So you're all here for the talk, The Web's Wayward Sisters: Performance, Security, and Accessibility. How many people here love Shakespeare? It was an unusual... I decided to go off and run with this as the subject of the talk, but I wasn't sure how much the line of a Shakespeare theme would actually attract people or not. But we'll just let some people settle in. So I want to first of all go off and thank OpenPlus and Coldfront Labs for sponsoring this event. I also want to say that it's been really great to go off and have both these Drupal shops in the community. They've contributed in a lot of ways beyond just supporting this camp. So a good shout out to those two organizations, and happy that they're part of this community.

So I'm Mike Gifford. I'm the president of OpenConcept Consulting, which is Ottawa's oldest Drupal shop. And we've been working with Drupal now for I think as close to 12 years. There's at least one guy here who's been using Drupal longer than we have. And that's Omar, and Omar is now working with Pantheon and has worked for a whole stack of other folks. But one of the things that we do at Drupal, at OpenConcept, is we've specialized in doing work with accessibility and security. And to some extent we've done some work on performance as well. And I'm the Drupal 8 core accessibility maintainer and I've been working on accessibility improvements in Drupal since 2008. I'm also the founder of a11yYOW, which is Ottawa's Accessibility Unconference. And there's a meetup group that people who are here in Ottawa can sign up to, and it is connected to the one in Montreal and Toronto as well. So there's a great accessibility community where you can learn more about accessibility and learn some practical issues as you go along. Also the author of the Drupal Security Guide, which is sort of an overall perspective of how your security infrastructure is set up.
And this is a free EPUB and PDF that we've produced that is very much community driven and that has insights on how to go off and to configure and store your Drupal environment. And also I've written some information on performance and blogged on how to go off and improve your sustainability and improve the performance of your website as well.

So I've decided to go off and, in this presentation, to look at Shakespeare's three witches and to do the Scottish play. And it's something that not many people mix Shakespeare with Drupal, so I figured it was a fun way to go off and to begin. I've also, when I was thinking about things like security and performance and accessibility, there seemed to be in my head some similarities between these three subjects. And I also remember from high school taking Macbeth, and there's the line, "When shall we three meet again, in thunder, lightning, or in rain? When the hurly-burly is done and the battle is lost and won." You know, great little lines like that that sometimes echo to web development. And sometimes there's a bit of a battle to try and get the project delivered and get the client satisfied and to meet all the various demands and challenges that are necessary in implementing a web project. But I was also just coming back from Scotland, when I was able to go off and spend some time there. Although I do like the veggie haggis and the Scottish gin, that wasn't the reason to go off and pick the Scottish play for this.

But often accessibility, security and performance are overlooked and left to the very last minute. And I think that there's so much that Drupal shops and organizations that are developing or that are using Drupal need to think about these three elements differently than they traditionally have, and to try and not leave the actual implementation to the last minute. So much of the time, these are things that are left to the last week, and we just can't sustain that. It's not a good process moving forward.
And I think that if we can try and address some of these issues earlier, we can go off and hopefully address this. So the three witches are, actually just to clarify, if anyone, I'll be using pictures of the three witches in all of the slides. So that's all the pictures are based on those photos. And I have some quotes on the bottom that are part of this as well, that are part of one of the lines from the three witches. The one on this slide is, "Fair is foul, and foul is fair: hover through the fog and filthy air." And try to go off and intertwine these, because I think that we can learn a lot from trying to go off and work on these issues together and trying to address them together, as opposed to trying to go off and think of these as individual items that all have their unique challenges. The three witches represent darkness, chaos, and conflict. And we can try and shed some light on how to go off and deal with those early on in the process, to see that we can deal with this better and earlier on.

