Outer.net - Security Review for Drupal

Greg — Wed, 07 Apr 2010 15:54:54 +0000

OuterNet, a large data center operator in the southern United States, provides custom server and application management for a variety of clients across the world.

When a client brought them a Drupal-based application for sharing sensitive files they wanted to make sure that the site was secure and learn what application management practices needed to be put in place to keep the site secure.

They turned to Growing Venture Solutions to receive a Security Review led by Ben Jeavons with support from Greg Knaddison and Steve Harley.

Security review Process and Findings

Ben started with a fundamental review of the features of the site to understand it's needs, then checked to see if any modifications were made to the core and contributed code on the site. Automated tools and manual review were run on the site to discover issues. In the end the site was found to be generally sound but with 5 critical vulnerabilities and 4 less critical vulnerabilities. The review concluded with our standard report and a meeting to discuss the findings giving Outer.net an opportunity to learn about securing this site and Drupal sites in general.

Stats for identified issues

vulnerabilities in core - zero
vulnerabilities in contributed modules - zero
vulnerabilities in configuration - one critical, three less critical
vulnerabilities in process - one critical
vulnerabilities in custom code - multiple vulnerabilities in a
disabled custom theme

This review follows the trends we see in other sites: it's more likely to find mistakes in configuration or custom code than it is to find them in core or contributed modules that are reviewed by the community. The site was also running older versions of Drupal core and several contributed modules that have security releases. Published exploits exist in older versions of core and contributed modules with security releases.

To help address these consistent configuration and developer education issues GVS has created the Security Review module and offers books and training at Drupalcamps and Drupalcons.

visit the site

University Corporation for Atmospheric Research

evelyn — Fri, 20 Nov 2009 21:23:31 +0000

The University Center for Atmospheric Research (UCAR) in Boulder has adopted Drupal as an organization-wide standard for deploying websites. One of the intranet sites UCAR needed was a system for managing the tutorials and FAQs that help administrative employees navigate through the center's guidelines, processes and procedures.

Growing Venture Solutions worked with stakeholders from across the organization to design a knowledge management system to reduce the work for administrators and to improve access to relevant information. GVS also trained in-house web developers and designed an efficient workflow for transferring existing content into the new Drupal site.

visit the site

Growing Venture Solutions - GVS - Security

Outer.net - Security Review for Drupal

Security review Process and Findings

Stats for identified issues

University Corporation for Atmospheric Research