security

Events happening in the community are now at Drupal community events on www.drupal.org.

Drupal 7 and 8 core critical release on April 25th

Posted by tsega on April 23, 2018 at 7:16pm

Another core security release coming in only two days. Be sure to update both your Drupal 7 & 8 sites. https://www.drupal.org/psa-2018-003

Read more
Categories: , ,

Got Security?

Posted by jdwalling on October 5, 2017 at 3:20am

Discussion for RCE in Contrib PSA and announcements

Posted by greggles on July 13, 2016 at 9:24pm

Hi!

Based on a lot of discussion, especially in this thread, the security team adjusted the way we announced the most recent contrib module releases.

  • We did a psa 24 hours in advance and named the time of the release
  • The PSA (after editing, whoops, should have been in the initial version) included the number of installed sites roughly
  • We have a security scale and could specifically say how critical the upcoming issues were
  • We used twitter to talk about it as well
Read more
18 comments Categories:

Locking vendor accounts after their job is over, locking inactive admin accounts at 90 days

Posted by greggles on October 11, 2015 at 2:05pm

Old and unused accounts with admin access are a common entry point for attacks. They often have weaker passwords than a current account and the passwords are not being rotated making the accounts easier to brute-force over a long period.

There are two policies that create a solution to this problem:

  1. If a vendor will be doing work for a known amount of time, set their account to expire (be made inactive) on the date their work is likely to be done. This is required by PCI DSS 3.1 section 8.1.4.
Read more

Security service provider

Posted by deepanjali on September 12, 2015 at 4:05am

Hi, I am looking for recommendations for good, reliable service providers who can keep our website up to date in terms of security and deal with malware, attacks, etc. We do not have tech people on our team so they would need to take care of everything. We use a dedicated server with Bluehost and our site is currently deactivated due to malware.

Read more
2 comments Categories: , ,

Drupal Core Security Advisory SA-CORE-2015-003

Posted by kpyan8s on August 26, 2015 at 2:18am

According to Drupal Community, Drupal 7.39 was released on August 20, 2015 which contain fixes for security vulnerabilities.

Sites are urged to upgrade immediately after reading this security announcement.

Read more

Updating "criticality" levels to match scores

Posted by greggles on June 17, 2015 at 9:00pm

A while ago, after a lot of great research and work (mostly by Michael Hess), we rolled out a new style of scoring individual security advisories. The system is based on NIST's scoring at https://t.co/Pvhzn9CHP2

For example, a recent issue had a "score" of
7/25 AC:Basic/A:Admin/CI:None/II:None/E:Theoretical/TD:All

The score and coding is meant to explain the risk, but it's rather cryptic.

To try to be more "human friendly" we also still say things like "Highly Critical" and "Less Critical" and "Not Critical".

Read more

Security Crowdsourcing: Bugcrowd, Hackerone, Synack, CrowdCurity

Posted by greggles on May 20, 2015 at 8:51pm

I'd love to hear feedback about crowdsourced security programs from anyone who has used or researched them. I personally have used Bugcrowd (as a program sponsor) and Hackerone (as a reporter) and they both seemed roughly similar. I haven't really researched the others.

What do folks think about these programs? Anyone using one or more of them, either as sponsor or researcher, and have feedback to share? Do any of their models provide a better match to the Drupal community?

Read more
Categories: ,

Drupal Security BOF at Drupalcon Los Angeles

Posted by greggles on May 7, 2015 at 2:57pm

Hello,

There will be a birds-of-a-feather (BOF) gathering at Drupalcon Los Angeles on Tuesday, May 12th at lunchtime (11:45am-1:00pm) in room 410. There's no specific agenda, we'll talk about things that people in the room want to talk about. It should be fine to get lunch first and bring it to the room (if someone says no, surely it will be possible to engage in a little social engineering to convince them it's OK!).

It seems useful to talk about just about anything. Some things that I can imagine we might cover:

Read more

Hackarattack mot Kammarkollegiet

Posted by klokie on January 30, 2015 at 12:21pm

Såg ni den här?

Hackarattack mot Kammarkollegiet - DN.SE

Kammarkollegiets webbplats har utsatts för ett dataintrång. ... Kammarkollegiet.se drivs med en gammal version av webbsystemet Drupal, som enligt webbplatsens egen dokumentation inte har uppdaterats sedan april 2013.

Read more
Categories: , ,
Subscribe with RSS Syndicate content

AltStyle によって変換されたページ (->オリジナル) /