So, "double toil and trouble, fire burn and cauldron bubble." It's inevitable that when projects are being built, at least how they're built right now, that people forget about these three issues. And you sort of look at it in the last minute and all the pieces are thrown together, and suddenly there's a challenge because it's too slow. You run an accessibility audit and the tools, and you run into some errors that you don't even know how to address and how to go off and overcome. And you're not sure what kind of risks you're exposing the client to, because the security component, although you may be trying to go off and use some of the best practices, it's hard to go off and monitor and build and maintain the discipline throughout the process of building the site to make sure that it's set up properly. Your site is never going to be fast enough, it's never going to be totally secure, and it's never going to be completely accessible.
These are three things that are very common to these issues, is that you're never going to get it perfect. These are all things that you need to work on throughout the process and that you're going to have to work on through regular reviews and regular updates. And it's important to look at them through the maintenance or the development process, but they're also things that need to be tied to the ongoing development process as well.

So these three issues are also ones that are tied to a lot of layers of technology. People don't think of them this way, but all of them touch on more than one piece. In design, you can deal with your CSS, your images, and information architecture. You're not necessarily dealing with a lot of different technology and different technology platforms, but with performance, accessibility, and security, you're always having to deal with multiple layers of technology. You're also going to find that experts have various different approaches on how to go off and deal with these issues. There's not one agreed-to approach to make your site fast or accessible or secure. So juggling how you approach experts and how you deal with the information that's available is a challenge.

And inevitably, one of the advantages of using Drupal is that you're able to crowdsource the wisdom of other people who've gone through and built these projects. Whereas if you're building custom code, often you're realizing that the solutions are going to be slower often. They're often inaccessible and often insecure. There aren't as many people looking at the code. There aren't as many people testing it to see if they can optimize the MySQL queries. And they're not necessarily as flexible as you need them to be. Most of the clients that we have are people that are not necessarily looking at how do we renew our sites on a regular basis to see that we're thinking about security, performance and accessibility and making sure that they're...
Most people assume that technology is something that's like a table or a chair. Once you buy it, it's there and it's as accessible and secure and performant as it needs to be. But of course that isn't the case. The technology is changing, and trying to keep up with the evolving environments with which our websites are sitting in, so that we can continue to see that we're able to keep up with the sites and the environments.

So performance is often about removing bottlenecks, and accessibility is about eliminating barriers. And oftentimes security is about putting up barriers, putting up those roadblocks so that you have a reduced attack vector on your site. Again, these are things that are usually left to the last minute in many projects to deliver, because it's one of the features that's assumed. All of these are generally motherhood issues when it comes to the web. Most of our clients assume that it's just going to get built in and it's part of the cost, and not necessarily realizing that they could spend the entire budget on one of those aspects and to make sure that it's completely accessible or as fast as it possibly can be. All of these things you can spend a huge amount of time trying to go off and to focus on.

So I'm going to talk about performance. The quote here is, "Fillet of a fenny snake, in the cauldron boil and bake." Performance is an interesting one because there's, again, a lot of layers used in the process, whether it's the, if you're using a headless implementation, or even if you're just using Drupal, there's jQuery UI as part of the process and it's being loaded. There's frameworks, whether it's CSS grids or whatnot. And I think that people understand that performance is important. People understand that nobody likes a slow website, and Google's doing a lot of work to try and to give a higher search engine ranking to faster sites. So that's a wonderful thing to be able to see.
And we also have, we know that a faster site will have higher user retention and that you'll have a greater success for your site if you're able to go off and to get users the information they want in a timely and organized fashion. And that being said, that's not the direction that most sites are going. The trend still is to bigger and bigger websites with more images, more bling and richer frameworks, which offer more possibility for change and for functionality but not necessarily a light performance experience. And if you're in an urban setting and you have access to fast broadband, then you can deal with a heavy website. But if you're in many parts of Canada, you're not actually able to go off and, having a big website is a real barrier to your ability to use it. And there's many parts of Canada that simply don't have the bandwidth that we've come to expect in your major cities. And if you're traveling, or if you're trying to go off and to build services that are accessible to people in Northern Ontario or in rural PEI, you might want to go off and think about what are the impacts of that.

