Drupal 8 Security Archives

As we near the end of 2019, choosing the right technology implementation partner has never been more important. According to a recent Gartner study, through 2021, 90 percent of global organizations will rely on system integrators (SIs), UX design agencies and channel partners to design, build and implement their digital experience strategies.

Before deciding on the right implementation partner, it’s integral to choose the right technology for that partner to implement. Drupal, an open-source technology option, is known for being the top choice for creating large, complex websites. Given today’s increasingly complex threat environment, Drupal is also a great technology option because of its built-in security protocols. According to a recent report, Drupal sites are some of the least hacked sites on the web. For large, security-conscious organizations, federal agencies and government institutions, look no further than Drupal.

Once you’ve made the decision to implement a Drupal site, the next question to ask yourself is who you should trust to design, build and implement your new site. That’s where a top DC UX design agency like Bluetext comes in.

Here are our top 5 tips for finding the right Drupal development agency:

Look for a Partner Who Thinks Beyond the Implementation

Having a partner who focuses on the big picture of your project is integral to the success of your initiative. These days, any developer with a laptop and an internet connection can set up a website, but having a partner with a perspective on how that website fits into the broader marketing ecosystem and vision for your company’s future growth is paramount. A Drupal development company like Bluetext, with full-service capabilities, can be that partner. Bluetext, leveraging experience as a top DC UX design agency, will assess the project from a wider viewpoint and offer tried and tested solutions to positively impact your revenue streams and improve overall customer loyalty.

For example, Bluetext partnered with Mindtree to develop the new Mindtree.com, which includes an intuitive, fully responsive user experience and leverages personalization to serve relevant content to each user. Powered by Drupal 8, the new website provides the flexibility and scalability a large enterprise needs to support its digital marketing efforts.

Is Your Team Ready for the Partner’s Style?

When working on a project, chemistry is everything. Your chosen partner might be the best in the business, but if they don’t wrap their processes around your needs, the entire engagement will be negatively affected on both sides of the table. Deadlines won’t be met, communication will feel forced and restricted, and overall, the project will suffer. Bluetext, one of the best DC UX design agencies, works closely with each client we partner with, making sure we understand internal processes, all design and functional requirements, and priorities for the given timeframe. Bluetext adapts our processes to operate how our clients work best, employing different applications and modes of communication to ensure every client is happy and the end-product achieves set goals.

Make Sure Your Teams Fully Understand Their Roles

The key to any project’s success is communication. It is never wise to assume a member of the team fully understands the objectives they are tasked to manage and deliver. An open-source application such as Drupal can be a challenging system to get used to. Having a leading web agency like Bluetext on your side can make any project run smoothly. From week one, Bluetext makes sure every member of the team, on both sides of the engagement, has a clear understanding of their role. This means putting in the effort to define clear project objectives per phase, roles and responsibilities, a communication structure and even informal expectations. Put the work in at the beginning of an engagement, and you will reap the benefits as you toast the launch of your new website.

A Higher Price Doesn’t Necessarily Mean a Higher Quality

When choosing the right technology implementation partner, the cost of the implementation is important. Understanding how and where your budget will be spent before making your choice will lower the chance of setbacks as the project moves from start to finish. The higher-priced implementation partner will often spend longer amount of time on a project and will bring too many unnecessary team members to meetings. Contrarily, the cheaper implementation partners often lack the skill to produce consistent, quality work.

At Bluetext, a leading web agency, we understand how ambiguous pricing may seem when it comes to implementing a new website. Bluetext is unique in our approach to pricing out technological implementations. Most digital web design agencies will conduct their business via an hourly billing budget. Bluetext ultimately views this process as inefficient and a hindrance to the client-agency relationship. Instead, we bill per deliverable, making our inefficiencies our problem. It doesn’t matter how many members of our team we bring to a client meeting or how many rounds of revisions a design takes to get right. The client always comes first and the work isn’t done until you are satisfied.

Past Track Record Counts

A company’s decision on which technology implementation partner to choose comes down to that partner’s previous experience. This makes sense, given that clients often look to case studies featuring previously executed work an example of what they can expect to receive at the end of the engagement. They also look to the reputation of agencies within their industry, so they know that that agency has knowledge of their industry and can get up to speed quickly. Bluetext, being a top UX & interface design company, has plenty of experience developing stunning, industry-leading, Drupal-based sites and has delivered on some of the most complex implementations to date.

For example, Bluetext partnered with XO on an enterprise-level Drupal 8 website deployment. Bluetext engineered a next-generation CMS re-platforming that included a first-time responsive website user-experience design. As XO’s SEO agency of record, Bluetext delivered a comprehensive SEO overlay as we dealt with the complexities of re-platforming, leveraging the Drupal content management capabilities to make XO.com an organic SEO over-achiever.

For more information on why Bluetext is one of the top DC digital web design agencies, check out our website, packed with examples of our work harnessing the power of Drupal.

