupal but forgot to enable the system log that comes with Drupal, or they just turned them off completely because production ran faster without them. So without logs you can actually get access and see what your system was doing at any given time. The other issue is a lot of times a site will have a lot of warnings. This is because it’s either developed poorly or misconfigured to be a little too verbose in the logs. There’s actually so much noise in the logs that it’s not very useful. If something does happen, or even if you’re just trying to debug something, and the process looks like – well let me go manually find the logs from two days ago and download an 80 Megabyte zip file and then I’ll need to map out all of these warnings so that I can even see what I’m looking at. Now I can try to find the timestamps for – this is already just way too busy and it’s not very effective. So it’s important to fix all of the errors and warnings and make sure that your logs contain what you need to know and only what you need to know. A good way to do this too is aggregating used systems. If you have multiple web servers, it doesn’t make sense for each of them to have their own log. They should be aggregated across all the web servers so that you can really see what an attack looks like as a whole against your site, not just specific servers.

So hopefully this kind of rings a bell in some people’s minds, especially in America. I don’t know what our demographic of the audience looks like but there’s a public service announcement that used to go out at 10:00 PM and it said, “It’s 10:00 PM, do you know where your children are?” I found it kind of laughable that we think we need a TV or public service announcement to remind us to look for our children but I have to figure that they did it for a reason. So in this case, “It’s 10:00 PM, do you know where your data is?” or are for the mean there? The reason I ask is sensitive data can be littered across your system both in the code and in the database. So it’s important to track and know where all of it lives. So again, back to questions I like to ask clients is: do you have a list? Do you know where all of your data is? You should ensure that it’s not in the repo, right, because a lot of people say, “Okay. Well our repo is hosted on GitHub. It’s a private repo. It’s protected. We feel like it’s safe to store sensitive data there.” Examples of this could be API keys, system settings, usernames, and passwords. So the problem here is if a year from now, you bring on and hire a consultant such as myself to come and audit your site and you just hand over repo access. So there could be the chance that your repo has hard coded API keys. It could also be the chance that you realize this and sort of remove them, but are they still in the history? If I did a checkout and backed up to three years ago would I find valid sensitive data that’s still in there? I’ve heard of a couple of use cases where this happened where, I think it was something like a test needed to log in as user number one or the administrative user. The username and password was hard coded into the test and it was available in the repo. The other side of this is what’s not in the repo will be put in the database. It’s very important that all non-production systems be sanitized. Typically non-production systems like Dev and Stage are held to a much lower security standard because they’re not production, right? As well as - well you know, something a lot of people think about is developers’ laptops. The typical onsite, onboarding process for a consultant is you get access to the repo, you download that and then you get a copy of the databases and you can spin the site up locally. More than once I’ve looked through my local database and realized that I had some very sensitive client data that A, I don’t want to have and B, the client probably doesn’t want me to have. So the things to think about are, if I chose to be malicious and leak this data, or if I didn’t do a proper job of securing my own personal laptop, or let’s say that it got stolen at the airport, what does that mean to the client as far as where their sensitive data goes. So another thing I like to say is what if I leaked your production database today? How big of a deal would that be? One of the ways to protect against this is encryption. So if anything is in production that you don’t want to be known publicly, you should encrypt it. Drupal offers a couple of different contrib modules to encrypt data fields, user input and these kinds of things. So when we look at this as a whole, this means that we could encrypt the data but the API key should not be in the repo, nor should it be in the database. So you have to think of these things as multiple levels, and this comes back to the defense in depth that we’ve kind of touched on earlier, but it’s just the whole picture of where all your data is and where it lives.

So that about wraps it up for this, just to kind of recover the principles that we’re kind of touching on today. Don’t trust user input, and think of user input as anything coming from the user, not just a simple field or form they can fill in. How to stay up-to-date? It’s important to stay up-to-date. The different ways that Drupal offers users to know what’s going on, in the contrib and core space, as well as defense in depth and best practices to keep up with those. So here’s just a few links and resources, if you want to look into and do more research on them. Ben mentioned the Drupal Security Report and that’s at drupalsecurityreport.com. Drupal.org has quite a few resources available and here’s just a few: drupal.org/developing/best-practices specifically calls out best practices when you’re creating custom code, drupal.org/security/secure-configuration calls out best practices when you’re configuring and site-building your site and again, drupal.org/writing-secure-code is another reference for how to write secure code when you’re creating modules.

Just to kind of set a reminder, the three of us will be providing hands-on training at DrupalCon in I think about a month, June 2nd. If you register by May 2nd, which is, I believe, this Friday, I don’t know my dates very well, you can save $75.00. Great, thanks. Our contact information is up here and I think I’ll hand it back to Hanna so we can open up for some questions.