So the average website now is larger than the original game of Doom when it first came out. And it's kind of funny that a video game of that complexity, in that size, is now being delivered for every page load on a website. And of course, when you're loading a website, it's just that first webpage you need to transfer all of the content, and you don't necessarily transfer all of the content for every subsequent page you're using. At least hopefully some of that information will be cached in the browser, or be cached with your service provider, or for that matter cached in a CDN, so that it doesn't need to be loaded all the time. But there is still a lot of data that's being transferred on a regular basis, and something that often impacts not just how people are thinking about the usability of the site but very much affects the environment as well.
How many people are concerned about the environment and climate change and that kind of stuff? As big of an issue as the global air traffic is, a bigger issue is the data centers around the world. They're growing exponentially, and the amount of electricity that is used to power those data centers is vast, and it keeps, as the more we have our devices on us and the more internet of things or sensors of things get driven, the more we're storing vast amounts of data on the web, and it's costing us a lot in terms of the energy to go off and drive this infrastructure. But also so much of the data centers are still powered by coal, and if they were at least powered by renewable energy then that would be good, and there would be less of an impact if they were all sourced from renewable energy. But there's even the big players, that Google is moving more quickly than most towards renewable energy. Amazon, their new data center in Canada is based on, what's all powered by Quebec Hydro, so it's reasonably clean as far as the energy source goes. But it's trying to be aware of the impact of that network and the impact of this technology. Do we need to be storing this data? Can we find ways of...

If we know that the homepage is going to be loaded by 100,000 people, if you think about the cumulative number of bits that are being transferred from wherever it happens to be hosting to people's laptops around the world, that has a huge amount of energy consumption. If we can reduce that and take responsibility as web developers to try and find ways to reduce our impact, not only are we going to have happier customers because the sites are going to load faster, but we're also going to be able to take some measure of responsibility for reducing our potential impact on the planet, and that's something that we all have responsibility for.

So as I mentioned before, Google is looking at the performance and looking at the mobility of... How well your website loads and how...
A lot of these metrics are now being tied up and being monitored by Google as well. So if you... How many people here use the Chrome... the developer tools in Chrome and the inspector tools? So you'll notice now that there's, under the audit report function, the ability to look at Lighthouse and get an accessibility audit and a performance audit of your website, already built into the Chrome tools, so you can have a sense of where some of the bottlenecks are and where some of the obvious accessibility problems are, through some automated tests that Google is providing in their development suite. And if Google is building this into their browser, they're expecting you to use it and expecting you to go off and evaluate it, so that there's a... in terms of trying to develop for clients, having sites that are... Google is aware of these three issues and is penalizing people for not looking at these things effectively.

So accessibility... "Eye of newt and toe of frog, wool of bat and tongue of dog." Shakespeare had some funny ways of expressing things. There's different seats over here and on this side. Accessibility is very much dependent on the design and the frameworks that are used, and it's also something that is dependent on the browser and the operating system and the assistive technology that's being used. It's not something that is a...
there's lots of different ways that people exist online and different abilities that they have that they can interact with online, and trying to go off and build an accessible website is probably to try and to think about how other people are engaging with your site and engaging with the information that you're trying to present. And there's a bunch of people who are probably at Everett Zufelt's talk this morning. It was great to sort of highlight the impact of people who are both keyboard-only users and also the blind users, and those are significant. The keyboard-only user population is quite a bit higher than the blind user population, but accessibility is a lot deeper than that. And one of the populations that I think everyone is looking about at some level is the baby boomer population, and accessibility is going to affect them more and more, because as we grow older our abilities degrade over time. Our eyesight is not going to be as good as it was when we were 20. Our ability to go off and manage fine motor control is unlikely to be as good. Same with our ability to deal with page navigation and basic comprehension of the information architecture. All of these things are things that slowly begin to degrade over time, and I think that there's no organization in the world that's willing to simply just write off the baby boomer population. They've got too much political and economic clout, and also, when was the last time the baby boomers were denied anything? So it's something that legally and politically there's a lot that they are able to go off and to muscle, and I think it's really something that most organizations need to be thinking of. There's a try to go off and understand how people interact with the web and the different ways that people are able to overcome their information. Tim Berners-Lee was very, when he was crafting the web, saw this technology as something that could really help to be a platform that leveled the playing field and allowed everyone to be able to engage and 
interact with each other, and that's a really useful goal and vision of how the web should be constructed, but it's something that we've sort of forgotten, because the web as it has matured has sort of chased the latest shiny flashy thing, and there's been a drive towards the bling and not necessarily that much attention paid to how do we actually make sure that the content that we're creating is something that will be available to the broadest number of people as possible.

