You may have seen news that potentially millions of Drupal users are at risk of cyber attacks after issues with the Drupal update process meant that installations could be out of date while listing unpatched platforms as current. John Smith, Principal Solution Architect at Veracode, has the following comments on it.
John Smith, Principal Solutions Architect at Veracode:
“It is highly concerning that potentially millions of sites have been left vulnerable to attack through issues with Drupal’s update process. Applying security patches to software in a timely fashion is an essential part of any good security management process and when this becomes unreliable it leaves users with an unknown and unmanaged risk in their environment.
Amongst the Drupal community this will be an even more sensitive issue after many such websites were breached in 2014 within hours of disclosure of a SQL injection vulnerability, a common application vulnerability which for over a decade has been listed at the top of the industry standard OWASP Top 10. In those cases the sites that were compromised were ones that had failed to apply a critical security patch but unfortunately now, due to failures with its update process, even its most security conscious users are at risk of being compromised. With the shadow of Heartbleed still hanging over the open source community, it is essential that Drupal can assure its customers that all patches are up to scratch and can be deployed with confidence.
Web application attacks remain one of the most frequent patterns in confirmed breaches and account for up to 35% of breaches in some industries according to the 2015 Verizon Data Breach Investigations Report.
Leaving websites unknowingly unpatched leaves millions of users – let alone customers whose information is stored by said websites – at risk. It is essential that this issue is actively communicated throughout the Drupal community so that all website owners can take the necessary manual steps to ensure that all patches are downloaded and installed to ensure that their sites are truly secure.”