
Drupal Security Report: Connect with Fans, Reason to Sponsor

Recently our company worked with partners and sponsors to create a thoroughly researched, high quality document about the state of security in the open source Drupal project. You can download the report from DrupalSecurityReport.org, but right now I want to talk about the motivations, the audience, and the funding model behind the report because we feel that we've solved a tricky problem: funding expensive work in an easily copied medium (PDF downloads). We decided to try a variation on Techdirt's strategy to "Connect with Fans and give them a Reason to Buy".

This report was something that my colleague Ben Jeavons and I had wanted to do for a long time, but we couldn't fund it entirely from our own company resources. The target audience for the report is people who are considering Drupal and we didn't feel that they would be willing to spend money purchasing the report.

Connect with Fans

Fortunately, we have built up an audience among people interested in Drupal security. Last fall I did a security webinar for a few hundred folks, leveraging Acquia's webinar program. Our blogs are read directly by a few thousand people interested in Drupal and are syndicated to over 20,000 readers interested in the topic. We've also given several presentations on Drupal security.

So, with a purpose and some fans in tow, we turned to business contacts we've made over the years to see if they could help with funding.

Reason to Sponsor

From those discussions, it became clear that our sponsors were motivated by three major ideas (and one sub-idea).

  1. They sell Drupal in the enterprise space and are often confronted with questions about security and don't have a good answer. They wanted something they could point to.


Drupal Security Report

Last week at DrupalCon SF we released the Drupal Security White Paper on drupalsecurityreport.org. The paper has been under development for the last several months and we worked hard to complete it in time for DrupalCon.

Addressing ongoing questions about Drupal security, the paper analyzes the Security Team's Security Advisories and discusses how Drupal 6 and 7 address common and critical security risks, including those of the OWASP Top Ten.

We couldn't have done it without the help of our sponsors, including Cydeck and Examiner.com among others, and without the help of our reviewers. Thank you!

If you're evaluating Drupal for use on your site, this report is for you. Or, if you're just curious to know more about Drupal and how it addresses security risks please give it a read.



Denver Drupal Training - April 3, 2010

Dive into Drupal

a 1-day Seminar in Denver

Presented by Growing Venture Solutions

Date

April 3rd 2010
9:30 AM - 5:30 PM

Class Location

The GVS offices
209 Kalamath St Unit 25
Denver, CO
(Free parking)

Class size

To ensure a high quality class and a great student/teacher ratio, class is limited to 20 students.

Cost

  • Early Bird Price: $80 if you register and pay before March 23, 2010
  • Regular Price: $100 if you register and pay after March 23, 2010

Recommended

Your own laptop with wireless internet capability.

Class Lifeguards

Class Description

Ready to dive into Drupal? Fear not, lifeguards are on duty! Savvy instructors from Growing Venture Solutions will help you get Drupal installed on your laptop and instilled in your thinking.

We'll begin by introducing Drupal's foundational concepts, then start building your first Drupal site -- create content, install & configure the right modules, and start managing users. Then, we'll focus on tools to make your site shine -- enrich content with fields and taxonomy, customize URLs to be readable and SEO-friendly, create an events calendar with the powerful Views module, and integrate images in powerful and creative ways.

By the end of this class you'll be ready to build your own Drupal sites, understand and speak the Drupal lingo, and get involved with the vibrant Drupal community to find more tools, solve bugs, and make your site more awesome!

Topics covered include:

Class Date: 
Apr 3 2010


Security Review module and securing your Drupal site

Drupal core is very secure by default, but you can unknowingly open vulnerabilities with insecure configuration. For example, allowing anonymous, untrusted users to use any HTML tag in comments opens a cross-site scripting (XSS) attack vector on your site: whatever script a commenter embeds runs in the browser of every visitor who views the comment.

I'd like to introduce the Security Review module for automatically checking for the existence of insecure configuration and maintaining a secure Drupal site. With the first release come the following checks:

  • Insecure file system permissions
  • Insecure input formats
  • Dangerous code in nodes and comments
  • Printed errors
  • Private files directory not set outside the web root
  • Dangerous allowed upload extensions
  • Permissions granted to untrusted roles

Security Review also looks for evidence of common attacks: SQL injection/system probing and brute-force login attempts.

The module reports the result of each check as pass or fail and provides details on an accompanying page. Checks may not be 100% accurate on every system, so individual checks can be skipped. I often skip the error reporting check while on a development instance of my site. The checks are explained in detail and, where applicable, there are links to online documentation.

Future plans for the module include popular contrib module checks and notification support. I encourage you to give the module a run on your sites and let me know what you think in the comments!
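To make the checks above concrete, here is a stand-alone script that performs simplified versions of several of them: dangerous tags in an input format (the comment XSS vector described above), dangerous markup already stored in node or comment bodies, dangerous upload extensions, a private files directory that resolves to inside the web root, world-writable files, and brute-force login detection over watchdog-style log lines. This is an added example, not the Security Review module's own code; the tag and extension lists, the failed-login threshold, the log line format, and all sample inputs are assumptions made for the demonstration.

```python
"""Illustrative stand-alone versions of a few Security Review-style checks.

Added example, not the Security Review module's own code. The tag and extension
lists, the brute-force threshold, the log format and the sample inputs are all
assumptions made for this demonstration.
"""
import os
import re
import stat
import tempfile
from collections import Counter

# Tags that let an untrusted comment author run script or load active content
# in every visitor's browser. Assumed list, not the module's.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "style", "link",
                  "meta", "base", "form", "applet"}

# Upload extensions a typical web server executes or that carry script. Assumed list.
DANGEROUS_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "pl", "py",
                        "cgi", "asp", "aspx", "jsp", "sh", "htaccess", "html", "js"}

# Constructed watchdog-style log lines; the format is an assumption.
SAMPLE_LOG = [
    "2010-03-15 10:01:02 user Login attempt failed for admin from 203.0.113.7",
    "2010-03-15 10:01:05 user Login attempt failed for admin from 203.0.113.7",
    "2010-03-15 10:01:09 user Login attempt failed for admin from 203.0.113.7",
    "2010-03-15 10:01:12 user Login attempt failed for admin from 203.0.113.7",
    "2010-03-15 10:01:15 user Login attempt failed for root from 203.0.113.7",
    "2010-03-15 10:01:19 user Login attempt failed for root from 203.0.113.7",
    "2010-03-15 10:30:00 user Login attempt failed for editor from 198.51.100.2",
    "2010-03-15 10:30:20 user Session opened for editor from 198.51.100.2",
    "2010-03-15 11:00:00 user Login attempt failed for editor from 198.51.100.2",
]


def check_input_format(allowed_tags: str) -> list:
    """Return dangerous tags in a Drupal-style allowed-tags string such as '<a> <em> <script>'."""
    tags = {t.lower() for t in re.findall(r"<\s*([A-Za-z0-9]+)", allowed_tags)}
    return sorted(tags & DANGEROUS_TAGS)


def find_dangerous_markup(body: str) -> list:
    """Flag script tags, inline event handlers and javascript: URLs in a stored node/comment body."""
    patterns = {
        "script tag": r"<\s*script\b",
        "event handler": r"\son[a-z]+\s*=",
        "javascript url": r"javascript\s*:",
    }
    return sorted(name for name, pat in patterns.items() if re.search(pat, body, re.IGNORECASE))


def check_upload_extensions(allowed: str) -> list:
    """Return dangerous extensions in a space-separated allowed-extensions setting."""
    exts = {e.lower().lstrip(".") for e in allowed.split()}
    return sorted(exts & DANGEROUS_EXTENSIONS)


def private_path_inside_webroot(webroot: str, private_path: str) -> bool:
    """True when the private files directory resolves to somewhere under the web root,
    meaning the web server can serve the 'private' files directly."""
    root = os.path.realpath(webroot)
    priv = os.path.realpath(os.path.join(webroot, private_path))
    return priv == root or priv.startswith(root + os.sep)


def world_writable(paths) -> list:
    """Return the given paths whose mode grants write access to everyone."""
    return sorted(p for p in paths if os.path.lexists(p) and os.stat(p).st_mode & stat.S_IWOTH)


def demo_file_permissions() -> list:
    """Build a throwaway tree with one world-writable file and report which file is flagged."""
    tree = tempfile.mkdtemp(prefix="drupal-perm-")
    ok = os.path.join(tree, "index.php")
    bad = os.path.join(tree, "settings.php")
    for path, mode in ((ok, 0o644), (bad, 0o666)):
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    return [os.path.basename(p) for p in world_writable([ok, bad])]


def brute_force_sources(log_lines, threshold: int = 5) -> dict:
    """Count failed logins per source address; return sources at or above the threshold."""
    pat = re.compile(r"Login attempt failed for \S+ from (\d+(?:\.\d+){3})")
    counts = Counter()
    for line in log_lines:
        m = pat.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("input format:", check_input_format("<a> <em> <strong> <script>"))
    print("stored markup:", find_dangerous_markup('<img src="x" onerror="alert(1)">'))
    print("upload extensions:", check_upload_extensions("jpg png txt php"))
    print("private inside webroot:", private_path_inside_webroot("/var/www/html", "sites/default/files/private"))
    print("world-writable:", demo_file_permissions())
    print("brute force:", brute_force_sources(SAMPLE_LOG))
```

Each function returns its findings rather than a bare pass/fail so the caller can print the details page the module describes. The private-files check resolves symlinks before comparing, which catches a directory that is nominally outside the web root but symlinked back into it.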



Book Review: Web Mapping Illustrated by Tyler Mitchell Using Open Source GIS Toolkits

This book is starting to get a little bit old (it was written in 2005) but it is still a great introduction to the complexities and potential fun with mapping online.

The book starts with general concepts, wades through command line and desktop tools for mapping, dives into Web Map Services based on the MapServer project, and finishes off with more reference material in the appendixes. The general concepts, command line tools (page 82 and nearby), and references will be useful for years to come. The rest of the material was a bit dated. For example, page 132 has a sidebar exclaiming that the *new* GMaps service from Google seemed very interesting.

I was particularly impressed by:
* The introduction to SFSQL (Simple Feature Structured Query Language) on page 242
* The introduction to PostGIS features in Chapter 13 including guide to querying on page 256
* Discussion of the ogr and gdal tools for dealing with various types of data.

I really hope that O'Reilly will update this book and that the author will be able to expand it to cover other mapping tools beyond MapServer and other databases beyond PostgreSQL (we mostly use MySQL).


Training - San Jose Library

San José Library

The San Jose Library manages a variety of websites for San José Public Libraries and San José State University Library. After evaluating several systems, the web team decided to use Drupal for their projects and began working to learn to use Drupal. In order to speed their trip up the Drupal learning curve, they decided to engage Growing Venture Solutions for training.

About the training, team lead Sarah Houghton-Jan said:

Greg's training was well-organized, starting with the basics and progressing to the more advanced topics. Greg is extremely knowledgeable about every aspect of Drupal. As one of the community's most active members, he has an incredible range of information immediately at his disposal about the system's capabilities and processes. The training was extremely flexible - Greg let us stop and ask questions whenever we wanted, pause for hands-on work, and breeze through issues of less interest to us. Greg is a very friendly trainer, approachable, easy to work with, and amazingly knowledgeable. I would recommend him for any institution seeking training on any aspect of Drupal. Though we had three days of training, I wish we had five instead so that we could have gone more in depth into each topic and accessed Greg's wealth of knowledge!

The Library training was a blend of our standard training curriculum and some customization to fit their needs.



The Dao of the Drupal Community

Greg Knaddison

Growing Venture Solutions

July 2008



DrupalCamp Colorado - Welcome!

Greg Knaddison

greggles

2008/03/05 9:00

DrupalCamp Colorado

Best DrupalCamp Colorado Ever!

The bathrooms...

Big thanks to Denver Open Media.

Big thanks to Aten Design Group.

Do-ocracy
Drupal(Camp) is what you make of it.

tag it: drupalcampcolorado

drupalcamp

(on monitor upstairs)

Lightning!

S5 Presentation Layer.
Simple Standards-Based Slide Show System
(no, it's not SSBSSS nor S2BS3)
(because Eric Meyer said so)

<!--pagebreak--> + words = presentation!

Where are the slides?
Oh...they're already online in a shareable format.



Quick Introduction to Views 2

Greg Knaddison

Growing Venture Solutions

July 2008

DrupalCamp Colorado

What is Views 1?
The views module provides a flexible method for Drupal site designers to control how lists of content (nodes) are presented.

What is views 2?
The views module provides a flexible method for Drupal site designers to control how lists of anything are presented with a kickass Ajax interface.

Questions?

Demo!

Raffle for Komodo
Advanced help
Non-node tables

Session list (and block)
Basic node list
Overrides

Comments + moderation

Image + ajax + minipager = carousel...?

Stump the Chump!

