Making Critical Updates Easier – What You Should Know

Professional developers, whether they create open source or proprietary software, have to take responsibility for every line of code they commit to a project, and they have to commit to keeping it up to date. Is the cost and pain of keeping your site updated leaving it open to vulnerabilities? DDEV is here to help make updates easier!

The cost of (not) updating your site

The Drupal Security Team assesses vulnerabilities against a security risk level standard and has marked the release scheduled for March 28, 2018 “highly critical”. Highly critical vulnerabilities include “Remotely exploitable vulnerabilities that can compromise the system.” The implications of not applying this release as soon as possible are serious.

In a rare move, the Drupal Security Team gave the community a week’s warning to prepare for this major security patch, which underlines how quickly and how severely this vulnerability might be exploited. In 2014, Pantheon monitored the attack patterns after the so-called “Drupalgeddon” vulnerability was disclosed; within 24 hours their site had sustained over 500 attempts to exploit the known flaw. That is how fast a public disclosure can be turned around and put to malicious use in the wild.

Locks keep out honest people. If someone wants in, they’ll get in. Researchers from SiteLock found that typical sites are exposed to 44 attacks per day on average and about 16,000 attacks over the course of a year. SiteLock reported that about half (46%) of WordPress sites were infected with malware even though they had applied the latest core updates. Many of the vulnerabilities are not in the core software; they are in contributed code such as WordPress plugins or Drupal modules.

In the PSA, the Drupal Security Team urged readers to “reserve time for core updates at that time because exploits might be developed within hours or days.” They are also releasing patches for recent but no longer officially supported versions of Drupal 8. Not every open source project would do the same; it seems like an acknowledgement that not everyone is keeping pace with updates.

Jessica Ortega, a security analyst at SiteLock, said: “most small business owners typically don’t have the time or resources needed to stay on top of all security updates.” Site maintainers aren’t always keeping up with minor point releases. Sometimes it feels like the level of effort required to update a site doesn’t justify the reward. Keeping your site up to date is essential to keeping it secure, not just when major patches are released, but applying updates shouldn’t hurt so much that people avoid it.

How to make it easier to keep your site updated

As a digital agency responsible for a lot of client sites, you’re not just managing one application or one property. You have a lot to do and not much time in which to do it. As Rick Manelius, Chief Product Officer at DDEV, points out: “If you have 200 sites it can get tricky. Particularly when you have to deploy across multiple hosting providers.” A security update isn’t a release you can sit out.

You might also have different client sites on different versions of the same CMS, which complicates your situation further. It’s not unusual for companies to sit out minor releases when they only add features that aren’t relevant to a project, and intermediate point releases might include changes that could break otherwise well-running sites. Many who maintain Drupal 8 sites still haven’t updated to the latest minor release, 8.5, which came out on March 9, 2018.

Rick said that in his previous agency, the cost of updates was directly related to the speed of the tooling available. “If a client came back with change requests after we deployed to GoDaddy, it could take us an hour or two just to track down the credentials, pull down the site, and address any inconsistencies, any changes to the codebase, before we could start doing any work. Sure, you may have saved money on $10 a month hosting, but there’s no toolchain to push up or pull down.” Clients didn’t seem to understand the trade-off, and would say “You’re telling me for a 5-minute change you have to charge 3 hours?” There are no cost savings if your site is also exposed to major security vulnerabilities.

With better, more automated toolchains you can speed up your response time. We spoke recently to Danita Bowman, who said the DDEV integration with Pantheon means she can quickly download and provision a site in a local, managed environment. “All I have to do is just click the button, basically. I just pull the site up to work on it and push changes up.” DDEV-Local saves her significant time, and the same applies when integrating with DDEV-Live hosting.

Use a containerized development workflow – This means each instance of your site, whether on your local development machine or a colleague’s machine, is consistent and stable. When you set up a site in DDEV-Local, everything for that site lives in an isolated container.

Prepare for the worst-case scenario – You may need to roll back a site. Make sure you’ve tested this process ahead of time, so that it can be done easily in a high-stress situation.

Use hosting services that provide automated backups – Tip: If you can’t easily back up your site on your current hosting provider, NodeSquirrel provides an easy and affordable way to pull a copy elsewhere. The Drupal Backup & Migrate module can also export your site backup to S3.

Keep your software up to date – Make sure DDEV-Local is up to date by following the Installation and Upgrade steps for your operating system. After that, keep your CMSs up to date.
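Two of the checklist items above, triaging a fleet of sites so the ones still below the patched core version stand out, and rehearsing the snapshot, update, verify, roll back sequence before a real emergency, can be scripted. The script below is an added example for this post and is not DDEV’s, Drupal’s or Pantheon’s own tooling. It assumes a plain-text inventory with one `hostname core_version` per line, and a per-major-branch minimum version supplied by the operator; the `MIN_VERSIONS` values are sample placeholders for the example, not taken from this page, so take the real numbers from the security advisory you are responding to.

```shell
#!/bin/sh
# Added example (not DDEV's, Drupal's or Pantheon's code).
# MIN_VERSIONS: "major=minimum" pairs. Sample placeholders for this example;
# replace them with the fixed versions named in the security advisory.
MIN_VERSIONS="7=7.58 8=8.5.1"

# version_ge A B: exit 0 when dotted version A is at least B. Only the numeric
# part of each component is compared; a suffix such as "-rc1" is dropped.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax="${a%%.*}"; bx="${b%%.*}"
    ax="${ax%%[!0-9]*}"; bx="${bx%%[!0-9]*}"   # keep leading digits only
    [ -z "$ax" ] && ax=0
    [ -z "$bx" ] && bx=0
    [ "$ax" -gt "$bx" ] && return 0
    [ "$ax" -lt "$bx" ] && return 1
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 0
}

# required_for MAJOR: print the minimum version configured for that branch,
# exit 1 if the branch is not listed in MIN_VERSIONS.
required_for() {
  for pair in $MIN_VERSIONS; do
    [ "${pair%%=*}" = "$1" ] && { printf '%s\n' "${pair#*=}"; return 0; }
  done
  return 1
}

# sites_below INVENTORY: print "host version required" for every site whose
# core version is below the minimum for its major branch. Blank lines and
# lines starting with # are skipped; a branch with no minimum is flagged too,
# because a site nobody has a patch level for is a site nobody is tracking.
sites_below() {
  while read -r host version _; do
    case "$host" in ""|\#*) continue ;; esac
    major="${version%%.*}"
    if required="$(required_for "$major")"; then
      version_ge "$version" "$required" || printf '%s %s %s\n' "$host" "$version" "$required"
    else
      printf '%s %s unknown-branch\n' "$host" "$version"
    fi
  done < "$1"
}

# update_with_rollback SITE_DIR CMD...: copy SITE_DIR aside, run CMD inside
# it, and put the copy back if CMD fails. Returns CMD's exit status either
# way, so the caller still sees that the update did not apply.
update_with_rollback() {
  site_dir="$1"; shift
  snapshot="$(mktemp -d)" || return 1
  cp -R "$site_dir/." "$snapshot/" || { rm -rf "$snapshot"; return 1; }
  status=0
  (cd "$site_dir" && "$@") || status=$?
  if [ "$status" -ne 0 ]; then
    # Roll back: replace the working tree with the pre-update copy.
    rm -rf "$site_dir" && cp -R "$snapshot" "$site_dir"
  fi
  rm -rf "$snapshot"
  return "$status"
}

# Stand-alone demo on a constructed inventory: `sh fleet-check.sh demo`.
if [ "${1:-}" = "demo" ]; then
  inv="$(mktemp)"
  cat > "$inv" <<'EOF'
# host core_version   (constructed sample data, not real sites)
alpha.example 8.5.1
bravo.example 8.4.5
charlie.example 7.58
delta.example 7.57
EOF
  echo "Sites still below the required core version:"
  sites_below "$inv"
  rm -f "$inv"
fi
```

The rollback helper works on a plain directory copy so that it can be rehearsed anywhere; in a real workflow the copy step is whatever snapshot or backup mechanism your hosting or local environment provides, and the verify step after the update (a smoke test of the site) decides whether to keep the result or restore the copy.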

Get started with DDEV-Local today!
