Drupal is a huge software project by any measure, with thousands of developers writing code for it and deploying websites and applications on it. Alongside Linux, Apache, and Mozilla, it is one of the largest open source projects in the world. This infographic helps explain the important work of Drupal's Security Team.
Who needs protecting and why? How the world's largest open source CMS combines openness and security.
Drupal has gone from dorm room to board room in decade since its creation. It powers the web presences of hundreds of thousands of businesses, governments, universities, and others around the world. Developing code for Drupal now means writing code that could be used on any of those sites. Whether it comes from passionate hobbyist or full-time professional, Drupal's code must meet the very strict security requirements of banks, health-care providers, and governments, while keeping one step ahead of those trying to break into such systems.
Security and open source go hand-in-hand
Drupal's security process does need to be carried out quickly and discreetly to help fix problems before they become widely known or exploited. Nonetheless, security and open source go hand in hand – this may come as a surprise to those who assume that "security by obscurity" actually works. Hiding behind proprietary licensing or compiled code and hoping no one notices security flaws that have not been addressed is a recipe for disaster. Having your code open to anyone can result in greatly improved security – anyone can find and fix a problem. Working with a community of thousands of developers multiplies the benefits; anyone else's bug fix becomes your fixed bug, too. Security experts from the world's governments and largest companies regularly scrutinize Drupal's codebase for themselves and have judged it secure enough for their mission-critical applications.
Work begins before security issues arise – proactive security awareness
Insecure code is usually flawed from the start. There are best practices that developers should follow to nip the vast majority of security problems in the bud. For this reason, the Drupal Security Team tirelessly spearheads ongoing efforts to educate and help the Drupal community prevent security issues from arising. They conduct presentations and training at Drupal community events and conferences, give webinars, write free online documentation, and maintain a public group to discuss Drupal security-related issues.
What is supported? Drupal core and stable release modules
The Drupal Security Team assists in handling the vast majority of security issues across the Drupal project and its contributed, plug-in modules. Modules with "development" releases are an exception; modules without a supported stable release ("1.0", "2.1", etc.) cannot receive the benefit of the Security Team's oversight. If you are considering using a module with only "development" or “beta” releases for a critical application, encourage the module's maintainer to create a stable, supported "x.0" release.
About the Drupal Security Team
The Drupal project formalized the existence of its Security Team in 2005 and rotates team leadership periodically. Code doesn't usually "suddenly become insecure", but some issues can be subtle and hard to spot. The rise of new technologies can make problems visible in new ways. A great deal of skill, knowledge and experience goes into making Drupal as secure as possible. The Drupal Security Team is now a mature, diverse group, currently comprising around 40 of the world's leading web-security experts (none of them robots, despite their skill and efficiency). They monitor and analyze problems that crop up "in the trenches" and work to improve the security of the Drupal project. Members of the team are dedicated volunteers from countries across 3 continents, including residents of Belgium, Canada, England, France, Germany, Hungary, Ireland, Japan, and the United States. The team draws members from consultancies, Drupal service providers, government contractors and Drupal's end-users, including non-profit, for-profit and education organizations.
The Security Release process
If your Drupal site is hacked or defaced
Help prevent this unfortunate occurrence from happening to others! Though unable to assist in individual cases, the Security Team would like to hear about your experience, in order to better protect the Drupal community as a whole. You can use the template at the page "My site was defaced. Now what?" to let them know what happened.
For more in-depth information, read the Drupal Security Report at http://drupalsecurityreport.org.
All current security advisories as well as information on how to subscribe to the Drupal security newsletter, contact the security team, and more are listed at http://drupal.org/security.
Our thanks goes out first and foremost to the volunteers on the Drupal Security Team. We deeply appreciate your dedication to Drupal, our security, and a well-functioning web.
Special thanks to Greg Knaddison, Drupal Security Team Lead, for your insight and help getting all this right!
Thanks also to mogdesign and Acquia for helping explain this complex and important process.
Spread the word
The infographic "Keeping Drupal Secure - Ten steps to a Drupal Security Release" is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License. Download it and spread the word.
Original appearance on acquia.com.