You may have seen news that potentially millions of Drupal users are at risk of cyber attacks after issues with the Drupal update process have mean that its installations could be out of data and listing unpatched platforms as current. John Smith, principal solution architect at Veracode have the following comments on it.
[su_note note_color=”#ffffcc” text_color=”#00000″]John Smith, Principal Solutions Architect at Veracode :
“It is highly concerning that potentially millions of sites have been left vulnerable to attack through issues with Drupal’s update process. Applying security patches to software in a timely fashion is an essential part of any good security management process and when this becomes unreliable it leaves users with an unknown and unmanaged risk in their environment.
Amongst the Drupal community this will be an even more sensitive issue after many such websites were breached in 2014 within hours of disclosure of a SQL injection vulnerability, a common application vulnerability which for over a decade has been listed at the top of the industry standard OWASP Top 10. In those cases the sites that were compromised were ones that had failed to apply a critical security patch but unfortunately now, due to failures with its update process, even its most security conscious users are at risk of being compromised. With the shadow of Heartbleed still hanging over the open source community, it is essential that Drupal can assure its customers that all patches are up to scratch and can be deployed with confidence.
Web application attacks remain one of the most frequent patterns in confirmed breaches and account for up to 35% of breaches in some industries according to the 2015 Verizon Data Breach Investigations Report.
Leaving websites unknowingly unpatched leaves millions of users – let alone customers’ whose information is stored by said websites – at risk. It is essential that this issue is actively communicated throughout the Drupal community so that all website owners can take the necessary manual steps to ensure that all patches are downloaded and installed to ensure that their sites are truly secure. ”[/su_note][su_box title=”About Veracode” style=”noise” box_color=”#336588″]
Veracode is a leader in securing web, mobile and third-party applications for the world’s largest global enterprises. By enabling organizations to rapidly identify and remediate application-layer threats before cyberattackers can exploit them, Veracode helps enterprises speed their innovations to market – without compromising security.Veracode’s powerful cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures.Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes’ 100 Most Valuable Brands.[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.