How Drupal Manages to Combine Openness and Security?

QArea Team by QArea Team on March 8, 2012

How Drupal Manages to Combine Openness and Security?
Reading Time: 4 minutes

Drupal is one of the largest open source software projects in the world. Thousands of developers write code for it and develop Drupal websites or applications. The graphic below will help you understand the work of Drupal’s Security Team better.

Keeping Drupal Secure

Drupal has risen from the ranks in decade since its creation. It maintains the web presence of thousands of businesses, governmental institutions, universities and others around the whole world. Today writing code for Drupal is determined as writing code that could be used at any of those sites. Surely, Drupal code must correspond to the very precise requirements of banks, health-care institutions, and governments, in spite of the fact, that it is developed either by a devoted hobbyist or by a fulltime professional. It is also important to be one step forward of those, who make attempts to break into such systems.

Security and open source bound together

Drupal’s security process doesn’t need to be accomplished fast and cautiously to further fix the problem before they gain popularity or begin to be widely used. But still security and open source are well bound, yet someone who considers that “security by ambiguity” really works may be quite astonished. A good recipe for a collapse is concealing behind proprietary licensing or complied code and relying on the fact that no one will pay attention to security flaws. Opening your code to the community can ensure in greatly enhanced security because everyone has the ability to find and fix a problem. Having thousands of developers in one community increases the benefits, i.e. if anyone fixes a bug, then you have got your bug fixed as well. Drupal’s codebase is thoroughly and systematically examined by various security experts from the world’s governments and other big companies. They assess Drupal’s secure for their mission-critical applications.

Proactive security awareness. Trying to prevent security issues.

Insecure code usually has defected from the very beginning. Yet, the best practices are available for the developers so that they could solve the majority of security issues at the very start. That is why Drupal Security Team continuously leads open-ended efforts to improve and help the Drupal community to keep from appearing security issues. They shepherd presentations and training, events and conferences to Drupal community, carry out webinars, provide free online documentation and encourage the public group to take part in discussion Drupal security-related issues.

Drupal core and stable release modules. What is supported?

The Drupal Security Team helps in dealing with huge amount of security issues across the Drupal project and additional plug-in modules developed for it. In this list modules with “development” versions are not included; modules without a supported stable version thus cannot benefit from the Security Team’s management. So, if you’ve decided to use a module only with “development” or “beta” versions for a critical application, as a module’s support to finish a stable, supported “x.0” version.

Drupal Security Team. All about it.

The Drupal project has announced the existence of its Security Team in 2005 and now and then rotates team leadership. Nowadays the improvement of new technologies gives way to detect issues that are indistinct and difficult to recognize because code doesn’t commonly “unexpectedly become insecure”. A lot of skills, knowledge, and experience is directed to make Drupal as secure as possible. Today the Drupal Security Team is a grown-up, multifarious group, now including about 40 of the world’s leading web-security experts (none of them are robots, despite their skill and efficiency). They check and determine problems that arise “in the trenches”, they also work to increase the security of the Drupal project. Members of the team are hard-working volunteers from different countries across 3 continents, involving those from Belgium, Canada, England, France, Germany, Hungary, Ireland, Japan and the United States. The team involves people from consultancies, Drupal service suppliers, government providers for cooperation, as well as non-profit, profit and educational organizations.

How do the Drupal Security Release process happen?

  • Uncovering vulnerability in code. You can find/meet bug hunters everywhere. Therefore everyone is capable of recognizing and reporting a security problem to the team, the team itself as well, but also module maintainers, the wide Drupal Community, security researchers in Drupal and even you. If you’ve found a bug and want to inform about it, read and follow How to report a security issue on
  • Private reported issues to Security Team. Security issues should be dealt carefully and kept in secret. However, there is one exception – when vulnerability needs advanced permissions or access to use, for instance, the ability to manage filters or users. In such cases, the Security Team asks module developers to repair these problems openly, because it’s not a danger as it is and in the future they strengthen the system when used.
  • Issue reviewed potential impact on all supported Drupal releases evaluated. It is available two main releases series (6.x, 7.x, etc) maintained 24/7. Please always run and update to the newest version of the series you are using.
  • When the threat is acute, Security Team is gathered for analysis. Maintainer informed.
  • Maintainer solves the problem. Security Team arranges support. Maintainers, testers and other interested individuals are allowed to access to the problem on a private, secure issue tracker so that they could work together on a solution.
  • Fixes examined and considered. Steps 4 through 6 are repeated until the Security Team and module supervisor are pleased with the result of a security issue, which caused questions.
  • Code patches built and tested. The new code is tested to ensure it doesn’t present any other security issues or ruin the module in question.
  • New, fixed versions ready accessible at
  • Security recommendations are spread via websites, newsletters, RSS, Twitter, social media, etc. Follow on various social media or sign up for Drupal RSS on
  • New versions uploaded on all sites. Check the “Available updates” information on your Drupal site at admin/reports/updates in Drupal 6.x and 7.x to see if your Drupal core and installed module versions are the latest ones and download if necessary any new available version via active links. Please keep in mind that updates are not automated and need to be performed frequently to maintain you code up-to-date and thus your site as secure as possible.

QArea being the software outsourcing company that follows all the modern tendencies in IT world provides its specialists with such kind of tools that make their work being easier and more efficient.

You may also like: Check out our portfolio!

How Drupal Manages to Combine Openness and Security?

Review: Drupal 7 facilitates Web site management

How Drupal Developers Optimize Big Data in E-Commerce?