Security. It’s a high priority for anyone on the web nowadays. Security threats on the web come in countless forms: malware, infected sites, hijacking information, etc. It’s no surprise then, that the security of open source software is often a focal point for companies creating online community platforms. It's definitely important for us at Open Social. Here’s an overview of providing security for an open source community, and why it’s important that we’re covered by the Drupal security team.
What is Open Source Security?
Open source software contains source code that is openly available for anyone to inspect, adjust, or improve. This code may contain bugs or issues that need to be flagged. Moreover, public availability means attackers could study and exploit the code, making code level security practices very important. Here are some common open source security practices:
- Maintain an inventory of all software used. This information should include the version, hash value, and the original source of the code.
- Check the availability of security updates and bug fixes. This helps ensure that the patch management processes can be followed regularly.
- Test and scan the source code. This can be done using code analyzers, auditing tools, or a community like Drupal.
- Ensure that open source applications comply with the existing network architecture. This avoids violations of any firewall or security policies.
We found that open collaboration from the Drupal community ensures that potential vulnerabilities and design flaws are flagged way quicker than programs built on proprietary software. Moreover, everyone viewing the source code can reuse and improve security material related to that software. The security benefits of using open source trickle down to Linus’s Law, stating that:
Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone - The Cathedral and the Bazaar by Eric S. Raymond (Lesson 8).
The increased, collaborative security research that comes with open source code results in improved security for everyone involved.
Drupal is a well-known open source software platform and consists of over 100.000 developers worldwide who maintain and improve thousands of websites across. Drupal hosts a variety of code, which brings us to the necessary existence of the Drupal security team. This team is in charge providing security expertise and assistance to the Drupal community. They ensure that any security issues for code hosted on Drupal are reviewed, reported, and solved.
Given that many software companies, such as ourselves, have a finite-sized team, both the company and customers benefit from the larger Drupal community and security team supporting us with security advisory practices and policies.
Open Social Security Process
The security team only issues advisories for and covers projects that are hosted on drupal.org, such as Open Social. There are a variety of steps to take before you get a security clearance: an automated test on your code for security implications, a manual review by the Drupal community, and a final check by the Drupal security team. Open Social has gone through all these steps and has been provided with security clearance from the Drupal security team. Woohoo!
“The Drupal project has built a reputation for security thanks to the efforts of the volunteer Drupal security team. By opting into security advisory coverage, Open Social ensures they will get the support of the security team if there is ever a reported vulnerability that needs to be responsibly disclosed." - Drupal Security Team
Side note: There’s great ‘I rub your back if you rub mine’ motivation in the Drupal community. A project reviews the security of other projects for priority bonuses. This means Open Social has reviewed three projects for security implications in return for a check on our own coding. This doesn’t only result in a thorough review, but additional feedback and tips.
Why is This Cool?
A stable security release of the software code was a great win for our Open Social team. Here’s why we are excited:
- Stronger trust. The security clearance leads to an even stronger development of trust for our distribution system from our potential customers and Drupal community members.
- Quality work. It’s great for our team of developers that receive recognition for quality work; the code that we produce is taken care of, up to date, and is safe to for everyone to use.
- Continuous support and maintenance. The Drupal community and security team provide a continuous stream of support for Open Social’s security. Not only will they continue to help us monitor our code, but also motivate us to fix issues right away.
What are practices and methods for keeping your software and code secure? What about your website? Let us know in the comments!