Drupal & Security Updates: Painful, Painless, or Oblivious?

Isovera Staff
Published in Isovera
Apr 11, 2018

Drupal is a popular content management system. It’s also open source software which means any part of it can be freely customized. This flexibility makes it an ideal foundation for impressive projects.

Drupal is a polished, sophisticated system and, like any system, it needs regular maintenance to deliver peak performance — but its open nature means installing maintenance updates isn’t as simple as clicking an update button.

“There’s a misconception with websites. Software is a living thing. It’s not the kind of thing that you just do once and you’re done,” says Aaron Manire, Director of Web Development at Isovera. “When you go to the shelter and you buy a puppy, you’re not just paying for the cost of the puppy; you have to take into account the lifetime cost of the puppy, like shots and food and such. It’s an ongoing commitment, and a website works the same way.”

Updates to the core CMS and to contributed modules are regularly released by the Drupal organization and its members to fix bugs, improve the system, and occasionally patch vulnerabilities.

Most Drupal vulnerabilities are highly situational: they are found in particular combinations of modules or unusual configurations, and the resulting exposure is limited.

Occasionally, though rarely, a significant security risk is discovered.

The Problem

While performing a security audit, Finnish developer and security researcher Jasper Mattsson uncovered a significant vulnerability. What made it so dangerous was the low bar for exploitation: an anonymous user could visit any page on the site and, by exploiting this vulnerability, gain access to all the data within the site and modify, delete, or steal it. Mattsson reached out to the Drupal security team, who quickly announced to the Drupal community that a highly critical Drupal core update would be released a few days later, on March 28, 2018.

Our Response

The urgency of the latest security update was underscored by the early announcement that a critical vulnerability had been discovered and a patch was forthcoming (an unusual step for security announcements). Isovera met as a team and implemented a standard plan to notify current and previous clients about the pending security update and to execute security updates across all of our supported sites within a 24-hour period.

Project managers for every client were briefed on the update, and communication plans were put in place to educate clients, convey the update plan, and report on the progress. For projects where we no longer had any active development, we also reached out to make sure less active clients were covered.

When the announcement was released and the patch was available, our team went to work. Many of the websites were patched within a few hours of the release.
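Rolling a critical update across a whole fleet in 24 hours only works if you can see, at any moment, which sites are still on a vulnerable release. The following is an added example in Python (not Isovera's tooling and not part of the original post): it reads the installed core version from each site's docroot, using the real locations of the version constant in Drupal 8 (core/lib/Drupal.php) and Drupal 7 (includes/bootstrap.inc), and reports which sites still sit below the fixed release for their branch. The site names, docroots and all version numbers, including the "fixed" minimums, are constructed for the demo; in practice the minimums come from the security advisory.

```python
"""Fleet-wide check of installed Drupal core versions during a security roll-out."""
import os
import re
import tempfile
from typing import Dict, Optional, Tuple

# Real locations of the core version constant in Drupal 8 and Drupal 7 code bases.
VERSION_SOURCES = (
    ("core/lib/Drupal.php", re.compile(r"const VERSION = '([0-9][^']*)';")),
    ("includes/bootstrap.inc", re.compile(r"define\('VERSION', '([0-9][^']*)'\);")),
)


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.5.1' -> (8, 5, 1); a pre-release suffix such as '-rc1' is ignored."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def branch_of(version: str) -> str:
    """Drupal 7 has a single branch ('7'); Drupal 8 fixes are per minor ('8.5')."""
    parts = parse_version(version)
    return str(parts[0]) if parts[0] < 8 else f"{parts[0]}.{parts[1]}"


def installed_version(docroot: str) -> Optional[str]:
    """Read the core version from a docroot, or None if no recognisable core is there."""
    for rel_path, pattern in VERSION_SOURCES:
        path = os.path.join(docroot, rel_path)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8") as fh:
            match = pattern.search(fh.read())
        if match:
            return match.group(1)
    return None


def is_patched(version: str, fixed_versions: Dict[str, str]) -> bool:
    """True when the installed version is at or above the fixed release for its branch."""
    required = fixed_versions.get(branch_of(version))
    if required is None:
        return False  # unsupported or unknown branch: flag it for a human decision
    return parse_version(version) >= parse_version(required)


def audit_fleet(sites: Dict[str, str], fixed_versions: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Per-site status (installed version, patched or not) for the progress report."""
    report = {}
    for name, docroot in sites.items():
        version = installed_version(docroot)
        report[name] = {
            "version": version,
            "patched": version is not None and is_patched(version, fixed_versions),
        }
    return report


def build_sample_fleet() -> Dict[str, str]:
    """Constructed fixture: fake docroots containing only the core version file."""
    root = tempfile.mkdtemp(prefix="drupal-fleet-")
    fixtures = {
        "site-a": ("core/lib/Drupal.php", "<?php\nclass Drupal {\n  const VERSION = '8.5.0';\n}\n"),
        "site-b": ("core/lib/Drupal.php", "<?php\nclass Drupal {\n  const VERSION = '8.5.3';\n}\n"),
        "site-c": ("includes/bootstrap.inc", "<?php\ndefine('VERSION', '7.40');\n"),
        "site-d": (None, None),  # no recognisable core: a broken or non-Drupal deployment
    }
    sites = {}
    for name, (rel_path, content) in fixtures.items():
        docroot = os.path.join(root, name)
        os.makedirs(docroot)
        if rel_path:
            full = os.path.join(docroot, rel_path)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        sites[name] = docroot
    return sites


# Constructed minimums for the demo only; in use, take the fixed releases from the advisory.
SAMPLE_FIXED_VERSIONS = {"7": "7.42", "8.5": "8.5.3"}

if __name__ == "__main__":
    for site, status in audit_fleet(build_sample_fleet(), SAMPLE_FIXED_VERSIONS).items():
        flag = "OK    " if status["patched"] else "UPDATE"
        print(f"{flag} {site}: {status['version'] or 'core not found'}")
```

A site whose core cannot be identified, or whose branch is not in the fixed-version table, is reported as not patched rather than silently skipped; during an emergency roll-out those are exactly the deployments that need a person to look at them.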

Bumps in the Road

Updates were going smoothly until one client hit a snag. Their internal team was having trouble applying the security update, and after two days reached out to Isovera deeply concerned. When Isovera investigated, we found that different source-control and site-update methods had been used by different teams working on the site. The live code for the website was in such a fragmented state that the internal team could not apply the security update without risking data loss.

Working closely with the technical lead on the project, Isovera was able to repair and capture all of the site’s code changes back into the repository in a way that allowed the security update to be applied successfully.

Setting Things up for Success

Ideally, we want a client’s experience with an open source platform like Drupal to mirror what they would expect from a proprietary, closed-code system (picture your MS OS upgrades). As Isovera builds Drupal sites with best practices at the forefront, most of our clients’ websites are silently updated behind the scenes while our clients are able to focus on business as usual.

“Keeping your site updated does more than keep you secure,” said Stephen Sanzo, CEO of Isovera. “Not every update is security related, but they all improve the system. With regular maintenance you are ready when a big security update like this comes along. When you let your site fall behind and get out of date, you accrue technical debt. Making up that debt in an emergency like this is high risk but, with regular maintenance, it becomes a non-issue.”