A Public Service Announcement was released on July 30th, 2018, announcing a moderately critical security update to Drupal Core. This update is not part of the normal Drupal Core security releases but was deemed important enough to release the update. A link to the public service announcement can be found here: https://www.drupal.org/psa-2018-07-30

More information on the actual vulnerability was released along with the security updated on August 1, 2018. Based on the feedback and messaging around the issue on other forums such as Acquia.com, it is highly recommended that anyone on Drupal 8.5 install this important update. For organizations not running on the latest version of Drupal 8, it is recommended that you manually upgrade the impacted libraries as soon as possible.

For more information on the Drupal Security Advisories, the Drupal Security Team and Drupal Security Rating Process, check out our previous post here: https://bluetext.com/drupal-8-critical-security-release-march-28th-2018/

Looking for help upgrading your Drupal website? Contact Us!

Drupal 8 has made significant improvements in standardizing its upgrade path. Gone are the days where an upgrade would require a full site rebuild and migration. While some upgrades are more significant than others, the overall standardization of the upgrade process is welcome.

Minor Upgrades:

With minor upgrades beginning with Drupal 8, no functionality will be removed from the core. Any changes to core API’s or functions will be “deprecated” and will be slated for removal during the next major upgrade.

Major Upgrades:

Major upgrades will clear out all of the deprecated functionality that has accumulated in order to start off with a clean slate. With the standardization onto the Symphony framework, there is no plan to rebuild the Drupal core like as was done from versions 6 -> 7 and 7 -> 8.

Great! So upgrading my sites in Drupal 8 should be easy!? Right!???

Answer: Not so much!

The big takeaway is that the Drupal 8 updates made to standardize the upgrade process will make staying up-to-date much easier. That being said, there are still complications with the minor version upgrades. Drupal 8 continues to be in very active development — the community is working hard to integrate critical functionality, such as Media and Workflow, into the Drupal core.

With these core improvements comes a new dilemma: How do I upgrade my website that was built utilizing contributed functionality because the core functionality was not ready at the time? It might sound simple to do, but there are many improvements and alterations made to functionality when it is being integrated into the core. This requires an upgrade path to be built in order to move forward with updating the version of Drupal 8 you are running.

The good news is that Drupal 8 will not release a new core upgrade without an upgrade path for migrating the contributed functionality to the core. The bad news is that this won’t cover customizations or other contributed add-on functionality. This is where the real work comes in and where planning is required.

Here are some high-level questions that will help you plan your core upgrade path:

What contributed modules that I am using have been moved into the core?
Which of the patches that I am using has been committed to the core?
Are there additional dependencies that need to be updated due to core API updates or changes?
Do I have any custom code that is utilizing deprecated core functions or modules?

Things here can get a little bit more complex based on how your website is built. For example, if you are utilizing features for configuration management you will need to also consider:

Are my features dependent on configuration from core/contrib that has been updated or removed?
Do my features contain configuration related to a deprecated module?

While the new upgrade plan for Drupal provides a much clearer path forward, it still requires effort to stay up to date. For many clients, separating a large upgrade into several, smaller chunks is desirable because it is more manageable and allows them to spread the cost of upgrading their entire site over several quarters or years.

Looking for help upgrading your Drupal website? Contact Us!

If you are not already aware, and, more importantly, have not already upgraded, on March 28, a critical security update was released for all versions of the open source Drupal content management system platform. The vulnerability was rated as a 21/25 in severity based on the NIST Common Misuse Scoring System. The vulnerability was described as “(a) remote code execution vulnerability (that) exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.” More information can be found here at this link: https://www.drupal.org/sa-core-2018-002

Drupal Security Advisories

Security advisories are posted on the Drupal.org website under the security advisories page. It is important for anyone who is maintaining a Drupal website to regularly check for security advisories that may apply to their websites in order to keep their sites secure. There are several ways to stay up to date with the most recent information:

Visit the Drupal Security Advisory Page
Subscribe to the rss feeds for core, contrib, or public service announcements
Follow @drupalsecurity on Twitter.

Drupal Security Team

One huge selling point of Drupal as a platform is the large community of users. An integral part of this community is the Drupal Security Team, a volunteer team of professionals across the industry who want to help improve the security of Drupal. The goals of the security team are to:

Resolve reported security issues in a Security Advisory
Provide assistance for contributed module maintainers in resolving security issues
Provide documentation on how to write secure code
Provide documentation on securing your site
Help the infrastructure team to keep the drupal.org infrastructure secure

For more information about the Drupal Security Team, what they do, and how they do it, check out their page on Drupal.org.

Drupal Security Rating Process

The security rating of a vulnerability is used to help determine the level of urgency you should take when dealing with a new security advisory. While all security updates should be incorporated, some may not warrant disruption to your business to implement immediately upon release.

Based on the NIST Common Misuse Scoring System (NISTIR 7864) in which all Drupal security advisories are measured, vulnerabilities are given a rating:

a score between 0 and 4 is considered Not Critical
5 to 9 is considered Less Critical
10 to 14 is considered Moderately Critical
15 to 19 is considered Critical
20 to 25 is considered Highly Critical

Each issue should be assessed individually, but, as a basic rule of thumb, any issue rated as Critical or Highly Critical should be taken care of immediately. Less Critical to Moderately Critical should be fit into the current release if possible, and Non Critical issues can be prioritized against a backlog of updates.