Ben Jeavons: Thanks, Cash. While we get ready to take questions, I just want to demo really quick a module that helps do some automated configuration analysis. So it gets a little bit further than what we talked about today and it’s recommended as a part of your process for securing your site. So the Security Review module is a module that’s available on Drupal.org that provides automated configuration analysis of several of the things on your Drupal site. So here we’re looking at the page showing the results and it’s a quick process to run the checklist. The checklist checks a number of different things in Drupal Core and some of the popular contributed modules. So for instance, one of the things we talked about was user input. The Security Review module will look and see if there are dangerous tags in any of the submitted content of your Drupal site. So for instance, here I have an article that contains JavaScript that the Security Review module is flagging as potentially malicious. This is a local development Drupal of mine for testing. So in this case, I explicitly put in this JavaScript. We can also see some of the other checks that this module provides. For instance, when we talked about admin permissions, the Security Review module also checks whether any of those administrative or secure permissions have been granted to untrusted users. You can configure on your site what type of user is trusted or not, whether that’s anonymous users or if visitors can sign up for accounts in your site. So for instance on my local development site here, I have given the anonymous user the permission to access development information, which is a permission via a contributed module but is not recommended for untrusted user use. This module is available on drupal.org/projects/security_review.

Moderator: Awesome. I know you had some questions come in. So we can start taking those now. If you have any additional questions, please ask them in the Q&A section. [Pause] The first question is: when these updates come out, I never know what to test to check for things that might have been broken by an update. Can these sorts of suggestions be added to bug reports?

Ben Jeavons: Thanks for that question. So when security updates are put out for Drupal Core or contributed modules, yes, they often point to specific vulnerabilities, but it’s not clear exactly where those vulnerabilities happen and what effects those vulnerabilities might have on your site. So could that information be added to the bug report is the question. That information can be added to some extent, but it often really depends on how your website is built to decide in which cases that vulnerability might apply or that vulnerability might be exploitable. So for something like Drupal Core, oftentimes that functionality that might have a security issue is pretty commonplace. So that might be, for instance, file uploads there that previously were not there in a Drupal Security Core release. There is an issue where file uploads could be exploited depending on certain, I think, Apache versions. So if you didn’t have file uploads, you’re probably not vulnerable to that attack. In cases of the security advisories for contributed modules, it gets a lot more difficult to recommend very specific ways or very specific things that you need to do to check. So my recommendation, at least to start for now, is to think about what are the main goals of your site. What are the business goals of your site, and to document those goals and specifically how those goals are accomplishable on your Drupal site? So for instance if you have an e-commerce site, obviously you would like to make sales possible. You would like to allow users to purchase products and complete a successful transaction. So you might document that process, and then when a security update for Drupal Commerce or for Drupal Core or other modules involved in that process comes out, you can just step through that process, your goal, and make sure that it’s still achievable. Furthermore, you can then adapt that into an actual automated test through things like Selenium or other forms of automated behavioral testing. Then as for just the general idea of can it be added to the bug report? It can, yes, but that would be a process that I’d recommend going through the Drupal.org webmasters process for getting that potentially added to the security report. Thank you.

Moderator: Awesome. The next question is, what is Acquia’s recommendation for PHP version for Drupal 7? Drupal.org currently recommends PHP 5.3. However, it’s reaching the end of life and security fixes will end in July 2014.

Ben Jeavons: Sure. Thank you for that question. So I think as offering this forward, there’ll be some continued support for the currently supported versions of Drupal, so for instance PHP 5.2. So our recommendation going forward is to stay with the supported versions of PHP, so for instance 5.3, 5.4 and beyond.

Moderator: Awesome, alright. The next question is, are there any recommended automated tools to parse accounts newly created also that can parse from non-strong?

David Stoline: Yes, there are a couple of great modules for doing exactly that kind of thing. So on automated tools to parse new accounts, my first thought there is the Mollom module. What that does is it’ll check the text that a user enters for kind of known spam vectors and can either deny that account being created or put it into a moderation queue. On the parsing for non-strong passwords, there are several modules actually, and we recommend the Password Policy module, which allows an administrator to basically configure length requirements and special character requirements and even history requirements around what passwords get configured by the users. So you can’t just go in and put like asdf or password or qwerty or kind of any of those low value, weak passwords.

Moderator: Awesome. The next question is, can passwords be moved to a separate database from the main Drupal database?

Cash Williams: I don’t know if Ben or David know of a way to do it specifically for Drupal, but Drupal accounts can definitely be created and stored in other places. A lot of Enterprise clients have LDAP servers or Active Directory servers that are set up and so the passwords are stored there. More social media facing sites actually use external authentication, either through Janrain or directly through things like Facebook Connect or Google Authenticator. So in these cases the passwords aren’t even ever in Drupal.

Moderator: Great.

Ben Jeavons: I would follow that up just by asking under what conditions you would want to move the passwords out of Drupal, because instead of separating that, you could just further increase the security of the encryption of those passwords. That’s part of this idea of defense in depth. So with Drupal 7, passwords are repeatedly hashed and stored much more securely than in Drupal 6. Going forward you can actually change the encryption mechanism and also some of the other details around the way the passwords are still unencrypted, which certainly allows for that risk if something like a database was extracted from your Drupal site.

Moderator: Great. The next question is, are you aware of a module to provide Drupal’s install with two factor authentication?

