While the rest of this post looks back at 2007, I'd like to throw some attention to the security presentation at DrupalCon Boston.
2007 was a busy year for the Drupal Security Team. That's not to say that Drupal is unsafe but that security requires a lot of work. The nature of the work makes it hard to communicate exactly what is going on. So here is an attempt to share some information about the past year for the security team.
Releases, Reports, and Discussion
The team issued 37 Security Announcements (SAs), representing more than 100 patches released. Each SA requires at least 1 patch and 2 reviews (review before the patch is made to find other security holes and a second review to ensure that the hole has actually been fixed). Most issues involve multiple patches and multiple reviews. Each also requires the SA to be written and reviewed, the patches to be committed, release nodes created, published, drafts copied from security.drupal.org to drupal.org, and flipping publish/status bits on a few nodes around our infrastructure. All of that work was done 37 times last year or approximately once every 10 days. For comparison, 2006 totaled 32 SAs.
For each issue, there are more problems reported which turn out not to be issues. See Howto report a security issue and My Site Was Defaced ("hacked") What Should I do Now? for more information about how to report issues properly and with sufficient information. You can get a sense for the amount of discussion of security related topics and also of false reports based on the volume of emails to the internal mailing list:
Individual mails to the security team:
| May | 140 | 399 (rough spam filter added ~here) |
| Jul | 267 (Manual moderation added ~here) | 106 |
I don't see any great trends in there, but it at least shows the volume of mail that we are dealing with and the fact that while there is relatively little public discussion (aside from the occasional notable exception) there is still quite an enormous amount of discussion.
If we look at just the months where manual moderation was in place (to be sure there was no spam inflating the numbers) that's an average of 189 emails per month or 6 emails per day.
To help spread this load, the team recruited several new members: ajk, goba, greggles, hunmonk, scor, Chris Johnson, dmitrig01, aclight. Realizing that most security cracks are social ones, we also removed people who were no longer active in the team or the project. Making sure that we have only active and committed members is part of keeping the project secure, but is not an indication of dislike for the people nor should it detract from the effort they have provided over the years. Priorities change and we thank folks for the work they have done.
Spreading the word, Education, and Prevention
In addition to emails, patches, and reviews, the team took the following actions to help reduce security problems in the future.
1. Presentation in Barcelona (the presentation slides are in the handbook)
2. Email announcements (~13,000 subscribers) and RSS subscriptions to the security feed (2,197 according to an analysis by Drupal.org admin extraordinaire nnewton). We don't have numbers for last year for these attributes.
3. Update status module will provide an enormous help in getting the word out about new security releases. Already it is reaching a crowd roughly as big as the security announcement newsletters. This will help users keep their sites up to date and will also give the security team some data about how quickly users update which will be enormously useful in helping us learn where to spend more of our effort.
4. Edits to handbook pages - in short, approximately 5 new pages and 44 enhancements to existing pages.
Long form information on edits:
Security Team: 7 edits
Handling Text Securely: 1 edit
File uploads - completely new section, 6 edits
How to use db_rewrite_sql: 2 edits
Session IDs: 1 edit
Using FAPI to avoid CSRF: new page, 1 edit
Security Team: 20 edits
Report: 2 edits
Contacted by Security team, now what?: 3 edits
Hopefully this gives some insight into how the team works and what the workload is like. If you have any feedback for the security team, we're listening.