Growing Venture Solutions - GVS - Enterprise

Outer.net - Security Review for Drupal

Greg — Wed, 07 Apr 2010 15:54:54 +0000

OuterNet, a large data center operator in the southern United States, provides custom server and application management for a variety of clients across the world.

When a client brought them a Drupal-based application for sharing sensitive files they wanted to make sure that the site was secure and learn what application management practices needed to be put in place to keep the site secure.

They turned to Growing Venture Solutions to receive a Security Review led by Ben Jeavons with support from Greg Knaddison and Steve Harley.

Security review Process and Findings

Ben started with a fundamental review of the features of the site to understand it's needs, then checked to see if any modifications were made to the core and contributed code on the site. Automated tools and manual review were run on the site to discover issues. In the end the site was found to be generally sound but with 5 critical vulnerabilities and 4 less critical vulnerabilities. The review concluded with our standard report and a meeting to discuss the findings giving Outer.net an opportunity to learn about securing this site and Drupal sites in general.

Stats for identified issues

vulnerabilities in core - zero
vulnerabilities in contributed modules - zero
vulnerabilities in configuration - one critical, three less critical
vulnerabilities in process - one critical
vulnerabilities in custom code - multiple vulnerabilities in a
disabled custom theme

This review follows the trends we see in other sites: it's more likely to find mistakes in configuration or custom code than it is to find them in core or contributed modules that are reviewed by the community. The site was also running older versions of Drupal core and several contributed modules that have security releases. Published exploits exist in older versions of core and contributed modules with security releases.

To help address these consistent configuration and developer education issues GVS has created the Security Review module and offers books and training at Drupalcamps and Drupalcons.

visit the site

University Corporation for Atmospheric Research

evelyn — Fri, 20 Nov 2009 21:23:31 +0000

The University Center for Atmospheric Research (UCAR) in Boulder has adopted Drupal as an organization-wide standard for deploying websites. One of the intranet sites UCAR needed was a system for managing the tutorials and FAQs that help administrative employees navigate through the center's guidelines, processes and procedures.

Growing Venture Solutions worked with stakeholders from across the organization to design a knowledge management system to reduce the work for administrators and to improve access to relevant information. GVS also trained in-house web developers and designed an efficient workflow for transferring existing content into the new Drupal site.

visit the site

The Economist

Greg — Thu, 19 Nov 2009 22:28:48 +0000

I (Greg) have been reading the Economist since I was a teenager, so I was quite excited to hear that they were going to be moving to Drupal. Of course, I was even more excited when I got the opportunity to work on the project.

The Economist provides a variety of services, but their most popular one is the very dense newspaper they deliver each week full of insightful articles. As printed media undergoes an enormous change in the age of online delivery, The Economist draws inspiration from the Prospectus and their mission statement to find a purpose:

"To take part in a severe contest between intelligence, which presses forward, and an unworthy timid ignorance obstructing our progress."

Growing Venture Solutions has engaged with developers at The Economist and many other fine consultants including Cyrve and Four Kitchens. We are working with their scrum teams to build the tools necessary to host a severe contest online. Included in these tools are features that drive at the heart of Drupal: content management, identity, rating, and individually focused customization.

Much of the work is making its way back to the Drupal community. The Views Bulk Operations and Voting API modules have seen some improvements already. The amazing Table Wizard and Migrate modules were vastly improved as a result of their use importing data into the site. As we move beyond the migration stages of the project, we should be able to make even more improvements to Drupal.

visit the site