The Challenge of Keeping Software Up to Date, and What Happens if You Don't
by Al Nugent
The public release of client records hacked from a Panamanian law firm’s web site has led to headline revelations that heads of state and public figures allegedly took advantage of Panama’s banking secrecy laws to hide their assets. According to a report published at Forbes.com, the law firm’s site, alleged to be the source of the leaked information, ran on Drupal, specifically an old, unpatched release of Drupal 7 (any version prior to 7.32 is affected). The site had been left unpatched for over a year despite warnings in late 2014 from the Drupal.org Security Team that all Drupal 7 sites should be upgraded or patched to close the flaw. Every web application needs to be updated and patched regularly to ward off attacks against known vulnerabilities. This law firm’s site apparently went unpatched, and therefore remained vulnerable, for a very long time.
Known as SA-CORE-2014-005, the flaw is a SQL injection vulnerability in Drupal 7 core. It was announced by the Drupal Security Team on October 15, 2014 and mitigated the same month by Acquia for the more than 4,000 customers running on the Acquia Platform. We also helped our customers who do not run on our platform, our “remotely administered” clients, update their sites quickly, with no interruptions in service and no breaches among Acquia’s clients. In a post titled “Shields Up!”, Acquia’s Director of Research and Development Moshe Weitzman described the two measures Acquia put in place to shield its customers from attack and to ensure that customers whose sites are remotely administered by Acquia were protected and upgraded as well.
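The mechanism behind SA-CORE-2014-005, as an added illustration that is not part of the original post and not Drupal’s own code: Drupal 7’s database layer expands an array-valued placeholder (`WHERE name IN (:name)` with `:name => array(...)`) into one named placeholder per element, and before 7.32 it built those placeholder names from the array’s keys. A request that supplied an array with attacker-chosen keys therefore got those keys spliced into the SQL text; the 7.32 fix renumbers the array with `array_values()` first. The Python below re-implements only that expansion step, with a constructed query and argument array, so the pre-7.32 and patched behaviours can be compared side by side.

```python
import re

# Re-implementation of the placeholder expansion in Drupal 7's database
# layer (DatabaseConnection::expandArguments), as it behaved before and after
# the 7.32 fix for SA-CORE-2014-005. This is illustrative Python, not Drupal
# code: it models the string handling only; no database is involved.


def expand_arguments(query, args, fixed):
    """Expand array-valued placeholders in `query` and return (query, args).

    fixed=False mimics the pre-7.32 behaviour: the new placeholder names are
    derived from the array's keys, so whatever text the keys carry lands in
    the SQL string.
    fixed=True mimics the 7.32 patch, which renumbers the array first
    (PHP's array_values()), so only the indices 0..n-1 ever reach the query.
    """
    new_args = dict(args)
    for key, data in args.items():
        if not isinstance(data, (list, dict)):
            continue  # scalar placeholders are passed through untouched
        items = data.items() if isinstance(data, dict) else enumerate(data)
        if fixed:
            # array_values(): discard the caller's keys, keep only the values
            items = enumerate(value for _, value in items)
        new_keys = {f"{key}_{i}": value for i, value in items}
        joined = ", ".join(new_keys)
        # Same substitution Drupal performs: ":name" followed by a word
        # boundary becomes the comma-separated list of new placeholder names.
        query = re.sub(re.escape(key) + r"\b", lambda _m: joined, query)
        del new_args[key]
        new_args.update(new_keys)
    return query, new_args


# Constructed sample: a query Drupal's user lookup might issue, and an
# argument array whose *key* is attacker-chosen (e.g. from a request
# parameter submitted as an array). The value is irrelevant to the flaw.
CONSTRUCTED_QUERY = "SELECT uid FROM users WHERE name IN (:name)"
CONSTRUCTED_ARGS = {":name": {"0 ) OR 1=1 -- ": "admin"}}


def expanded_query(fixed):
    """The SQL text after expansion, for either variant."""
    query, _ = expand_arguments(CONSTRUCTED_QUERY, CONSTRUCTED_ARGS, fixed)
    return query


def sql_text_contains_user_data(fixed):
    """True if text from the attacker-controlled key reached the SQL string."""
    return "1=1" in expanded_query(fixed)


if __name__ == "__main__":
    for fixed in (False, True):
        q, a = expand_arguments(CONSTRUCTED_QUERY, CONSTRUCTED_ARGS, fixed)
        print("patched " if fixed else "pre-7.32", "->", q, a)
```

Running the block prints the pre-7.32 expansion, in which the key text appears inside the WHERE clause, and the patched expansion, in which only `:name_0` does. Two practitioner caveats follow from this: the fix is a one-line change in `includes/database/database.inc`, so applying it takes minutes, but applying it does not undo a compromise that happened before it was applied; the Drupal Security Team’s follow-up public service announcement advised treating any Drupal 7 site not patched within hours of the October 15 announcement as potentially compromised.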
Software security is a difficult, constant challenge that requires vigilance and ongoing communication with one’s vendor or with the open source project’s security team. Taking security for granted, or assuming it is handled by someone else or by automated updates, is a recipe for disaster. Securing frameworks like Drupal (or WordPress, for that matter) is hard, but thanks to the open source community flaws are often detected and patched quickly; the hard part is getting the patch onto every site before attackers exploit it. At Acquia we take security seriously, and we take pride in our security compliance certifications and our record of helping customers keep their sites current with the latest patches and upgrades. That same vigilance helps keep sites performing during DDoS attacks and other malicious attempts to degrade them or take them offline altogether.
No system is “unhackable”, but sites hosted on a “do it yourself” basis, even on a purportedly “secure” cloud service, may be more susceptible to breaches: the cloud provider secures the infrastructure, not the application code running on it. Ultimately, those who decide to self-host have only themselves to blame when known security vulnerabilities go unpatched, or when application code is compromised because of inattention or the lack of a dedicated support team such as Acquia’s.
Our Remote Administration service provides expert Drupal site maintenance, rapid response to security issues, and allows a web application team to focus on development and not day-to day administration. Our team provides:
- Core security updates, applied proactively
- Module security updates, applied proactively
- Module installation and configuration
- Weekly scans and automated updates
- Bugfix updates on request (Premium RA clients)
- Creation and modification of views and content types
More information about Acquia’s Support and Remote Administration services can be found within the documentation in the Acquia Help Center.