Open Source CMS in Financial Services?

I ran a small personal blog on Drupal for a number of years. Drupal can dramatically simplify some categories of web content management compared to competing technology options.

A quick job search this evening for financial services openings involving Drupal in New York suggests a range of banking, finance, investments, and insurance organizations use this stack today.

Drupal is an open source content management platform powering millions of websites and applications. It is built, used, and supported by an active and diverse community of people around the world. It is written in PHP, uses a MySQL database, and supports a range of other emerging web technologies.

One reason I drifted off my Drupal platform involved the level of effort required to keep it updated and patched as new security vulnerabilities and exploits were published.

Drupal has a well-established record of moderately-critical and critical security vulnerabilities. This is not necessarily a bad thing. There is an active Drupal security team using relatively well-documented processes (https://drupal.org/security-team and https://drupal.org/node/1424708) in the context of an exemplary level of transparency.

In 2013 there were 3 major collections of remotely-exploitable critical & highly-critical vulnerabilities in the Drupal core, as well as 97 (mostly) remotely exploitable vulnerabilities in Drupal extensions.

Implications:

  1. Running a Financial Services web site on Drupal with a range of typical features & integrations involves the same range of risk management obligations as with any other technology stack. As a result, security needs to be built into your software development lifecycle end-to-end — from requirements-gathering & architecture, through configuration, deployment & operations, and every step in between.
  2. We need to develop & document a set of core company-standard coding conventions & formal standards that attempt to incorporate exploit resistance and attack-awareness, along with security-centric logging/alerting/alarming/reporting practices throughout all Drupal-hosted application content (code, templates, configurations, CSS, etc.). If your organization does not support PHP development today, Drupal will drive you to PHP support. Building out a secure coding practice for a programming language without legacy support in your organization will require a non-trivial investment. The Drupal security team maintains code-level security guidance at https://drupal.org/writing-secure-code, which should help bootstrap company-specific efforts; those efforts should then be enthusiastically integrated into all code/configuration activities.
  3. We need to use careful, thoughtful, skeptical and paranoid security code reviews of all ‘code’ & configuration changes prior to deployment.
    Organizations should also invest in a regular service of centralized security code analysis, along with security assessments in a deployed context, and ‘certification’ of Drupal modules — permitting only ‘certified’ or approved modules in production and pilot environments. This type of review does not guarantee risk-free operations, but it would help to demonstrate Financial Services-grade due diligence and deliver a certain degree of safety in the module code. Some static security code analysis SaaS vendors support PHP, which can help with your staffing challenges here.
  4. We need to have enough trained technical and leadership personnel on deck at all times in order to react efficiently & effectively to security advisories or exploit announcements that require relatively-immediate site and/or code changes.
  5. Finally, revisit the first recommendation above and follow through across your entire SDLC. We also need to invest in ongoing platform penetration testing & web application vulnerability assessments in order to ensure that we are not exposed to a known or not-yet-announced vulnerability. Again, SaaS support opportunities abound in dynamic application testing. ‘App pen testing’ is not the solution to your web application security needs; it is only one facet of a multi-dimensional, full life-cycle approach that is critically important.

REFERENCES

Security Advisories – Drupal Core
https://drupal.org/security
Security Advisories – Contributed Projects
https://drupal.org/security/contrib
Security Advisories – Public Service Announcements
https://drupal.org/security/psa

“Security Issues in Drupal Content Management System.” (2013)
http://www.examiner.com/article/security-issues-drupal-content-management-system

The 10 most critical Drupal security risks. (2012)
http://www.cameronandwilding.com/blog/pablo/10-most-critical-drupal-security-risks

CVE Drupal Vulnerability Statistics:
http://www.cvedetails.com/vendor/1367/Drupal.html
CVE Drupal Vulnerability Details:
http://www.cvedetails.com/vulnerability-list/vendor_id-1367/product_id-2387/Drupal-Drupal.html

Drupal Administration Guide — Securing your Site
https://drupal.org/security/secure-configuration

Drupal Writing secure code. Last updated September 12, 2013
https://drupal.org/writing-secure-code

“Drupal Security Best Practices — A Guide for Governments and Nonprofits.”
By OpenConcept Consulting Inc. for Public Safety Canada
Principal Author: Mike Gifford, with a collection of contributors
http://openconcept.ca/drupal-security-guide

Public Example: Drupal Security at University of Pennsylvania
Drupal Security Considerations
https://www.sas.upenn.edu/computing/infosec_drupal
Drupal Secure Configuration
https://www.sas.upenn.edu/computing/drupal-security
Drupal Approved Modules
https://www.sas.upenn.edu/computing/drupal-approved-modules

“Mad Irish . net — Open source software security.”
http://www.madirish.net/tag/drupal
