Business + Strategy · Kalle Varisvirta · 24 September 2013
AUDITING DRUPAL SITES
Prerequisites?
Basic knowledge of Drupal and its architecture
Understanding the business involving Drupal
What you’ll learn in this session?
Why are Drupal audits done?
How are they done (including some technical details)?
What’s the business of Drupal audits?
What’s an audit?
An audit is a run-through of a site’s implementation
Audits are done for many different reasons and thus the
actual process of doing an audit varies
Why are audits done?
Audit types
Acquisition audit
Implementation verification audit
Vendor management audit
Support audit
Acquisition audit
Generally done before the decision to buy a business
A part of the ‘due diligence’ process
Usually done on smaller startups whose business is
based on a web site / web service
Typically more in-depth
Focuses on whatever business plans there are for the
system
Implementation verification audit
A customer wants to validate their vendor’s work on
their Drupal system
Usually pretty brief, done in collaboration with the
implementing vendor
Shouldn’t ever be done for a system that’s not finished,
unless it’s a strict architecture audit
Usually the client isn’t expecting major problems to be
found
Vendor management audit
A vendor management audit is usually done either to
switch vendors or because of problems with the current
vendor
Usually done without the knowledge of the current
vendor, and thus usually with limited documentation
and/or information
Might be either a very brief or a very thorough audit
Client expects to find problems in the implementation
Support audit
A very brief audit done to move the system to be
supported by the auditing partner
These are done with minimal resources, but must be
done well, because the vendor carries all the risks
The only type of audit where the auditing consultant
can learn from the experience, as all the details will be
revealed in the longer run
How it’s done
TIP #1: You always need the source code
Getting started
First and foremost: start taking notes from day 1
Secure the source code and a dump of the database
If the data is too private, ask for it to be obfuscated
Don’t ever settle for partial source code (just the
custom modules, for example)
They’ll be happy to leave the hacked core and the
“enhanced” contrib modules outside of the audit
Install the site
Whichever audit you’re doing, start by installing the site
It’s a learning experience, you’ll find out what’s missing
and what’s not documented
You’ll probably have to stop several times to ask for more
data, code, Varnish VCL configs, Apache rewrites, API
definitions (to create dummies) etc., so reserve enough
calendar time for this
Still worth the time - every time
TIP #2: You must understand the architecture
Architecture
Once installed, look at the architecture of the site
Usually Drupal sites are based on certain contrib
combinations to build functionality
Remember not to be biased
Architecture
Does it fit the purpose?
Is the site using Drupal as it should?
Are there custom parts where there’s a well-working
contrib available?
Is it overly complicated?
Architecture
Always make sure you understand the architecture
When the site is very complicated, integrated and
contains a lot of custom code, understanding the
architecture might take several days
You’ll just have to endure it, it’s the prerequisite for a
proper audit
Reading code
Reading code is not a big problem in regular Drupal
audits
There’s relatively little custom code to be read and
you can find where it is by running Hacked!
(https://drupal.org/project/hacked)
When there’s a lot of code, remember you can’t read it
all
Reading code
With limited time and too much code to read, focus on
the parts that matter
Security holes
Beginner mistakes
Performance problems
Looking for:
security holes?
Check for SSL login
Check for old contribs without security patches
Check whether all the custom parts go through the database
abstraction layer instead of building SQL by hand
Look for unsanitized user input being output in the UI
Don’t forget the JavaScript, there are a lot of XSS possibilities there
Look for API calls that send private data without HTTPS
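As an added illustration (not code from the presentation), here is a hypothetical Drupal 7 custom module, audit_demo, showing two of the findings on this checklist side by side: a page callback that concatenates request input into SQL and echoes it back unescaped, and the same feature written with the database abstraction layer’s placeholders and Drupal’s output escaping. The module name, path and function names are assumptions for the example.

```php
<?php
// Added example, not from the presentation. Hypothetical module "audit_demo".
// The _vulnerable variant is what an auditor flags; the _safe variant is the
// form the checklist asks for: database access through the abstraction layer
// and user input escaped before it reaches the UI.

/**
 * Implements hook_menu().
 * Only the safe callback is routed; the vulnerable one is kept for comparison.
 */
function audit_demo_menu() {
  $items['audit-demo/search'] = array(
    'title' => 'Search',
    'page callback' => 'audit_demo_search_page_safe',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * FINDING: raw request input reaches both the database and the page.
 * - The term is concatenated into the SQL string, so a quote in ?term=
 *   changes the query (SQL injection).
 * - The term and the titles are printed without escaping (reflected XSS
 *   from the term, stored XSS from user-supplied titles).
 * - Querying {node} directly ignores node access; unpublished content leaks.
 */
function audit_demo_search_page_vulnerable() {
  $term = isset($_GET['term']) ? $_GET['term'] : '';
  $titles = db_query("SELECT title FROM {node} WHERE title LIKE '%" . $term . "%'")->fetchCol();
  $output = '<h2>Results for ' . $term . '</h2><ul>';
  foreach ($titles as $title) {
    $output .= '<li>' . $title . '</li>';
  }
  return $output . '</ul>';
}

/**
 * HARDENED: same feature, written the way the checklist expects.
 */
function audit_demo_search_page_safe() {
  $term = isset($_GET['term']) ? $_GET['term'] : '';

  // A placeholder keeps the value out of the SQL text; db_like() escapes the
  // LIKE wildcards % and _ so the user cannot widen the pattern.
  $query = db_select('node', 'n')
    ->fields('n', array('title'))
    ->condition('n.status', 1)
    ->condition('n.title', '%' . db_like($term) . '%', 'LIKE')
    ->addTag('node_access');   // lets the node access system filter rows.
  $titles = $query->execute()->fetchCol();

  // t() with an @-placeholder runs check_plain() on the value, and every
  // title is escaped before being handed to the theme layer.
  $output = '<h2>' . t('Results for @term', array('@term' => $term)) . '</h2>';
  $output .= theme('item_list', array('items' => array_map('check_plain', $titles)));
  return $output;
}
```

When reading a custom module, the quick test is the one this pair illustrates: every value that came from the request should be visible either as a placeholder in a query builder call or inside check_plain()/filter_xss()/t() before it is concatenated into markup.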
Looking for:
beginner mistakes?
Look for code that bypasses Drupal’s APIs
Accessing the database directly (and tables the module
doesn’t own, at that)
Look for unnecessary custom modules (where good contribs
are available)
Look for the wrong hooks (e.g. hook_init instead of hook_cron
for work that only needs to be done rarely)
Looking for:
performance problems?
Check for static caches on time-consuming functions
Check the amount of processing done in hook_init
Look for slow backend APIs
Check the caching strategy
Look for unnecessary but very slow contrib modules
Look for misuse of contrib modules
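As an added example (not code from the presentation) covering both the beginner-mistake and the performance checklists above, here is a hypothetical Drupal 7 module, audit_demo, that needs a running total of product prices on many pages. The first function is the pattern an audit flags (heavy work in hook_init, direct queries against core and field tables, no caching); the rest is the same feature moved to hook_cron, routed through the entity and field APIs, and cached both per request and across requests. Module, field and function names are assumptions for the example.

```php
<?php
// Added example, not from the presentation. Hypothetical module "audit_demo".

/**
 * FINDING: the mistakes from both checklists in one function. Named
 * audit_demo_init() it would implement hook_init(), which runs on EVERY
 * request, so this heavy work runs on every page view although the total
 * changes rarely. It also reads core and field tables directly instead of
 * going through the node and field APIs, and caches nothing.
 */
function audit_demo_init_flagged() {
  $total = 0;
  $nids = db_query("SELECT nid FROM {node} WHERE type = 'product'")->fetchCol();
  foreach ($nids as $nid) {
    $total += (float) db_query(
      "SELECT field_price_value FROM {field_data_field_price} WHERE entity_id = :nid",
      array(':nid' => $nid))->fetchField();
  }
  $GLOBALS['audit_demo_total'] = $total;
}

/**
 * Implements hook_cron().
 * The total only needs refreshing rarely, so cron computes it and stores it
 * in the cache table; page views read the stored value instead.
 */
function audit_demo_cron() {
  cache_set('audit_demo_total', audit_demo_compute_total(), 'cache', CACHE_PERMANENT);
}

/**
 * The expensive computation, done through the entity and field APIs so it
 * keeps working when field storage or access rules change.
 */
function audit_demo_compute_total() {
  $total = 0;
  $query = new EntityFieldQuery();
  $result = $query->entityCondition('entity_type', 'node')
    ->entityCondition('bundle', 'product')
    ->propertyCondition('status', 1)
    ->execute();
  if (!empty($result['node'])) {
    foreach (node_load_multiple(array_keys($result['node'])) as $node) {
      $items = field_get_items('node', $node, 'field_price');
      if ($items) {
        $total += (float) $items[0]['value'];
      }
    }
  }
  return $total;
}

/**
 * Reader used by blocks and pages. Two cache layers:
 * - drupal_static() keeps the value for the rest of this request, so ten
 *   callers on one page cost one cache lookup;
 * - cache_get() serves it across requests; only a cold cache recomputes.
 */
function audit_demo_total() {
  $total = &drupal_static(__FUNCTION__);
  if (!isset($total)) {
    $cached = cache_get('audit_demo_total');
    if ($cached && isset($cached->data)) {
      $total = $cached->data;
    }
    else {
      $total = audit_demo_compute_total();
      cache_set('audit_demo_total', $total, 'cache', CACHE_PERMANENT);
    }
  }
  return $total;
}

/**
 * Implements hook_node_update().
 * Invalidate when a product changes so the next reader recomputes instead
 * of serving a stale total until the next cron run.
 */
function audit_demo_node_update($node) {
  if ($node->type == 'product') {
    cache_clear_all('audit_demo_total', 'cache');
    drupal_static_reset('audit_demo_total');
  }
}
```

The reviewer’s rule of thumb: anything in hook_init should be trivially cheap, anything expensive should be behind drupal_static() for the request and a cache bin across requests, and a direct query against a table the module does not own is a finding even when it happens to be fast.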
Social engineering
Talk to the original site developers whenever possible
They’ll tell you how it works and why it works like that
They might even point you to potential problems
Just be polite and friendly, especially in acquisition
audits - auditing is not about pissing people off
TIP #3: It’s not just the code
Installation and server configuration
A really professionally made site might still be deployed
by a total newbie
Always look at the production environment
You’ll need at least read access to the actual server
or a copy of all the relevant configuration files
There’s a lot to check for security, performance and
reliability
Installation and server configuration
Look at the PHP, httpd and PHP process manager
configurations
Opcode cache in use
PHP ‘scary options’ off
Apache/Nginx safely configured
MySQL and other databases
Replication configurations
Backups
Installation and server configuration
Check for open ports, services running, MySQL
passwords
Look at the sweet extras, memcache configuration,
Varnish VCLs, MongoDB, Redis, SOLR configurations
While you’re at it, make sure you check out the
SOLR schemas, too
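As an added example (not from the presentation), here is a small PHP script an auditor could run on the production host to list the PHP settings the slides call ‘scary options’ and to confirm an opcode cache is loaded. Which options count as scary is this example’s own assumption; the ini names and extension names are real PHP ones.

```php
<?php
// Added example, not from the presentation. Run as
//   php audit_php_config.php
// on the server being audited, or through "drush php-script".

/**
 * Expected values: TRUE means the option should be on, FALSE off.
 * This list is the example's assumption; extend it for the site at hand.
 */
function audit_php_expected_options() {
  return array(
    'register_globals'        => FALSE,  // request data becoming variables.
    'allow_url_include'       => FALSE,  // include() of remote code.
    'allow_url_fopen'         => FALSE,  // remote streams in file functions.
    'display_errors'          => FALSE,  // stack traces shown to visitors.
    'expose_php'              => FALSE,  // X-Powered-By version header.
    'session.cookie_httponly' => TRUE,   // session cookie hidden from scripts.
  );
}

/**
 * Compare live php.ini values with the expected list.
 * Returns an array of finding strings; empty means nothing to report.
 */
function audit_php_config() {
  $findings = array();
  foreach (audit_php_expected_options() as $option => $expected) {
    $raw = ini_get($option);
    if ($raw === FALSE) {
      // Option unknown to this PHP build (register_globals is gone since 5.4).
      continue;
    }
    $actual = filter_var($raw, FILTER_VALIDATE_BOOLEAN);
    if ($actual !== $expected) {
      $findings[] = sprintf('%s is %s, expected %s', $option,
        $actual ? 'on' : 'off', $expected ? 'on' : 'off');
    }
  }
  // Opcode cache: OPcache (PHP 5.5+) or APC on older builds.
  if (!extension_loaded('Zend OPcache') && !extension_loaded('apc')) {
    $findings[] = 'no opcode cache extension loaded';
  }
  elseif (extension_loaded('Zend OPcache')
    && !filter_var(ini_get('opcache.enable'), FILTER_VALIDATE_BOOLEAN)) {
    $findings[] = 'OPcache is loaded but opcache.enable is off';
  }
  return $findings;
}

$findings = audit_php_config();
if (!$findings) {
  echo "PHP configuration: nothing to report\n";
}
foreach ($findings as $finding) {
  echo "FINDING: $finding\n";
}
```

One caveat worth remembering when reading the output: the CLI and the web SAPI (mod_php or PHP-FPM) usually load different php.ini files, so run the check the way the web server runs PHP as well, or compare against the phpinfo() output of the live site, before writing the finding down. If the site genuinely needs allow_url_fopen, note why rather than treating it as a defect.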
Drupal configuration
Then take a look at the Drupal configuration
User roles and privileges
Registration and login settings
Caching settings
Contrib module settings; beware, there might be
some really scary ones
Custom module settings
Drupal configuration
SEO configurations, that’s easily forgotten
Cleanup for automatic imports or other automatically
growing data
Multisite configurations
Language configurations
etc...
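As an added example (not from the presentation), here is a script for the two Drupal configuration slides above, meant to be run with drush php-script against a Drupal 7 site: it reports dangerous privileges held by the anonymous and authenticated roles, the registration and login settings, the caching settings, and a core module whose settings deserve a second look (the PHP filter). The permission list and what counts as a finding are this example’s own assumptions; the variable names, constants and API calls are Drupal 7’s.

```php
<?php
// Added example, not from the presentation. Run with
//   drush php-script audit_drupal_config.php
// so the script executes after a full Drupal bootstrap.

/**
 * Permissions that should never be granted to the anonymous or
 * authenticated role (example's own list).
 */
function audit_dangerous_permissions() {
  return array(
    'administer users', 'administer permissions', 'administer modules',
    'administer site configuration', 'administer nodes', 'bypass node access',
    'administer filters', 'use PHP for settings',
  );
}

/**
 * Returns an array of finding strings; empty means nothing to report.
 */
function audit_drupal_config() {
  $findings = array();

  // User roles and privileges: every permission of the two built-in roles.
  $roles = array(
    DRUPAL_ANONYMOUS_RID => 'anonymous user',
    DRUPAL_AUTHENTICATED_RID => 'authenticated user',
  );
  $perms = user_role_permissions($roles);
  foreach ($roles as $rid => $name) {
    $granted = array_keys($perms[$rid]);
    foreach (array_intersect($granted, audit_dangerous_permissions()) as $perm) {
      $findings[] = "$name role has '$perm'";
    }
  }

  // Registration and login settings.
  $register = variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL);
  if ($register == USER_REGISTER_VISITORS) {
    $findings[] = 'visitors can register without administrator approval';
  }
  if (!variable_get('user_email_verification', TRUE)) {
    $findings[] = 'new accounts may set a password without e-mail verification';
  }

  // Caching settings.
  if (!variable_get('cache', 0)) {
    $findings[] = 'page cache for anonymous users is off';
  }
  if (!variable_get('block_cache', 0)) {
    $findings[] = 'block cache is off';
  }
  if (!variable_get('preprocess_css', 0) || !variable_get('preprocess_js', 0)) {
    $findings[] = 'CSS/JS aggregation is off';
  }

  // Module settings that deserve a second look.
  if (module_exists('php')) {
    $findings[] = 'PHP filter module is enabled (code execution from content)';
  }
  if (variable_get('error_level', ERROR_REPORTING_DISPLAY_ALL) != ERROR_REPORTING_HIDE) {
    $findings[] = 'PHP errors are displayed on pages';
  }

  return $findings;
}

foreach (audit_drupal_config() as $finding) {
  print "FINDING: $finding\n";
}
```

The point of scripting this rather than clicking through the admin pages is that the same script runs unchanged against the client’s copy and against production, so differences between the two (the ‘deployed by a total newbie’ case from the earlier slide) show up as a diff of two short lists.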
TIP #4: A quick benchmark never hurt anyone
Performance
Depending on the audit, performance is just a part of
the audit, or the main focus of the audit
In acquisition audits, performance issues are usually
very important
Performance
But even in the normal case, a quick benchmark is in
order
Just run a couple of pages as an anonymous user and as a
logged-in user through a benchmarking tool (ab, siege),
and profile the backend (xdebug, xhprof) under load in a
separate benchmark run
You’ll see the bottlenecks immediately and get an
idea if the site is slower than normal, or properly
optimized
TIP #5: Auditing is a gentleman’s game
Reporting
Usually one or two written reports are produced as an
output
Two written reports are needed when we need a
technical and a non-technical report
Frequently they contain parts of code or runtime grinds,
but sometimes the NDA bans that (possible in
acquisition audits)
Reporting
The usual audit document is divided into three parts
Introduction: explains the system, its architecture and
platform, modules and implementation on a high level
Findings: lists all the findings, usually also mentions
the stuff that was okay, but focuses on the problems
Improvement suggestions: lists all the suggested
improvements for the problems listed in the previous
chapter
Don’t bash!
Never bash the vendor who implemented the system
Just list the problems neutrally
You’ll be on the receiving end at some point and you’ll
appreciate an auditor who understands that there are different
circumstances in which Drupal systems are made - some
harder than others
Auditing is a gentleman’s game
We’re a small community of professionals and there’s no
need to sell by bashing others
TIP #6: List only real findings
List only real findings
What if you can’t find anything?
Did you remember to manage customer
expectations?
Never exaggerate problems!
If you can’t find anything, then you don’t list anything!
TIP #7: Audits need to be done by an expert
Business of an audit
The time needed for a Drupal audit is very hard to
estimate
Ranging from 2 man-days to 30 man-days
Pricing is usually by the hour, and goes by the pricing
of the most experienced consultant
For support audits the time is usually very limited
Who can do an audit?
The person doing the audit needs to be a real expert
In Drupal audits, Drupal skills are not enough: the
person needs to have rock-solid programming skills,
especially in PHP
Also, experience in integrations, high-performance and
security is hugely beneficial
TIP #8: Get a reference - if you can
Any references?
The most problematic part in selling Drupal audits is
getting proper public references so that you are credible
Auditing is a subtle business, so make sure you read
the NDA
Selling audits
When your customer is changing vendors, from
someone to you, you should try and sell an audit
It’s for your own security - you never know what
you’re getting into
Same goes for taking an existing site into support:
always demand an audit as a part of the support deal
Selling audits
Never promise you’ll find anything wrong in an audit -
you don’t know that
Never promise you’ll find everything that’s wrong with
the system during an audit - nobody can guarantee
that
I can only guarantee you’ll miss something
A quick recap
Recap
Get the source code, you need it, all of it
Get the configuration or get access to production
Understand the architecture
Optimize code reading, read only code that matters
Remember to test the performance
Be a gentleman
Only list real findings
Thank you!
Questions?
Locate this session at the
DrupalCon Prague website:
http://prague2013.drupal.org/schedule
Zilliz
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
marufrahmanstratejm
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
Intelisync
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 

Recently uploaded (20)

dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 

Auditing Drupal Sites

  • 1. Business + Strategy · Kalle Varisvirta · 24 September 2013
    AUDITING DRUPAL SITES
  • 2. Prerequisites?
    Basic knowledge of Drupal and its architecture
    Understanding the business around Drupal
  • 3. What you’ll learn in this session?
    Why are Drupal audits done?
    How are they done (including some technical details)?
    What’s the business of Drupal audits?
  • 4. What’s an audit?
    An audit is a run-through of the implementation of a site
    Audits are done for many different reasons, so the actual process of doing an audit varies
  • 5. Why are audits done? Audit types:
    Acquisition audit
    Implementation verification audit
    Vendor management audit
    Support audit
  • 6. Acquisition audit
    Generally done before the decision to buy a business
    A part of the ‘due diligence’ process
    Usually done on smaller startups whose business is based on a web site / web service
    Typically more in-depth
    Focuses on whatever business plans there are for the system
  • 7. Implementation verification audit
    A customer wants to validate their vendor’s work on their Drupal system
    Usually pretty brief, done in collaboration with the implementing vendor
    Should never be done on a system that isn’t finished, unless it’s a strict architecture audit
    Usually the client isn’t expecting major problems to be found
  • 8. Vendor management audit
    Usually done either to switch vendors or because of problems with the current vendor
    Usually done without the knowledge of the current vendor, and thus with limited documentation and/or information
    Might be either very brief or very thorough
    The client expects problems to be found in the implementation
  • 9. Support audit
    A very brief audit done to move the system under the support of the auditing partner
    Done with minimal resources, but must be done well, because the vendor carries all the risks
    The only type of audit where the auditing consultant can learn from the experience, as all the details will be revealed in the long run
  • 11. TIP #1: You always need the source code
  • 12. Getting started
    First and foremost: start taking notes from day 1
    Secure the source code and a dump of the database
    If the data is too private, ask for it to be obfuscated
    Never settle for partial source code (for example, just the custom modules)
    They’ll be happy to leave the hacked core and “enhanced” contrib modules outside of the audit
  • 13. Install the site
    Whichever audit you’re doing, start by installing the site
    It’s a learning experience: you’ll find out what’s missing and what’s not documented
    You’ll probably have to stop several times to ask for more data, code, Varnish VCL configs, Apache rewrites, API definitions (to create dummies) etc., so reserve enough calendar time for this
    Still worth the time, every time
  • 14. TIP #2: You must understand the architecture
  • 15. Architecture
    Once installed, look at the architecture of the site
    Drupal sites are usually built on certain combinations of contrib modules
    Remember not to be biased
  • 16. Architecture
    Does it fit the purpose?
    Is the site using Drupal as it should be used?
    Are there custom parts where a well-working contrib module is available?
    Is it overly complicated?
  • 17. Architecture
    Always make sure you understand the architecture
    When the site is very complicated, heavily integrated and contains a lot of custom code, understanding the architecture might take several days
    You’ll just have to endure it; it’s the prerequisite for a proper audit
  • 18. Reading code
    Reading code is not a big problem in regular Drupal audits
    There’s relatively little custom code to read, and you can find where it is by running Hacked! (https://drupal.org/project/hacked), which diffs core and contrib against the pristine releases
    When there’s a lot of code, remember you can’t read it all
  • 19. Reading code
    With limited time and too much code to read, focus on the parts that matter:
    Security holes
    Beginner mistakes
    Performance problems
  • 20. Looking for: security holes?
    Check that login happens over HTTPS (SSL/TLS), not plain HTTP
    Check for outdated contrib modules with unapplied security releases
    Check that all custom code goes through Drupal’s database abstraction layer (placeholders in db_query(), db_select()) instead of building SQL from strings
    Look for unsanitized input ending up in the UI (output should pass through check_plain() or filter_xss(), or be rendered via the theme layer)
    Don’t forget the JavaScript; there are a lot of XSS possibilities there
    Look for API calls that carry private data without HTTPS
  • 21. Looking for: beginner mistakes?
    Look for unclean access to Drupal internals
    Accessing the database directly (and not just the module’s own tables)
    Look for unnecessary custom modules (where good contrib modules are available)
    Look for the wrong hooks (e.g. hook_init instead of hook_cron for work that only needs to be done rarely)
  • 22. Looking for: performance problems?
    Check for static caches on time-consuming functions
    Check the amount of processing done in hook_init (it runs on every request)
    Look for slow backend APIs
    Check the caching strategy
    Look for unnecessary but very slow contrib modules
    Look for misuse of contrib modules
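The three “looking for” lists above are what an auditor greps a custom module tree for before reading anything in full. The script below is an added example, not code from the talk or from any Drupal project: a pattern-based triage pass over a constructed sample module that carries one of each finding (SQL built from a string, a raw superglobal, unescaped output, a plain-http API call, and a hook_init that does heavy work). It assumes Drupal 7 API names (db_query, drupal_set_message, drupal_http_request, hook_init) and the usual sites/all/modules/custom layout; the regexes are heuristics written for this example and point you at lines to read, they do not prove a vulnerability.

```shell
#!/usr/bin/env bash
# Added example (not from the talk): grep-based triage of custom Drupal 7
# module code for the patterns slides 20-22 tell the auditor to look for.
# Assumes Drupal 7 API names and the sites/all/modules/custom layout.

# One pattern per line, "label@extended-regex". Heuristics for this example;
# tune them to the code base under audit.
audit_patterns() {
  cat <<'EOF'
sql-from-string@db_query\((.*["'][[:space:]]*\.[[:space:]]*\$|[[:space:]]*"[^"]*\$[a-zA-Z_])
raw-superglobal@\$_(GET|POST|REQUEST|COOKIE)\[
unescaped-output@drupal_set_message\([[:space:]]*\$[a-zA-Z_]+[[:space:]]*\)
plain-http-api@(drupal_http_request|curl_init|file_get_contents)\([[:space:]]*["']http://
hook-init-present@^function[[:space:]]+[a-z0-9_]+_init[[:space:]]*\(
EOF
}

# Print "label:file:line:source" for every hit under directory $1.
scan_custom_code() {
  dir=$1
  audit_patterns | while IFS='@' read -r label regex; do
    [ -n "$label" ] || continue
    hits=$(grep -rEn --include='*.module' --include='*.inc' --include='*.php' \
             -e "$regex" "$dir" || true)
    if [ -n "$hits" ]; then
      printf '%s\n' "$hits" | sed "s/^/$label:/"
    fi
  done
  return 0
}

# Constructed sample module with deliberate findings and one safe query.
# Prints the root of the throwaway site tree it creates.
make_sample_module() {
  root=$(mktemp -d)
  mod="$root/sites/all/modules/custom/demo_audit"
  mkdir -p "$mod"
  cat > "$mod/demo_audit.module" <<'PHP'
<?php
// Constructed sample for the audit scanner; not a real module.

function demo_audit_init() {
  // Runs on every request: candidate for hook_cron instead.
  demo_audit_rebuild_report_cache();
}

function demo_audit_lookup($name) {
  // SQL built by string concatenation: injectable.
  return db_query("SELECT nid FROM {node} WHERE title = '" . $name . "'")->fetchField();
}

function demo_audit_lookup_safe($name) {
  // Abstraction layer with a placeholder: the form the auditor wants to see.
  return db_query("SELECT nid FROM {node} WHERE title = :title", array(':title' => $name))->fetchField();
}

function demo_audit_page() {
  $q = $_GET['q'];
  drupal_set_message($q);
  $r = drupal_http_request('http://api.example.invalid/profile?uid=' . $GLOBALS['user']->uid);
  return '<p>' . check_plain($q) . '</p>';
}
PHP
  echo "$root"
}

# Offline demonstration; on a real audit point scan_custom_code at the
# site's sites/all/modules/custom (or at what Hacked! flagged as changed).
DEMO_ROOT=$(make_sample_module)
scan_custom_code "$DEMO_ROOT"
```

The safe query in the sample produces no hit, which is the point of the check: a placeholder query looks different from a concatenated one. For the “old contribs without security patches” item, `drush pm-updatestatus --security-only` (drush 6 or 7) lists enabled projects with pending security releases and is faster than reading version strings by hand.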
  • 23. Social engineering
    Talk to the original site developers whenever possible
    They’ll tell you how it works and why it works like that
    They might even point you to potential problems
    Just be polite and friendly, especially in acquisition audits; auditing is not about pissing people off
  • 24. TIP #3: It’s not just the code
  • 25. Installation and server configuration
    A really professionally made site might still be deployed by a total newbie
    Always look at the production environment
    You’ll need at least read access to the actual server or a copy of all the relevant configuration files
    There’s a lot to check for security, performance and reliability
  • 26. Installation and server configuration
    Look at the PHP, httpd and PHP process manager configurations:
    Opcode cache in use
    PHP ‘scary options’ off (e.g. allow_url_include, register_globals, display_errors in production)
    Apache/Nginx safely configured
    MySQL and other databases
    Replication configurations
    Backups
  • 27. Installation and server configuration
    Check for open ports, running services and MySQL passwords
    Look at the sweet extras: memcache configuration, Varnish VCLs, MongoDB, Redis and Solr configurations
    While you’re at it, make sure you check the Solr schemas, too
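Slides 26 and 27 are a checklist; most of it can be run mechanically against the configuration copies the auditor obtained. The script below is an added example, not from the talk: it checks a php.ini for the ‘scary options’ and the opcode cache, and carries two live-host checks (listening ports, MySQL root with no password) for when you have shell access. The directive list and the on/off policy are this example’s own choices based on common PHP hardening practice; the Linux tool names (ss, netstat, mysql) and the sample php.ini fragment are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not from the talk): mechanical checks for slides 26-27, run
# against the production config files (or read access) the auditor obtained.
# The directive list and on/off policy are this example's own choices.

# Directive@wanted value. register_globals is gone in PHP 5.4+, but a host
# of that era may still run 5.3, so it stays on the list.
php_ini_policy() {
  cat <<'EOF'
allow_url_include@off
allow_url_fopen@off
register_globals@off
display_errors@off
expose_php@off
opcache.enable@on
EOF
}

# Normalise php.ini booleans: On/1/true -> on, Off/0/false/empty -> off.
norm_bool() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    on|1|true|yes) echo on ;;
    off|0|false|no|none|'') echo off ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# Print one OK/FAIL/UNSET line per policy directive for the php.ini at $1.
# The last assignment wins, as in PHP; trailing ';' comments are ignored.
check_php_ini() {
  ini=$1
  php_ini_policy | while IFS='@' read -r key want; do
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    line=$(grep -E "^[[:space:]]*$esc[[:space:]]*=" "$ini" | tail -n 1)
    if [ -z "$line" ]; then
      echo "UNSET $key (want $want; verify the compiled-in default with php -i)"
      continue
    fi
    raw=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*;.*$//; s/[[:space:]]*$//')
    have=$(norm_bool "$raw")
    if [ "$have" = "$want" ]; then
      echo "OK $key=$have"
    else
      echo "FAIL $key=$have (want $want)"
    fi
  done
}

# Live-host checks for slide 27 (Linux tools; run only on the audited server).
check_listening_ports() {
  if command -v ss >/dev/null 2>&1; then ss -tlnp
  elif command -v netstat >/dev/null 2>&1; then netstat -tlnp
  else echo "neither ss nor netstat available"; fi
}

check_mysql_blank_password() {
  # A successful login here is the finding.
  if mysql -u root --password= -e 'SELECT 1' >/dev/null 2>&1; then
    echo "FAIL mysql root logs in with an empty password"
  else
    echo "OK mysql root rejects an empty password (or mysql is unreachable)"
  fi
}

# Constructed php.ini fragment with typical "deployed by a newbie" mistakes.
make_sample_php_ini() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
; constructed sample, not a real production php.ini
engine = On
expose_php = On
display_errors = On   ; left on after debugging
allow_url_fopen = On
allow_url_include = Off
opcache.enable = 0
EOF
  echo "$f"
}

# Offline demonstration; on a real audit pass the copied php.ini (and the
# php-fpm pool's php_admin_value overrides, which take precedence).
check_php_ini "$(make_sample_php_ini)"
```

The sample produces four FAIL lines, one OK and one UNSET. Treat UNSET as “go and look”: the compiled-in default for a directive depends on the PHP build, and the PHP-FPM pool configuration can override php.ini without the file showing it.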
  • 28. Drupal configuration
    Then take a look at the Drupal configuration:
    User roles and permissions
    Registration and login settings
    Caching settings
    Contrib module settings (beware, there might be some really scary ones)
    Custom module settings
  • 29. Drupal configuration
    SEO configuration, which is easily forgotten
    Cleanup for automatic imports or other automatically growing data
    Multisite configuration
    Language configuration
    etc.
  • 31. Performance
    Depending on the audit, performance is either just one part of the audit or its main focus
    In acquisition audits, performance issues are usually very important
  • 32. Performance
    But even in the normal case, a quick benchmark is in order
    Just run a couple of pages as an anonymous user and as a logged-in user with a benchmarking tool (ab, siege), and profile the backend (xdebug, xhprof) under load on a separate benchmark run
    You’ll see the bottlenecks immediately and get an idea of whether the site is slower than normal or properly optimized
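The quick benchmark on slide 32, as an added example that is not part of the talk: Apache Bench run once anonymously and once with a logged-in session, a parser that reduces ab’s report to the few numbers worth quoting, and a sanity check comparing the two runs. The example assumes ab is installed, that the logged-in run is made by replaying a real Drupal session cookie (SESS<hash>=<sid>) copied from a browser, and that the URL, cookie and the embedded ab output are placeholders constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the talk): the quick benchmark from slide 32 with
# Apache Bench, anonymous and logged-in, plus a parser for the report.
# The URL, cookie and sample ab output are constructed for this example.

# 200 requests, 10 concurrent, keep-alive. With a cookie set, every request
# goes through Drupal's full bootstrap instead of the anonymous page cache.
bench_page() {
  url=$1
  cookie=${2:-}
  if [ -n "$cookie" ]; then
    ab -n 200 -c 10 -k -H "Cookie: $cookie" "$url"
  else
    ab -n 200 -c 10 -k "$url"
  fi
}

# Reduce ab's report (on stdin) to one line: throughput, mean latency, errors.
# Non-2xx responses are counted separately: a fast run of 403 or 500 pages
# proves nothing about the site.
summarize_ab() {
  awk -F: '
    /^Requests per second/            { split($2, a, " "); rps = a[1] }
    /^Time per request:/ && !/across/ { split($2, a, " "); mean = a[1] }
    /^Failed requests/                { split($2, a, " "); failed = a[1] }
    /^Non-2xx responses/              { split($2, a, " "); non2xx = a[1] }
    END { printf "rps=%s mean_ms=%s failed=%d non2xx=%d\n", rps, mean, failed + 0, non2xx + 0 }'
}

# Compare anonymous and logged-in throughput. If anonymous pages are not
# clearly faster, the page cache (or the reverse proxy in front of it) is
# probably not doing its job. The factor 2 is this example's rule of thumb.
cache_hint() {
  anon_rps=$1
  auth_rps=$2
  awk -v a="$anon_rps" -v b="$auth_rps" 'BEGIN {
    if (b > 0 && a / b < 2)
      print "WARN anonymous pages barely faster than logged-in: check page cache / Varnish";
    else
      print "OK anonymous page cache appears effective";
  }'
}

# Constructed ab output, used to demonstrate the parser offline.
sample_ab_output() {
  cat <<'EOF'
Server Software:        Apache/2.2.22
Concurrency Level:      10
Time taken for tests:   4.120 seconds
Complete requests:      200
Failed requests:        0
Non-2xx responses:      3
Requests per second:    48.54 [#/sec] (mean)
Time per request:       206.000 [ms] (mean)
Time per request:       20.600 [ms] (mean, across all concurrent requests)
EOF
}

# Offline demonstration. On a real audit run, for a couple of pages:
#   bench_page http://site.example/node/1 | summarize_ab
#   bench_page http://site.example/node/1 'SESSd41d8cd9=abc123' | summarize_ab
sample_ab_output | summarize_ab
cache_hint 48.54 45.10
cache_hint 480.00 45.10
```

Do the profiling on a separate run, as the slide says: with the Devel module’s XHProf integration switched on (check the variable name against the Devel version in use; it is `devel_xhprof_enabled` in Devel 7.x), every request writes a profile, which both slows the numbers and gives you the call tree for the slow pages the benchmark identified.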
  • 33. TIP #5: Auditing is a gentleman’s game
  • 34. Reporting
    Usually one or two written reports are produced as the output
    Two written reports are needed when both a technical and a non-technical report are required
    They frequently contain code excerpts or runtime profiles, but sometimes the NDA forbids that (possible in acquisition audits)
  • 35. Reporting
    The usual audit document is divided into three parts:
    Introduction: explains the system, its architecture and platform, modules and implementation on a high level
    Findings: lists all the findings, usually also mentioning what was okay, but focuses on the problems
    Improvement suggestions: lists the suggested improvements for the problems listed in the previous chapter
  • 36. Don’t bash!
    Never bash the vendor who implemented the system
    Just list the problems neutrally
    You’ll be on the receiving end at some point, and you’ll appreciate an auditor who understands that Drupal systems are made under different circumstances, some harder than others
    Auditing is a gentleman’s game
    We’re a small community of professionals, and there’s no need to sell by bashing others
  • 37. TIP #6: List only real findings
  • 38. List only real findings
    What if you can’t find anything? Did you remember to manage customer expectations?
    Never exaggerate problems!
    If you can’t find anything, then you don’t list anything!
  • 39. TIP #7: Audits need to be done by an expert
  • 40. Business of an audit
    The time needed for a Drupal audit is very hard to estimate, ranging from 2 to 30 person-days
    Pricing is usually by the hour, at the rate of the most experienced consultant
    For support audits the time is usually very limited
  • 41. Who can do an audit?
    The person doing the audit needs to be a real expert
    In Drupal audits, Drupal skills are not enough: the person needs rock-solid programming skills, especially in PHP
    Experience in integrations, high performance and security is also hugely beneficial
  • 42. TIP #8: Get a reference, if you can
  • 43. Any references?
    The most problematic part of selling Drupal audits is getting proper public references to be credible
    Auditing is a subtle business, so make sure you read the NDA
  • 44. Selling audits
    When a customer is changing vendors, from someone else to you, you should try to sell an audit
    It’s for your own security: you never know what you’re getting into
    The same goes for taking an existing site into support; always demand an audit as part of the support deal
  • 45. Selling audits
    Never promise you’ll find something wrong in an audit; you don’t know that
    Never promise you’ll find everything that’s wrong with the system during an audit; nobody can guarantee that
    I can only guarantee you’ll miss something
  • 47. Recap
    Get the source code; you need it, all of it
    Get the configuration or get access to production
    Understand the architecture
    Optimize code reading: read only the code that matters
    Remember to test the performance
    Be a gentleman
    Only list real findings
  • 49. THANK YOU! WHAT DID YOU THINK?
    Locate this session at the DrupalCon Prague website: http://prague2013.drupal.org/schedule
    Click the “Take the survey” link