So the thing about accessibility is that there's a legal component to this as well. In Ontario, there's the AODA. Has everyone heard of the AODA? The Accessibility for Ontarians with Disabilities Act. So this is a really interesting set of progressive legislation that is not just affecting governments and those institutions but is also affecting any business that's dealing with people over 25 employees. There's implications for a range of different people. There's legal implications to not addressing this and to looking at your website both as a consumer or as a producer of content, but also as something that is highly staffed and accommodated in your own staff. How many people here have American clients?
So the US has a whole other bailiwick of legislation, as do people in the UK and France, but the US Section 508 is an interesting set of legislation that has gone through a revision, and both the Americans with Disabilities Act and Section 508 have recently adopted the international standard of WCAG 2.0 AA as the standard. And if you are an organization that has a website that is not a private club or a church, you could very well be sued because your website is not meeting those basic accessibility guidelines, and that's something that most clients are not aware of, and something that there's an increasing number of organizations that have been sued because of their accessibility challenges with their website in the US. Fortunately that litigious approach hasn't come up to Canada, but the Canadians with Disabilities Act is probably going to be announced next year, and it will be interesting to see what the responsibilities and the enforcement techniques within the Canadians with Disabilities Act are going to be here in Canada.

So security has some similar risks. So the quote here is, "Adder's fork and blind-worm's sting, lizard's leg and howlet's wing." Sometimes you get into the grunge of a development project and it does really feel like this kind of feeling. Yeah, just as often technology is not as clean and easy and simple and straightforward as we'd like it to be, and I like the magic elements and allusions to these dark mysterious powers from the three witches here. But yeah, you can definitely have legal implications for not securing your website as well. And so many people out there think that they're not going to be a target of something, there's nothing that they have to hide, they're not particularly concerned about security because really they have nothing to hide and nobody is targeting them. But what most people don't realize is that everyone on the internet is a target. There's a bot out there which is looking for people and servers to compromise and for new marks to be 
able to pick out and exploit, and if you're not concerned about your users and their privacy and the ability to go off and to use your database and your site as a way of spear-phishing individual users, this is something that will come back to haunt you over time. And very much there are legal implications to not securing your infrastructure, not doing due diligence to see that your information isn't... yeah, that you're securely managing it. It's certainly one thing, if you're more serious, if you have credit cards online, but it's also a big issue if you have other communities of people, that if you have a lot of people who are logging in and setting up accounts and are storing personally identifiable information on the site.

How many people know about OWASP? So it's a security, it's the Open Web Application Security Project. It's a great community of people that are looking at both highlighting big security problems in the web worlds but also putting forward ideas and suggestions for addressing that, and it's definitely a good place to learn from that. And so many organizations tend to forget even the basics of security, and one of them that I keep reminding people is just update your site early and often. Don't wait too long, and make sure that you've got... if you're setting up a website, trying to make sure that you are not waiting until the...
you should be applying the updates within a day or two of the release, and some issues you should be updating them within hours. People know about the Drupalgeddon attack that took place two years ago now, something like that. And within Drupalgeddon there were, after the release of the patches, there were bots developed to try and search out problems with websites, and within seven hours of the security notice being formally released there were automated bots that were crawling the web looking for Drupal websites and trying to take advantage of this exploit. And it's not just about trying to go off and take advantage of one website and being able to modify the code base or the theme or the look of a website. With Drupalgeddon and similar hacks you could take over the whole operating system and the database and do some significant damage, not just on trying to go off and to pull information down from your website, but actually being able to establish control of that website and make sure that you're able to, on an ongoing basis, pull information about the users and about the data that's being transferred and to monitor that, and that's the...
it's much more dangerous to go off and to have a bot actively sitting on your server than it is to have somebody do a one-time drag and drop of your user data, because if they're actively watching and monitoring and exploiting your website over time, just in the background, they can get so much more information simply by being there.

