Drupal Security:
There is a Mini-DrupalGeddon
every week & how to survive it
Michael Schmid & Manuel Pistner
Michael Schmid
CTO at Amazee Group
(amazee.io, Amazee Labs, Amazee Metrics)
Welcome
The security process
Manuel Pistner, CEO at Drop Guard
How a security patch is released
● User submits patch on special issue queue
● Security team reviews it
● Security team contacts maintainer
● Patch released by security team & maintainer
Security patch release
● patch is publicly available
● conspicuous vulnerability
→ attackers now know how & where to hit
the affected versions
● site update needed in time!
The security levels
● Not Critical: scores between 0 and 4
● Less Critical: 5 to 9
● Moderately Critical: 10 to 14
● Critical: 15 to 19
● Highly Critical: 20 to 25
0 day release idea
Why do we need to update?
Update even modules that are
not enabled!
DrupalGeddon:
first attacks just 7h after
security update release
Drupal 8 & Front-End
Build systems:
external libraries
Every external library pulled into a build
is its own attack surface and
needs to be tracked and patched individually
How to stay informed
● Drupal.org
● Newsletter/ Mailinglists
● RSS Feed
● Social media (Twitter, LinkedIn..)
Manual process
● “drush updb”, check patched core/ modules
● Manual QA
● Ticketing system
● Stakeholder communication
● Deployments
● and so on!
How it feels:
And now:
Do this in 7 hours.
At 4 am.
With 100 sites.
The solution:
Automate every piece of it
the attackers are automating too
Needs for automation
● Monitoring
○ Current Module Version
○ Available Module Version, plus security level
● Patching
○ Regular Patching, Patch detection, Composer,
Git Submodules
○ Failure Handling -> Ticketing system
● Git support
○ Push into different Git branches based on
security level
Needs for automation
● Testing
○ Integration into Continuous Integration System
● Fully Automated Deployments
○ Running Deployment tasks
● Reporting
○ Ticketing system
Our solution
Drop Guard Monitoring
● Installed Drop Guard Module on each production site
● Monitors each Module for version
● Compares to available Modules from drupal.org
Drop Guard Patching
● If new Module version available
○ Check against security levels
○ Automated applying of security patch to
Core or Contrib Module
○ Commits into Git production branch
● Supports plain code, git submodules,
composer
● Reports into Jira (errors or success)
amazee.io deployments
● Fully automatic deployment on every
new push to a branch
● Possible deployment tasks
○ drush updb, etc.
Drop Guard / amazee.io process
● different processes based on security
levels
● non-highly-critical patches applied to
a separate branch
● amazee.io syncs database and files from
production to the testing site
● after testing is done, manual merge into
the production branch
Automated testing
● visual regression testing
● Unit Testing inside Docker containers
Demo
Highly Critical
directly to production (master)
Critical
to dropguard branch (with sync)
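The monitoring, level check and branch routing described in the "Needs for automation" and "Drop Guard / amazee.io process" slides, as an added example (not Drop Guard's or amazee.io's own code). It assumes the deck's level table and branch policy (Highly Critical straight to master, everything else to a dropguard branch), patches disabled modules as well, and turns unparseable versions into tickets; the module inventory, fix versions and risk scores are constructed, not real advisory data.

```python
import re
from dataclasses import dataclass

# Security levels exactly as the deck lists them (Drupal risk score 0-25).
LEVELS = (
    (0, 4, "Not Critical"),
    (5, 9, "Less Critical"),
    (10, 14, "Moderately Critical"),
    (15, 19, "Critical"),
    (20, 25, "Highly Critical"),
)

PRODUCTION_BRANCH = "master"   # Highly Critical: deploy immediately
STAGING_BRANCH = "dropguard"   # everything else: sync, test, merge manually

# Drupal-style versions: '7.x-1.10', '7.x-1.5-beta2', '8.1.10'
_VERSION_RE = re.compile(r"^(?:(\d+)\.x-)?(\d+(?:\.\d+)+)(?:-([a-z]+)(\d*))?$")


def security_level(score: int) -> str:
    """Map a risk score to the deck's level names."""
    for low, high, name in LEVELS:
        if low <= score <= high:
            return name
    raise ValueError(f"risk score outside 0-25: {score}")


def parse_version(version: str) -> tuple:
    """Comparable tuple: numbers compare as ints (1.10 > 1.9) and a pre-release
    (alpha/beta/rc) sorts below the final release. Dev snapshots such as
    '7.x-3.x-dev' are rejected: nobody can tell whether they contain the fix."""
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"cannot compare version {version!r}")
    core, numbers, tag, tag_number = match.groups()
    release = (1,) if tag is None else (0, tag, int(tag_number or 0))
    return (int(core or 0), tuple(int(n) for n in numbers.split(".")), release)


@dataclass(frozen=True)
class InstalledModule:
    name: str
    version: str
    enabled: bool


@dataclass(frozen=True)
class Advisory:
    module: str
    fixed_in: str
    risk_score: int


def target_branch(level: str) -> str:
    return PRODUCTION_BRANCH if level == "Highly Critical" else STAGING_BRANCH


def plan_updates(modules, advisories):
    """Return (actions, tickets): an action per module that needs the patch,
    a ticket per module whose version cannot be evaluated automatically."""
    by_module = {a.module: a for a in advisories}
    actions, tickets = [], []
    for mod in modules:
        advisory = by_module.get(mod.name)
        if advisory is None:
            continue
        try:
            outdated = parse_version(mod.version) < parse_version(advisory.fixed_in)
        except ValueError as err:
            tickets.append(f"{mod.name}: {err}")  # failure handling -> ticketing
            continue
        if not outdated:
            continue
        level = security_level(advisory.risk_score)
        # A disabled module still ships its code on the site, so it is patched too.
        actions.append({"module": mod.name, "from": mod.version, "to": advisory.fixed_in,
                        "level": level, "branch": target_branch(level),
                        "enabled": mod.enabled})
    return actions, tickets


# Constructed sample inventory and advisories (hypothetical values, not real SAs).
SITE_MODULES = [
    InstalledModule("views", "7.x-3.13", enabled=True),
    InstalledModule("ctools", "7.x-1.9", enabled=False),
    InstalledModule("token", "7.x-1.6", enabled=True),
    InstalledModule("panels", "7.x-3.x-dev", enabled=True),
]
ADVISORIES = [
    Advisory("views", fixed_in="7.x-3.14", risk_score=22),
    Advisory("ctools", fixed_in="7.x-1.10", risk_score=16),
    Advisory("token", fixed_in="7.x-1.6", risk_score=12),
    Advisory("panels", fixed_in="7.x-3.6", risk_score=9),
]

if __name__ == "__main__":
    found, open_tickets = plan_updates(SITE_MODULES, ADVISORIES)
    for a in found:
        print(f"{a['module']}: {a['from']} -> {a['to']} [{a['level']}] push to {a['branch']}")
    for ticket in open_tickets:
        print("TICKET:", ticket)
```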
FIND US
there will be demos!
Drop Guard - Booth #105
amazee.io - Booth #700
JOIN US FOR
CONTRIBUTION SPRINTS
First Time Sprinter Workshop - 9:00-12:00 - Room Wicklow 2A
Mentored Core Sprint - 9:00-18:00 - Wicklow Hall 2B
General Sprints - 9:00 - 18:00 - Wicklow Hall 2A
Evaluate This Session
THANK YOU!
events.drupal.org/dublin2016/schedule
WHAT DID YOU THINK?