Home / Comment permalink

How Drupal and Acquia Help Protect Against Web Attacks

Security, or lack thereof, seems to be a popular theme these days, especially as it applies to web applications and even more specifically to open-source CMS. Earlier this week, Mathew Schwartz from InformationWeek wrote an article, Web Applications See Sharp Rise in Attacks, in which he referenced the latest HP DVLabs "2010 Top Cyber Security Risks Report" that brought into question the security of open source CMS applications.

The idea that open-source is also an open-door for would-be attackers is a common misconception. Think about it, if having two pairs of eyes looking at code is better than one, how much better are hundreds of pairs of eyes looking at code and ferreting out would-be vulnerabilities. DoD CIO, David Wennergren issued a memo, Clarifying Guidance Regarding Open Source Software, in which he states, "The continuous and broad peer-review enabled by publicly available source code supports software reliability and security efforts…"

This is exemplified by the Drupal community with its active group of coders and researchers finding and fixing bugs all the time. And the Drupal community takes site security very seriously.

The Drupal security team is busy responding to security reports for 8300 Drupal modules written by over 5000 developers. With documented resolution processes and a full-disclosure policy, the security team does more than just post patches to drupal.org. The team resolves reported security issues, provides assistance and documentation for module maintainers in resolving issues and writing secure code, and once issues have been resolved - not before - do they notify users. The Drupal security team's transparency about identified security issues demonstrates over and over again the responsiveness of the team.

But from a site owner's perspective, trusting that Drupal is proactively monitored and maintained is only part of the battle in ensuring site security. The onus is still on the site owner to respond to notifications from the Drupal security team. This is where having a trusted partner, such as Acquia, can help you to mitigate potential security issues and the Acquia Cloud goes above and beyond with a number of techniques to make hosted sites as secure as possible.

Remote Administration simplifies your Drupal update and maintenance efforts. Acquia’s Drupal support experts spearhead the task of keeping your site up-to-date with the latest security patches and bug fixes to any modules installed on your site. Acquia’s support experts continually ensure your site maintains the highest possible level of security and respond quickly when new vulnerabilities are identified.

The Cloud environment takes advantage of industry leading cloud computing platforms to provide the highest levels of security. Built on Amazon Web Services (AWS) to deliver enterprise-class security on a SAS70 certified platform, the Acquia Cloud is able to ensure your data is protected by industry standard operational and security controls at all times. It uses trusted, secure *nix style permissions to isolate services, it isolates each customer in their own Virtual Machine and uses policy based configuration management to ensure that systems' configurations are within policy and aren't intentionally misconfigured. Acquia even goes one step further to use security tools - such as the security review module - to look for, and subsequently remedy, common security misconfigurations.

The Acquia operations team maintains the infrastructure to protect data with automated security monitoring, automated backup and data retention, breach notifications, and support for SSL certificates. And in the event that your Drupal site is compromised it cannot write to disk and change its own code since the Acquia Cloud isolates the Apache web server and PHP code.

Through the Acquia Network, both business and technical contacts for your site can subscribe to receive Drupal security notifications to ensure security updates are applied. Acquia's client advisors will apply security updates to a staging environment first to test for any updates that might negatively impact your production site.

If you really don’t want to be bothered with any of this, there’s Drupal Gardens. With Drupal Gardens, there's nothing to install and no servers to manage. Drupal Gardens is built on the latest, state of the art Drupal 7 release and will be updated with security patches as they become available. We take care of everything on the backend so you can focus on building great sites.

So although all software has some inherent security risk, the idea that open-source, and in particular CMS are more vulnerable seems somewhat unfounded. It's extremely rare that software gets written from scratch that is free of vulnerabilities; this applies whether the software is proprietary closed source, or open source. The difference between open and closed source is that open source is more likely to be scrutinized and checked by many people - other coders, security experts, and even technical end-users - for security flaws. Which means there is a higher likelihood that any vulnerabilities that exist will be found, reported, and fixed. The reality is, when it comes to security, you need to be on your toes, but with a community of developers and managed enterprise-class hosting solutions behind your Drupal site, you can feel confident that its secure.


Posted on by David Rothstein.

"Through the Acquia Network, both business and technical contacts for your site can subscribe to receive Drupal security notifications to ensure security updates are applied."

It's important to point out that the Acquia Network security notifications are built on top of a robust security notification system in Drupal itself, one that is available to every Drupal site whether supported by Acquia or not.

The Update Status module in Drupal 6 (renamed to Update Manager in Drupal 7) that ships with Drupal core allows you to configure your site to automatically e-mail you whenever security updates are available for any of the specific modules you are using on your site (provided the modules have stable releases on drupal.org; as per security team policy, alphas/betas/release-candidates/etc. don't go through the security advisory process).

This feature is an extremely valuable part of Drupal's overall security framework, since it allows you to get timely security notifications tailored to your own particular site that tell you when that site has updates you need to apply.

The Acquia Network notifications are important too, of course; they're built on top of the core Drupal framework and provide additional information about security updates for sites that use the Acquia Drupal distribution of Drupal. If you're using Acquia Drupal, you'll likely want to enable both kinds of notifications.

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.

Filtered HTML

  • Use [acphone_sales], [acphone_sales_text], [acphone_support], [acphone_international], [acphone_devcloud], [acphone_extra1] and [acphone_extra2] as placeholders for Acquia phone numbers. Add class "acquia-phones-link" to wrapper element to make number a link.
  • To post pieces of code, surround them with <code>...</code> tags. For PHP code, you can use <?php ... ?>, which will also colour it based on syntax.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <h4> <h5> <h2> <img>
  • Lines and paragraphs break automatically.
By submitting this form, you accept the Mollom privacy policy.