So we've got a free security guide that's available on our website, and we went and wrote this guide because we were hired by CSIS to go off and to deal with an issue with their site when their recruitment website was hacked by a Viagra scammer. And it was a rather embarrassing thing for Canada's top spy agency to be hacked by a Viagra scammer, but it was a very public thing as well, so there's no NDAs that were required, and I was able to go off to write some documentation and release this documentation to try and help other organizations deal with understanding the complexity of securing your whole server environment, and also to be able to talk to management about how important it is to address these issues early. So many of these problems are things that technical people understand but management isn't necessarily going to prioritize, so how do we try and take these ideas and make sure that people who are actually controlling the budgets are able to understand and to value.

So let's get back to some specifics. So the quote here is, "For a charm of powerful trouble, like a hell-broth boil and bubble." So with Drupal 8 you've got some great advantages with performance. It is slower directly if you compare with Drupal 7 loading the same content, but there's a bunch of stuff that's being built into Drupal 8 which means that if it's configured right and it's setting up the same server, it can scale much better and do much better overall than Drupal 7 can, because of the infrastructure investment that's being done by the Drupal core community. So one of the elements is that JavaScript is running on the footer, so again this is stuff that happens and 
you're able to by default set up websites so that your initial page load isn't going to be waiting until after the JavaScript downloads. There's the image cache module that is built into core in both Drupal 7 and Drupal 8, and if that's set up properly you're able to go off and make some sensible presets for image processing to try and reduce the size of the images that you're managing. In Drupal 8 we've replaced a number of PNG files and GIFs with SVG files, and that's useful as well to try and both deal with the mobile implementations and, for that matter, Drupal is being used to deliver so much these days, and to have, having Drupal websites deliver either ticket things or it's used for a lot of information, so it's not something you can assume is going to be sitting on a desktop or laptop device.

So there's a lot of improvements that have happened with caching in Drupal 8, and that's huge, that the caching engine is being rewritten to see that by default the page caching is managed better. There's default support for PHP 7, which again, Drupal has tried to go off and to help push the PHP community and to push adoption of better versions of PHP instead of supporting the old legacy PHP versions, and Drupal is really trying to take a leadership role in getting people to adopt the latest version so that we can deal with more modern implementations of PHP and to have a faster, more secure code because of that. After Drupal 8.1 BigPipe was implemented, and does everyone know what BigPipe is?
So BigPipe is basically how Facebook pioneered how web content is being delivered. So instead of having to, instead of loading a new page and relying on page caching, the Drupal, or through BigPipe, is now able to go off and send pagelets, or little components of the pages, to your browser. And so instead of sending all of the page content and having that be loaded on a demand, you can just send specific pagelets that allow your website to more quickly load, because you're not having to refresh everything. You only have to modify the pages that change as you jump between pages, and that's certainly a huge advantage as well.

