3.1. Stay Current with Code Updates

It is a sad but true fact that most major worms and exploits over the years have targeted vulnerabilities that were already known and already fixed. Table 3.1 provides evidence of this unfortunate trend. Each of these worms caused significant economic damage to companies and countries, and yet the patches that would have blocked them had been released months, or in Sadmind's case well over a year, before the worm appeared.

Table 3.1. Exploits

Worm/Exploit     Patch release date              Worm date
Santy*           November 2004                   December 2004
Code Red         June 18, 2001                   July 13, 2001
SQL Slammer      July 24, 2002                   January 25, 2003
Sadmind          December 1999 / October 2000    May 8, 2001

Sadmind is listed with two patch dates because it spread through two separately patched vulnerabilities, one in the Solaris sadmind service and one in Microsoft IIS.

NOTE

*Santy was the worm that attacked a site of mine and that first alerted me to the need for attention to security in web applications.

Therefore, one of the most important things you can do to protect your site is to stay up to date with new releases of the code you use. Keeping your site up to date is a two-step process:

  • Learning about the updates

  • Applying the updates

Learning about updated code may seem simple, but the Drupal project often suffers from too much information on a subject, which makes it hard to find the one piece you actually need. There are also probably a few dozen ways to update your code, which can be confusing in its own right. The next sections present some best practices for keeping on top of the rapidly changing Drupal project.

3.1.1. Staying Informed about Code Updates

There are three primary ways to stay informed about code updates, and I have listed ...
