
Security Team Activity in 2007 by the Numbers

While the rest of this post looks back at 2007, I'd like to throw some attention to the security presentation at DrupalCon Boston.

2007 was a busy year for the Drupal Security Team. That's not to say that Drupal is unsafe but that security requires a lot of work. The nature of the work makes it hard to communicate exactly what is going on. So here is an attempt to share some information about the past year for the security team.

Releases, Reports, and Discussion

The team issued 37 Security Announcements (SAs), representing more than 100 patches released. Each SA requires at least 1 patch and 2 reviews (review before the patch is made to find other security holes and a second review to ensure that the hole has actually been fixed). Most issues involve multiple patches and multiple reviews. Each also requires the SA to be written and reviewed, the patches to be committed, release nodes created, published, drafts copied from to, and flipping publish/status bits on a few nodes around our infrastructure. All of that work was done 37 times last year or approximately once every 10 days. For comparison, 2006 totaled 32 SAs.

For each real issue, several more problems are reported that turn out not to be security issues at all. See How to report a security issue and My Site Was Defaced ("hacked") What Should I do Now? for information about how to report issues properly and with sufficient detail. You can get a sense of the amount of discussion of security-related topics, and of the volume of false reports, from the number of emails to the internal mailing list:

Individual mails to the security team, by month:

Month   2007   2006   Notes
Jan      263    412
Feb      168    356
Mar      149    470
Apr      115    145
May      140    399   rough spam filter added ~here
Jun      155    182
Jul      267    106   manual moderation added ~here (2007)
Aug      104    138
Sep      186     97
Oct      352    214
Nov      152    153
Dec      155    148

I don't see any great trends in there, but it at least shows the volume of mail we are dealing with, and the fact that while there is relatively little public discussion (aside from the occasional notable exception) there is still an enormous amount of discussion going on behind the scenes.

If we look at just the months where manual moderation was in place (so we can be sure no spam is inflating the numbers), that's an average of 189 emails per month, or about 6 emails per day.

To help spread this load, the team recruited several new members: ajk, goba, greggles, hunmonk, scor, Chris Johnson, dmitrig01, aclight. Realizing that most security cracks are social ones, we also removed people who were no longer active in the team or the project. Making sure that we have only active and committed members is part of keeping the project secure, but is not an indication of dislike for the people nor should it detract from the effort they have provided over the years. Priorities change and we thank folks for the work they have done.

Spreading the word, Education, and Prevention

In addition to emails, patches, and reviews, the team took the following actions to help reduce security problems in the future.

1. Presentation in Barcelona (presentation slides are in the handbook).
2. Email announcements (~13,000 subscribers) and RSS subscriptions to the security feed (2,197 according to an analysis by admin extraordinaire nnewton). We don't have last year's numbers for these.
3. The Update status module will be an enormous help in getting the word out about new security releases. It is already reaching a crowd roughly as big as the security announcement newsletters. This will help users keep their sites up to date, and will also give the security team data about how quickly users update, which will be enormously useful in learning where to spend more of our effort.
4. Edits to handbook pages: in short, approximately 5 new pages and 44 edits enhancing existing pages.

Long-form breakdown of the handbook edits:

Security Team: 7 edits
Handling Text Securely: 1 edit
File uploads - completely new section, 6 edits
How to use db\_rewrite\_sql: 2 edits
Session IDs: 1 edit
Javascript: new page, 1 edit
Using FAPI to avoid CSRF: new page, 1 edit
Security Team: 20 edits
Report: 2 edits
Contacted by Security team, now what?: 3 edits

Hopefully this gives some insight into how the team works and what the workload is like. If you have any feedback for the security team, we're listening.