There's also better support for HTTP/2. HTTP/2 has a server push functionality that makes sure that your style sheets and JavaScript and other elements are able to be all sent at once in a proactive manner, instead of being queued up and sent in separate requests, so it's a much more forward-thinking way of delivering pages. How many people have jumped over to HTTP/2 for some of their sites? No?
There's definitely some advantages to that. Also on performance, there's great use of modules like the Fences module and Display Suite. When you're doing your development, you're actually doing your theme, if you can eliminate any code that doesn't need to be presented, if you can simplify your HTML while you're doing the development and before you actually do the heavy theme of the site, you can, again, the less HTML you need to send across to the browser, the more performant it's going to be. So thinking about that process in the development, and the longer it takes you to go off and do that, like if you've waited until after the launch of your website to go in and to look at performance, you're going to need to then go through and look at all of your JavaScript and CSS and verify that that all works. So again, the earlier that can be done in the process, the easier it's going to be for the maintenance. We know our clients are going to want this, and we know our clients are going to want to have fast websites, so how do we build that into the process to see that we're actually able to pay for the development of that additional time to see that it's done properly?

The lazy loader module is also available in Drupal 8, the image lazy loader module, which just basically means that the images can be loaded, the images on the bottom of the page can be loaded afterwards or only one page is refreshed. So again it's a good way to try and reduce the number of bits that are being sent for the browser, or at the very least to be able to reduce the number of bits that are being sent early on, so that you're able to get the information as quickly as possible to the client.

And another thing that's always important in websites is to disable any modules that are not being used, and that's something that is often forgotten. The number of websites out there that are in production and still have development on them, or for that matter, if your site isn't being actively, if you're not actually working with Views 
regularly, you can disable the Views UI interface, and the less code that's running, the faster your website is going to load and also the more secure it's going to be.

So D8 accessibility. This is the piece that I know the most about, since I've been pushing Drupal 8 accessibility since 2008. Quote here's, "Double, double toil and trouble; fire burn and cauldron bubble." So some great things we've added in Drupal 8. We couldn't add ARIA, WAI-ARIA, in Drupal 7. It was a little bit too early. There's some pieces where we were able to add that level of, where we had to add it even though the ARIA standard was not finalized, so in Drupal 7 there's a couple instances where we do have ARIA, but we tried to really avoid that because of problems with the implementation, because the standard was still being developed and changed. But in Drupal 8 it was a fixed recommendation, we were able to implement that. Likewise HTML5 was solidified at that point, and we were able to bring in a bunch of native elements from HTML5 to be able to address that. And HTML5 has the advantage of exposing a lot of other semantics, so the information about the web can be exposed and leveraged going ahead. So whether it's the footer element and making sure that your page is clear to everyone what is the information that's in the footer of your web page versus your header versus the navigation versus the main content, all that stuff is structurally set up. Whether you're dealing with an article, whether you're dealing with a, there's more options to go up and express that semantics, and it's really helpful with not just the dealing with people using the assistive technology to navigate your website but also people who are using other technologies to access your website. The semantics that we've built into Drupal 8 will help you with your mobile presentation, it will help with the, if you're trying to go off and do voice integration, that will help with that as well, it will help with accessing bots, if you're trying to go off and integrate 
an AI information. Having that additional semantics built into core and having structured content will help you present better content to everyone. We've also, Drupal 8 made a lot of improvements to color contrast, to low vision. We've added pieces of the W3C's ATAG, the Authoring Tool Accessibility Guidelines, and this is ATAG that I'll be presenting on tomorrow morning, and it's an area that's often overlooked because people think about, people don't tend to think about what happens when content authors start adding content. But generally what happens when, as a web shop, we hand over a nice shiny CMS to a client, the client starts adding content, and even if we had to give them a perfectly accessible website beforehand, as soon as they start adding content the accessibility goes down, because they haven't trained the content authors to be able to produce content that meets the very technical WCAG standards. So if you can build in logic into your CMS to be able to guide people and provide the training wheels that users can have to help direct their content, produce better content, then you're going to be much better off in terms of accessibility.

