As your website becomes more valuable to your organisation you will need to take greater steps to keep it secure. If you are a jeweller it is probably a good idea to at least put some shutters over your windows when you close the shop (and if you have really big diamonds, you put them in a really big vault). Your security effort needs to be in line with this principle. The higher the value of your digital asset, the higher the effort to protect it. Drupal like any other CMS is much the same.
High value digital assets deserve a high level of protection. With Drupal there are things you or your agancy HAVE to do, this should not be optional, it has to be done.
So what are these things that I HAVE to do I hear you ask?
Two words, guaranteed to ruin a Drupal developer's Wednesday evening.
October 21, 2015 at 7:16pm saw the release of Drupal security update: DrupalCore - Overlay - Less Critical - Open Redirect - SA-CORE-2015-004. In this particular case the developer would probably have thought: “phew, not too bad” as the security risk associated with this update was 'Less Critical' and mainly more annoying rather than anything else because it affects website administrators when logged into the website in a particular way and nothing else really. Nevertheless, good security practice states that security updates regardless of status are implemented as soon as possible. This is for a very good reason because there is only one way to “do” Drupal security and that is to do it properly.
There is often a very simple way to check if and when the last security update was performed on a Drupal website. I must add, this method does not always work because the site/server administrator can (and arguably should) prevent prying eyes from being able to see this detail. Take the URL of a Drupal website, (www.drupal.org for instance), add /CHANGELOG.txt to the end of the URL like this: www.drupal.org/CHANGELOG.txt and hit enter/return. You may be able to see when the last security update took place. In the above case 2015-10-21
The Drupal security advisories provide useful information on how to apply fixes for the relevant vunerabilities. However, it's crucial to understand that in the wrong hands this information could theoretically be used to target and take advantage of sites which have been identified to be at risk of specific security expolits. This means that from the time the update is released, to the time the update is applied, your website is vulnerable. Therefore it's imperative that each security update is applied as soon as possible.
For the reasons outlined above, it's very important that you have strong security processes in place or, if this task is outsourced, that you have transparent SLAs and communication channels in place. The risks of not keeping your Drupal website up to date are significant (just as they are with any other CMS) and even though the last Drupal security update was more of a nuisance then anything else, this last year has seen severe breaches, including; the risk of access bypass (the ability for somebody to take control of your website) and information disclosure to name but a few.
If you would like find out more information about drupal security such as: how to subscribe to security update email notifications, the latest security update, developer practices for secure coding and much more then go here www.drupal.org/security
So check now if you can, if you are unable to do it yourself then contact your Drupal web administrator or service provider and ask him/her when the last security update was performed. If this post has risen concerns or questions or you would like to know more about Drupal, security and Open Source, then get in touch for an informal and confidential chat.