Profile picture
Rick Manelius, PhD @rickmanelius
, 12 tweets, 2 min read Read on Twitter
The recent SA-CORE-2018-004 and SA-CORE-2018-002 security advisories have sparked a lot of conversations in the Drupal community regarding all things security. IMHO, it's important to highlight several talking points to keep things in perspective.
1/Timing. In both cases, it is believed that the patches and releases occurred before any publicly known or widely used exploit. This is huge. This means the community had a marked advantage in addressing before mass exploits were attempted.
2/Responsible Disclosure. Individuals finding these vulnerabilities decided to work with the Drupal Security team rather than disclose publicly. This is huge. It allows the community the chance to address proactively versus reactively on a potential 0-day exploit.
3/Due Diligence. If you'll note on SA-CORE-2018-004, there were members of the security team that played a part in the additional research and testing. To me this highlights the team taking active measures versus waiting passively for external reports.
4/Level of Participation. Despite being a group of volunteers, you'll note that a dozen individuals helped fix and coordinate this issue. This is a non-trivial amount of eyeballs looking at the problem and effort spent reviewing/evaluating the remediation strategy.
5/Hard Decisions w/Level Headedness. While we would all like security releases to fit within nice timeboxes that minimize disruption, the team sometimes has to balance risk with factors like convenience and maximizing overall benefit to the community. This is not easy/trivial.
6/Hosting Providers. While it only represents a fraction of the overall Drupal install base, the fact that several key hosting providers quickly rolled out infrastructure-level protection significantly limited the overall exposure.
7/Feedback Loops. While not all details can be disclosed, anyone on the public side can clearly see that the security team has been taking and applying feedback on a regular basis to improve communication/releases of critical/highly critical issues.
8/Real Time Support. While it remains to be seen if it stays open, there was a Slack channel opened up for real-time questions/answers drupal.slack.com/messages/C2AAK….
9/Volunteers. An important reminder that many members of the Drupal Security team are volunteers. Appreciation can go a long way. Even better, if you're a company that employs a Drupal Security team member, allocating more company time would be well received.
10/Open Source. Security Advisories are not a bug, but a feature of open source. The codebase (like our community) is a shared responsibility.
End thread. Thank you for listening.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Rick Manelius, PhD
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related threads

Profile picture
This is the best thing on Twitter this morning. I see too many security products trying to *replace* human-to-human interaction - there’s a good chunk of security and privacy that’s about *people*.

Let’s make more products which help people STOP, collaborate, and listen 😝
Forgetting about the “people” part of security is why we’ve heard “GRC is dead” for the last 10 years. We’re on “GRC 4.0” now and it *still* sucks.

GRC tools like Archer are designed for Process and Technology but forget about the poor People who have to use that dumpster fire.
We still have new vendors trying to design single-pane-of-glass “CISO dashboards”, meanwhile *very* few security companies are truly focused on people (not just security people) inside of organizations.

@duosec is one of the few companies who has focused on people. @habitu8 too
Read 10 tweets
Profile picture
"Trump has used Harley-Davidson as an example of a US business that is being harmed by trade barriers. Yet Harley has warned consistently against tariffs, saying they would negatively impact sales"

Harley, hit by tariffs, shifts some production overseas apnews.com/6c8942f7363743…
Important issue highlighted by @riotwomennn: are tariff exemptions determined by bribes?

Corker: "22,000 companies have asked for exemptions.There is no basis to deal with them. Are they going to grant these exclusions based on political contributions?"
Trump’s trade war with the European Union is going to cost Harley-Davidson as much as $100 million a year and force the manufacturer to shift production out of the U.S. bloomberg.com/news/articles/…
Read 232 tweets
Profile picture
Youth speak up on #endingchildmarriage
'We are living at the core of the problem and we should be at the core of the solution!' #GNB2018
Her family tried to marry her off but she resisted. Now she uses rap music to spread the message on #endingchildmarriages around the world.
'We can do it if we work together.' #GNB2018
Message from the elders;
*"Take every opportunity to share insights and suggestions with each other."
*"Connect with each other to learn & align.
*"Inspire each other to reach greater heights to achieve our goal of ending child marriages." #GNB2018
Read 126 tweets
Profile picture
#Important:
Yesterday late afternoon #Russia/n forces took 3 positions in Qusseyr and Juseh and established checkpoints. #Hezbollah, not informed of the Russian presence, came close to these forces and asked their immediate pull out+
Following the direct intervention of President Bashar al-Assad, the Russian force pulled out this morning and avoided any clash with #Hezbollah in the area.

hezbollah maantin and kept all positions. The #Russia/n move was not coordinated.+

#Hezbollah did not...I repeat, did not pull out one single element from the area.

I spoke to people on the ground: The Russian decision was unclear and considered unwelcome by the forces on the ground. Still, many elements of this move are unclear.

Read 6 tweets
Profile picture
Thread: About a week ago, I, and a few other students, reached out to Marcus’ family about writing a etter to VCU on their silence surrounding the unjustified killing of Marcus-David Peters

#18daysfor18seconds #MarcusDavidPeters #vcu #rva #JusticeAndReformation #HelpNotDeath
We sat down and started drafting carefully pulling pieces out of VCU’s strategic plan where they have made promises to students and the community.

#18daysfor18seconds #MarcusDavidPeters #rva #vcu #HelpNotDeath
After review by the family, we were asked to read a portion of the letter at the march on Saturday. You can view myself and @khudaiii speaking here (and the other lovely speakers from Saturday!)



#18daysfor18seconds #MarcusDavidPeters #HelpNotDeath #vcu
Read 58 tweets
Profile picture
While the Left forces appear as one constituent mass of horse manure, RW is splintered into groups, all with different priorities. Such as..
1/ #core gang - want hindu rashtra tmr with Yogi ji as supreme leader, TFR>7 & Sanskrit poetry effusive on every lip. Everyone else = cuck.
2/ #EconRight - want free market for all goods, services or utilities, from ola cabs to roads/bridges. No subsidies, no govt. Culture, what?
Read 19 tweets

Trending hashtags

#capacity #Therapy #SDGs #TeamLegal #travaillonsensemble #prestashop #LikeClockwork #drupal #NorthAmerica #autonomy #fintech #transphobe #nextgen #decisionmaking #EconRight #instantpayment #Gnosticism #AliceInWonderland #fix #WeHaveItAll #UNWomen #knowledge #RescueTheChildren #SueMeGemma #plugins

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!