One of the things we've done before this is to require alt tags on images, so between Drupal 7 and Drupal 8 you're going to get a prompt if you try to upload an image through the user interface and don't have alt text on it, and you're going to have to either fill in that alt text or disable that alt text in order to go off and to add that image. And that's something that is, we haven't done any tests on this to evaluate this, but I'm confident that just having that prompt will ensure that Drupal websites are going to be more accessible in their content, simply because users have been prompted to enter the content. And there's a lot more that can be done in this, but we've started down the road of building in these improvements to the authoring experience. There's also improvements we've made to the table infrastructure, so in Drupal there's a lot 
of tables, both on the admin side but also with Views. Views is such a powerful query engine, but a lot of times you're producing tables at the end, and there's now the option to provide summary and caption information so that you can describe the table that's being used and get a real sense of what are the elements that, as a blind user, what would you need to find out, what is this table trying to express, and how do you address that. There's also inline form errors, which have now become part of, it's no longer an experimental module, it will be included in the default of core. It's not going to be enabled by default, but it's something that's available in core right now and in the next release. And if you're looking at doing Drupal development and developing your website, I do recommend that people look at tools like the WAVE toolbar and Tenon. They're great tools to provide a visual sense of how accessible your website is, and these tools are automated tools that will only probably grab about 20% of the accessibility issues, but it's really important to at least make sure you've got those automated tools in place to be able to deal with those. Don't worry about testing the screen readers just yet. Usually developers, it takes a long time to be able to understand how a blind user uses a screen reader. It takes no time to go off and understand that the red icons with the WAVE toolbar are bad and that you can fix those with some simple changes to your HTML. And there's also to mention that Aaron Marchak and David McDonald are doing a great talk on WCAG 2.1. Accessibility is a moving target. The guidelines are changing. The web of, WCAG 2.0 was written or was released in 2008, so a lot has changed on the web in that time, and these guidelines are being updated, and the expectations of the web developers to keep up with those accessibility guidelines is, we're going to have to learn this as well. So this is changes that are a part of it. So security is also an important thing to try and keep
updating, and in terms of Drupal 8 we've got Twig now, so we're no longer having to deal with PHPTemplate, and it's so much harder now to go off and to have a designer throw massive PHP many structures and giant PHP code in your template, because there's that further segmentation of the design and the logic of the site. So that's been a big push for improved security in the Drupal community. And there's now in Drupal 8 a public file base URL, there's a limit to the number of file upload attacks, there's a trusted host pattern. We've removed PHP filter. PHP filter was fun, but it's a little bit too dangerous, and certainly the possibility of exploiting code, if you've ever had to deal with a website that has been compromised and had PHP filter enabled, it's like, where are the problems? They could be anywhere. It's a real nightmare when you do run into problems. YAML files, which are great to sort of hard code your configuration, which again makes it harder to hack when there's changes in the code base. You can take your code base, your configuration, and you can put that into Git and make sure that that's managed separately from what you can access through the user interface. There's a hardening of user session handling, automated CSRF token protection. We've stripped out the domains out of cookie domains so that the www dot is stripped, that again helps with security. There's improvements to MySQL and some clickjacking protection and some JavaScript API improvements as well. But in terms of recommendations for people who are using Drupal 8, definitely recommend that people use the Coder module to do a review for your sites, any custom code you've done, and if there's any modules you haven't reviewed with Coder, it's useful to go off and see if there's anything that's not being developed for the Drupal best practices and anything that's out of scope with that. And if there's any, the Coder module can look for things like the SQL injection attacks and identify those. There's also
great modules like the Security Review module that isn't formally released in 8, but there's a version available in Git that you can use. Don't use this on your production websites. These are tools that you want to use on your development site, and something that's at least behind a password so that people on the internet can't go off and hack it. It's definitely a point of vulnerability in terms of security if you're developing a website open and don't have any, and you're not applying security releases while you're doing the development of the website. That site could be hacked in between when it's being developed and when it's launched. So if it's sitting on the internet, it needs to be updated, and it needs to be updated regularly. And another two modules that are worth looking at, the Site Audit module and the Hacked module. I do like the Hacked module because it does show you when there's changes in the code base and if the modules that are released have any sort of variations. It may just be that