Cash Williams: Ben, do you want to take that one?

Ben Jeavons: Sure, thanks Cash. So very recently I did work on a new two factor authentication module which aims to support a variety of different two factor authentication mechanisms. So for a while there have been some Drupal modules that provide very specific two factor authentication support, such as support with Google Authenticator, which is a two factor authentication service very similar to Duo. So those all exist currently as individual features. Now there is a TFA module which works to fully support Drupal authentication and is well tested and will support individual plug-ins for that variety of services, such as SMS delivery for instance or a TOTP type code like Google Authenticator, and that’s on drupal.org/project/TFA. Thank you.

Moderator: Awesome. The next question is, do you have any examples of contributed modules that facilitate encryption?

David Stoline: There are two primary sort of leading modules. The AES module specifically allows for using AES encryption, as well as the Encrypt module, which is more of a plug-in style and allows for a couple of different options. I publicly put the link there. It’s kind of obscure but it’s on drupal.org. There is a comparison of the two modules. I can post it in the primary chat as well.

Moderator: Awesome. The next question is, is it secure to use Pressflow instead of Drupal Core?

David Stoline: So for those of you who don’t know what Pressflow is, Pressflow is a Drupal 6 – I think it’s a spoon, not a fork. So it’s a very focused distribution of Drupal that is really around performance and scalability for Drupal 6. So on the security of Drupal Pressflow, really it is secure. It doesn’t have a formal process that drupal.org has around security releases. So there is a little lag time between when a Drupal 6 security release happens and when Pressflow will pick it up, I’ve noticed in my experience. So that is maybe a thing to be careful with: when a core release comes out, maybe attempt to patch core yourself. So patching your Pressflow installation yourself, or even providing a patch that the community can use and vet on Pressflow’s GitHub page, would definitely be helpful.

Moderator: Great. The last question is, are there any significant improvements to the security environment in Drupal 8?

Ben Jeavons: Yes, great question. So some of the improvements that I can think of off the top of my head, one of the biggest ones is the PHP Input Format module. That’s been removed. So in Drupal 6, actually prior to Drupal 8, all versions of Drupal shipped with a module that actually allowed the execution, only under certain configuration, of PHP code through the Drupal user interface, which certainly is a security risk. The reason that they did existing prior versions of Drupal was just that there were cases where in the development stages that was beneficial at times, but that’s now been removed from Drupal Core. That’s a great one, and a secondary one, a security improvement in Drupal 8, is there is now cross-site request forgery token support actually built in to the Drupal menu system. So while we didn’t dive in to the vulnerability of cross-site request forgery, one of the ways to secure against it is the use of tokens. In prior versions of Drupal that happened to be an issue in some cases. So now Drupal 8 has better built-in support for that specific case, for cross-site request forgeries. David, Cash, I’m not sure if you have other recommendations that you’ve seen in Drupal 8?

Cash Williams: The only other ones – a large one I would say is switching from PHP template being the engine that renders our themes to the Twig engine. It’s much more locked down, if you will, and reduces specifically cross-sites – CSS, what does that stand for, or XSS – cross-site scripting, but also I’m sure reduces the cross-site request forgeries as well. I’m not super familiar with Twig. I haven’t gotten too deep into it, but I know it’s much less likely for a themer to accidentally open a vulnerability than it is to do in PHP template as it is today.

Moderator: Alright. A couple of other questions trickled in: what backup systems are out there for easy recovery, especially if the database is MySQL?

David Stoline: So I can take that one. There’s actually a lot, and I’ve used at least several of the toolsets that are out there. One that’s really simple that I really like is just to kind of do it by yourself. So MySQL has a great MySQL dump command and it’s pretty trivial to set up like a daily cron job or an hourly cron job to just dump the database to some location on the file system or dump it to like an S3 bucket or something like that. There’s also kind of a script on top of that whole process called – I think it’s AutoMySQLBackup – which I’ve used to great success in the past too. It’s largely the same; it’s cron based. It’s basically dumping MySQL dumps to some place. So it’s great, but there’s a ton of products in this MySQL backup space. So it’s really just kind of a discovery process in what your organization is willing to do or willing to invest.

Cash Williams: I think it’d be great to mention as well, Acquia’s hosting comes with tools dedicated specifically to this process. So you get environments for Dev, Stage and Prod out of the box and all three have dedicated backups. Creating a new backup is just a click of a button, and restoring a previous backup is just a click of a button as well.

Moderator: Alright. I think that’s it for questions. I want to say a big thank you to Ben, Cash, and David for the wonderful presentation. Maybe you want to end with anything else?

David Stoline: I’ll just say don’t forget if you’re coming to Austin to sign up for our training. It’s a whole day of the three of us in a room together talking about Drupal Security. So if you are able to register this week you’ll save $75.00 on the cost of the training. So hopefully we’ll see you guys in Austin.

Moderator: Awesome. Thanks everyone for attending. We’ll send out slides and recording within the next 24 hours. Have a great afternoon.