Website security and code updates
This is the second instalment in our web security series. Last time we looked at user logins and permissions, and this time we examine the need to update your code for security.
Security is an ongoing battle. One does not simply “harden” a system and walk away. Bad actors are constantly attempting to find new and inventive ways to penetrate systems, and vulnerabilities are being discovered all the time.
Drupal does security well
People unfamiliar with the perils of the internet may consider Drupal’s regular flow of security updates a weakness and a burden. However, it is through these regular updates that Drupal remains a highly secure system.
The Drupal Security Team works with maintainers of both the Drupal project and contributed modules to find solutions to discovered vulnerabilities, and to coordinate releases of new, fixed versions.
New code every Wednesday
A core feature of Drupal’s approach to security is its schedule of release windows. Every Wednesday, any contributed modules that have security patches ready are released. Drupal Core’s own security releases fit in with this cadence, with core releases happening once a month.
Each security release is accompanied by a Public Service Announcement (PSA), which describes the potential vulnerability without giving away the exploit, specifies who is vulnerable, and explains what can be done to mitigate it.
This means that savvy admins can subscribe to notifications and remain on top of any discovered vulnerabilities before the bad actors can exploit them.
The buck doesn’t stop there
What can often be forgotten are third-party libraries. Many modules and site components build upon work done by others in the open source community.
In the old days of Drupal 6 and 7, you had to keep an eye on the libraries used by your application, make sure you were aware of security problems in them, and patch or update them yourself.
Happily, in a Drupal 9 world, sites use the Composer package management tool to ensure all dependencies of the code base are also kept up to date. Composer is truly a wonder of the modern age!
Keeping your code base up to date with the latest security patches is plainly a good idea. However, that is just one way to help keep a site secure. Next time, we will explore the mechanism most commonly used to provide interactivity: forms, together with their arch nemeses: bots.
Anthony Lindsay, Director of Managed Services
With decades of experience, Anthony leads the Annertech Managed Services Team, delivering top quality design, development, and, ultimately, peace-of-mind services to all of Annertech's wonderful clients.