Posted by jdwalling

Got Security?

Posted by greggles

Discussion for RCE in Contrib PSA and announcements


Based on a lot of discussion, especially in this thread, the security team adjusted the way we announced the most recent contrib module releases.

  • We did a PSA 24 hours in advance and named the time of the release
  • The PSA (after editing; whoops, it should have been in the initial version) included roughly the number of installed sites
  • We have a security scale and could specifically say how critical the upcoming issues were
  • We used Twitter to talk about it as well
Posted by greggles

Locking vendor accounts after their job is over, locking inactive admin accounts at 90 days

Old and unused accounts with admin access are a common entry point for attacks. They often have weaker passwords than a current account, and the passwords are not being rotated, making the accounts easier to brute-force over a long period.

There are two policies that create a solution to this problem:

  1. If a vendor will be doing work for a known amount of time, set their account to expire (be made inactive) on the date their work is likely to be done. This is required by PCI DSS 3.1 section 8.1.4.
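The two policies above are easy to state and easy to forget to enforce. As an added example (not code from greggles's post or from Drupal itself), here is a Drupal 7 drush script that applies both of them in one cron-driven pass. It assumes a privileged role named `administrator`, and it assumes the vendor end date is stored as a Unix timestamp under a hypothetical key `vendor_expires` in the account's serialized `data` column; both names are this example's choice, not anything the post specifies.

```php
<?php
/**
 * Added example, not code from the post above: a Drupal 7 drush script that
 * applies both policies. Run it from the site root (ideally from cron):
 *   drush php-script block_stale_accounts.php            # block matching accounts
 *   drush php-script block_stale_accounts.php dry-run    # report only
 *
 * Assumptions (not stated on the page): the privileged role is named
 * 'administrator', and a vendor account's end date is stored as a Unix
 * timestamp under the hypothetical key 'vendor_expires' in the account's
 * serialized `data` column, e.g. set when the vendor account is created with
 *   user_save($account, array('vendor_expires' => strtotime('2015-12-31')));
 */

$inactive_days = 90;                    // the 90-day window from the post
$privileged_role = 'administrator';     // assumption: role name on this site
$vendor_expires_key = 'vendor_expires'; // hypothetical key in $account->data
$dry_run = in_array('dry-run', drush_get_arguments());

$cutoff = REQUEST_TIME - $inactive_days * 86400;
$role = user_role_load_by_name($privileged_role);
if (!$role) {
  drush_set_error('NO_ROLE', "Role '$privileged_role' not found; nothing done.");
  return;
}

// Policy 2: active accounts holding the privileged role whose last access
// (or, for accounts that never logged in, creation date) is older than the
// cutoff. uid 1 is skipped on purpose: blocking it locks everyone out, so
// rotate its credentials instead of expiring it.
$query = db_select('users', 'u');
$query->join('users_roles', 'ur', 'ur.uid = u.uid');
$stale_uids = $query->fields('u', array('uid'))
  ->condition('ur.rid', $role->rid)
  ->condition('u.status', 1)
  ->condition('u.uid', 1, '>')
  ->condition(db_or()
    ->condition('u.access', $cutoff, '<')
    ->condition(db_and()
      ->condition('u.access', 0)
      ->condition('u.created', $cutoff, '<')))
  ->execute()
  ->fetchCol();

// Policy 1: active accounts whose vendor end date has passed. The LIKE filter
// only narrows the candidate set; the real check is on the unserialized value.
$candidate_uids = db_select('users', 'u')
  ->fields('u', array('uid'))
  ->condition('u.status', 1)
  ->condition('u.data', '%' . db_like($vendor_expires_key) . '%', 'LIKE')
  ->execute()
  ->fetchCol();
$expired_uids = array();
foreach (user_load_multiple($candidate_uids) as $account) {
  $expires = (is_array($account->data) && isset($account->data[$vendor_expires_key]))
    ? (int) $account->data[$vendor_expires_key] : 0;
  if ($expires && $expires < REQUEST_TIME) {
    $expired_uids[] = $account->uid;
  }
}

// Block everything that matched. user_save() with status 0 also destroys the
// account's sessions, so anyone already logged in on it is kicked out too.
$uids = array_unique(array_merge($stale_uids, $expired_uids));
foreach (user_load_multiple($uids) as $account) {
  $why = in_array($account->uid, $expired_uids)
    ? 'vendor contract expired'
    : "privileged account inactive for $inactive_days days";
  if ($dry_run) {
    drush_print("Would block {$account->name} (uid {$account->uid}): $why");
    continue;
  }
  user_save($account, array('status' => 0));
  watchdog('security', 'Blocked account %name (uid @uid): @why',
    array('%name' => $account->name, '@uid' => $account->uid, '@why' => $why),
    WATCHDOG_NOTICE);
  drush_print("Blocked {$account->name} (uid {$account->uid}): $why");
}
drush_print(count($uids) . ' account(s) matched.');
```

Blocking rather than deleting keeps the account's content and audit trail intact, and the `dry-run` argument lets you review the list before the first real run; expect the inactive-admin query to turn up accounts nobody remembered existed.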
Posted by deepanjali

Security service provider

Hi, I am looking for recommendations for good, reliable service providers who can keep our website up to date in terms of security and deal with malware, attacks, etc. We do not have tech people on our team so they would need to take care of everything. We use a dedicated server with Bluehost and our site is currently deactivated due to malware.

Posted by kpyan8s

Drupal Core Security Advisory SA-CORE-2015-003

According to the Drupal community, Drupal 7.39, which contains fixes for security vulnerabilities, was released on August 20, 2015.

Sites are urged to upgrade immediately after reading this security announcement.

Posted by greggles

Updating "criticality" levels to match scores

A while ago, after a lot of great research and work (mostly by Michael Hess), we rolled out a new style of scoring individual security advisories. The system is based on NIST's scoring at

For example, a recent issue had a "score" of
7/25 AC:Basic/A:Admin/CI:None/II:None/E:Theoretical/TD:All

The score and coding are meant to explain the risk, but they're rather cryptic.

To try to be more "human friendly" we also still say things like "Highly Critical" and "Less Critical" and "Not Critical".

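Since the coded form is the cryptic part, here is an added example (not code from greggles's post or from the security team) that expands a score string like the one quoted above into labelled metrics and rejects malformed ones. The metric codes and their permitted values are those used in Drupal advisories; the numeric bands in `drupal_risk_level()` are this example's assumption and should be checked against the security team's current risk-levels page, which the post links to but does not reproduce.

```php
<?php
/**
 * Added example, not code from the post: expand the security team's risk
 * "score" string into labelled metrics and a criticality band, and reject
 * strings that are malformed (unknown metric, invalid value, duplicate or
 * missing metric, score outside the stated range).
 */

function drupal_risk_metrics() {
  // Metric codes and their permitted values as used in Drupal advisories.
  return array(
    'AC' => array('Access complexity',         array('None', 'Basic', 'Complex')),
    'A'  => array('Authentication required',   array('None', 'User', 'Admin')),
    'CI' => array('Confidentiality impact',    array('All', 'Some', 'None')),
    'II' => array('Integrity impact',          array('All', 'Some', 'None')),
    'E'  => array('Zero-day impact (exploit)', array('Exploit', 'Proof', 'Theoretical')),
    'TD' => array('Target distribution',       array('All', 'Default', 'Uncommon')),
  );
}

function drupal_risk_level($score) {
  // Assumed bands (0-4, 5-9, 10-14, 15-19, 20-25); confirm them against the
  // security team's published risk-levels page before relying on them.
  if ($score <= 4)  return 'Not critical';
  if ($score <= 9)  return 'Less critical';
  if ($score <= 14) return 'Moderately critical';
  if ($score <= 19) return 'Critical';
  return 'Highly critical';
}

function parse_drupal_risk($text) {
  $metrics = drupal_risk_metrics();
  if (!preg_match('#^\s*(\d+)/(\d+)\s+(\S+)\s*$#', $text, $m)) {
    throw new InvalidArgumentException("Expected '<score>/<max> CODE:Value/...', got: $text");
  }
  $score = (int) $m[1];
  $max = (int) $m[2];
  if ($max < 1 || $score > $max) {
    throw new InvalidArgumentException("Score $score is outside 0..$max");
  }
  $seen = array();
  foreach (explode('/', $m[3]) as $pair) {
    if (!preg_match('#^([A-Z]+):([A-Za-z]+)$#', $pair, $p)) {
      throw new InvalidArgumentException("Malformed metric '$pair'");
    }
    list(, $code, $value) = $p;
    if (!isset($metrics[$code])) {
      throw new InvalidArgumentException("Unknown metric code '$code'");
    }
    if (isset($seen[$code])) {
      throw new InvalidArgumentException("Metric '$code' given twice");
    }
    if (!in_array($value, $metrics[$code][1], TRUE)) {
      throw new InvalidArgumentException(
        "'$value' is not a valid value for $code (" . implode('/', $metrics[$code][1]) . ')');
    }
    $seen[$code] = $value;
  }
  $missing = array_diff(array_keys($metrics), array_keys($seen));
  if ($missing) {
    throw new InvalidArgumentException('Missing metric(s): ' . implode(', ', $missing));
  }
  // Emit the metrics in canonical order with their human-readable names.
  $labelled = array();
  foreach ($metrics as $code => $meta) {
    $labelled[$meta[0]] = $seen[$code];
  }
  return array(
    'score' => $score,
    'max' => $max,
    'level' => drupal_risk_level($score),
    'metrics' => $labelled,
  );
}

// The vector quoted in the post above.
$risk = parse_drupal_risk('7/25 AC:Basic/A:Admin/CI:None/II:None/E:Theoretical/TD:All');
printf("%d/%d (%s)\n", $risk['score'], $risk['max'], $risk['level']);
foreach ($risk['metrics'] as $name => $value) {
  printf("  %-27s %s\n", $name . ':', $value);
}
```

Strict validation matters more than the pretty-printing: a tooling pipeline that silently accepts `E:Theoretcal` or a vector missing `TD` will happily file an advisory under the wrong band.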
Posted by greggles

Security Crowdsourcing: Bugcrowd, HackerOne, Synack, CrowdCurity

I'd love to hear feedback about crowdsourced security programs from anyone who has used or researched them. I personally have used Bugcrowd (as a program sponsor) and HackerOne (as a reporter), and they both seemed roughly similar. I haven't really researched the others.

What do folks think about these programs? Anyone using one or more of them, either as sponsor or researcher, and have feedback to share? Do any of their models provide a better match to the Drupal community?

Posted by greggles

Drupal Security BOF at DrupalCon Los Angeles


There will be a birds-of-a-feather (BOF) gathering at DrupalCon Los Angeles on Tuesday, May 12th at lunchtime (11:45am-1:00pm) in room 410. There's no specific agenda; we'll talk about things that people in the room want to talk about. It should be fine to get lunch first and bring it to the room (if someone says no, surely it will be possible to engage in a little social engineering to convince them it's OK!).

It seems useful to talk about just about anything. Some things that I can imagine we might cover:

Posted by klokie

Hacker attack on Kammarkollegiet

Did you see this one?

Hacker attack on Kammarkollegiet - DN.SE

Kammarkollegiet's website has been subjected to a data breach. ... runs on an old version of the web system Drupal, which according to the website's own documentation has not been updated since April 2013.
Posted by joverstreet001

Drupal Administrator | CGI Federal

Employment type: Full time

Hello All:

If interested, please feel free to contact me with questions and/or email me a resume. I am on the team this job opening is for, and we are looking to fill it quickly.

CGI Federal is looking for a LAMP-stack administrator to support and create middleware environments in large data centers. The administrator will be responsible for helping to architect, implement, and troubleshoot highly visible and high-traffic Drupal environments on both cloud environments and on-premise virtual machines. Applicant will be responsible for working with internal teams, clients, and
