Updated on 24 October 2017
The security team provides weekly security announcements, most of the time on Thursday.
Keep this in mind when you plan maintenance.
The scope of these announcements is Drupal core and contributed projects (modules, themes, distributions).
Security announcements are described as follows:
- level: Security risk levels defined
Example of a security announcement.
How to get notified?
The core module Update Manager is installed by default and, when needed, sends notifications by mail and on your website, based on your core version and the projects installed.
If you disable these notifications, make sure that you still get updates:
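The check behind those notifications, as an added example (not code from the page or from Drupal itself): Update Manager reads the release-history XML feed for each installed project and flags releases newer than the installed one whose release type is "Security update". The feed below is a constructed sample that mirrors the shape of that feed, and the version parsing assumes core-style versions such as 7.32, not contributed-project versions like 7.x-1.0.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real feed: it mirrors the shape of
# https://updates.drupal.org/release-history/<project>/<core> that Update Manager reads.
SAMPLE_FEED = """<project>
  <short_name>drupal</short_name>
  <api_version>7.x</api_version>
  <releases>
    <release>
      <version>7.33</version>
      <terms><term><name>Release type</name><value>Bug fixes</value></term></terms>
    </release>
    <release>
      <version>7.32</version>
      <terms><term><name>Release type</name><value>Security update</value></term></terms>
    </release>
    <release>
      <version>7.31</version>
      <terms><term><name>Release type</name><value>Bug fixes</value></term></terms>
    </release>
  </releases>
</project>"""


def parse_version(version):
    """Turn '7.32' into (7, 32) so releases compare numerically ('7.9' < '7.32')."""
    return tuple(int(part) for part in version.split("."))


def security_updates(feed_xml, installed_version):
    """Return versions newer than installed_version tagged 'Security update', oldest first."""
    root = ET.fromstring(feed_xml)
    installed = parse_version(installed_version)
    pending = []
    for release in root.iter("release"):
        version = release.findtext("version")
        # A release carries several <term>s; the security flag is the 'Release type' one.
        release_types = {t.findtext("value") for t in release.iter("term")
                         if t.findtext("name") == "Release type"}
        if parse_version(version) > installed and "Security update" in release_types:
            pending.append(version)
    return sorted(pending, key=parse_version)


if __name__ == "__main__":
    # A site still on 7.31 must update now; one already on 7.32 can schedule the 7.33 bug-fix release.
    for installed in ("7.31", "7.32"):
        print(installed, "->", security_updates(SAMPLE_FEED, installed) or "no pending security release")
```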
- Follow Drupal Security on Twitter
- Subscribe to security newsletter while creating or editing your Drupal account
Drop Guard service
Drop Guard is a service to automate Drupal updates. To use Drop Guard with your Drupal installation you need to install this module. It collects data about installed modules and themes and sends this information, encrypted, to Drop Guard. Drop Guard then retrieves the available updates for your site and takes care of applying them automatically, integrated with your deployment processes.
Do I really need to update each time?
Well, just read about the Drupageddon exploit: a few hours after its announcement, websites that had not applied the patch were hacked.
Honestly, SQL injection (the security issue in this case) is really rare, and so is a 25/25 security risk. But it is still a good idea to keep your website up to date, even if it is not affected by security updates. Here are a few arguments for you, your client or manager:
- A site that gets regular updates does not need a complete refactoring; it evolves naturally and follows the API updates. Read more about the Drupal 8 release cycle.
- The client should not have to approve security updates; they are part of the normal process of software maintenance.
- It should be included in your contract.
- Drupal comes with automated testing; even if it will never replace manual testing, it still reduces the load of manually testing the website on each update.
- For custom code, you should write unit tests that speed up testing after an update.
In all cases
- When a security announcement is published, review the security risk and carefully read the description to evaluate whether you have to apply it immediately or can plan scheduled maintenance with your client.
- If you cannot update, for any reason, at least apply a patch.
- Prepare a backup of your files, code and database (this should already be the case with an automated solution).
Some hosting companies dedicated to Drupal also provide extra security services, but the security update should first be done by the developer on a staging environment.