there's a patch that you've applied that hasn't been brought into core, but it's useful to review that and make sure that everything in your code base is aligning with that central repository of information on Drupal.org, and that commitment to that central code base is a really important part of making sure that your site is secure. And disable unused modules for performance, it's also really important for security. So cool it with a baboon's blood and then the charm is firm and good. Timelines. So there's, the earlier you can look at performance issues in your development cycle, the more you can do testing to see what is your benchmark at each release, so that if you've added a new module or added a new functionality, that you can compare the performance with the last release and the current one. That will certainly help. If you can spend time going off and properly setting up your environment, it's one thing to go off and to assume that that BigPipe is something you're going to be able to
turn on in the end and be able to run with, but it could be that there's some conflict in a module that you're using that may interfere with BigPipe. So again, if you're developing with it and are doing the testing with these modules to make sure that they are going to be performant, you're not going to be surprised at the end and you're able to go off and to more quickly react to issues when they come up. And you definitely, when you're dealing with performance issues, so much the time it comes down to caching, and that's a real annoyance for developers. It's just dealing with which is the error, where is this content that you're cached, and has this problem really been fixed, and how do we make sure that the site is properly, the cache is being cleared properly and managed properly. So with accessibility, making sure that your developers and designers are using automated tools to check for common accessibility problems and have that really early is very important for developers now that have been developed and are being improved to go off and to do automated checks. So axe-core is one that Deque has put out that is released on GitHub, and that's a good open model to go off and to build on, and that's the engine that the Google's Lighthouse project is using. So again, that's getting some good support from the Google community, so it's at least a simple one to start with in terms of automated testing. But you can also look at, in terms of accessibility, you can go back as early as the wireframing to help, but certainly you can look at accessibility in the wireframing process, and Aiden Turney has presented a number of times on how they are using accessibility in their wireframing process to alert designers and developers about some of the problems and some of the functionality that is expected, and how, what are the things to look out for when you're developing a site, and to make sure that it's not sort of an aha at the end of the project, that it's something that is caught as early as possible
because it's so expensive. The later you wait to fix an accessibility problem, the more expensive it becomes. And we've also built a lot of accessibility best practices into Drupal, and the more your team can learn about those and try to address them into your building, your software development process, the better it is. One of the easy ones is dealing with CSS display: none. We have a centralized process for dealing with CSS display: none to making sure that content is invisible or visible on focus, and if you stick to a Drupal standard for this, then you're going to be able to update that more easily in a central location whenever the assistive technology and the browsers decide to go off and change how they're supporting that. The other thing that we've added in Drupal 8 is the tabbing manager to make sure that you can control your workflow and tabbing, and also having a Drupal.announce to see that there's a central way to manage ARIA implementations and to control that through JavaScript. And security, you know, you make sure that you've got some automated testing on the modules of the custom code that you're looking at, making sure that your developers are developing to the coding standards. And it's also, when you're choosing your modules, try and look to see that you're choosing modules that are supported by the Drupal security team. There's a lot of modules now that are officially not putting out secure releases that have not been... 
you can opt out of that security monitoring by the security team at the moment, and so make sure that when you're choosing your modules you're looking at that, and to see that you are trying to see that you're keeping up again with the modules that are going to be supported for security going ahead. So running out of time here. So in terms of best practices, I think that it's useful to go off and start with Drupal, to leverage Drupal's APIs, to start with the core themes. If you're theming a website, you can now go off and use Classy or standard as your base theme, but also the Zen and AdaptiveTheme are good themes to look at because they have been so tested, particularly for accessibility but also for security performance. I would recommend that people don't go with headless just yet, not because it can't be done, but because it's a whole other community and a whole other set of information, and headless Drupal is just at the moment... headless approach is generally strip out all of the work that's being done to improve the HTML and the semantics of Drupal, and it's, I don't know yet of a good pattern for going off and addressing accessibility in a headless implementation. Using automated tools is useful, but also doing keyboard only testing. You can do a lot to try and find accessibility problems simply by tabbing through the website, and so many times you're going to find that the menu doesn't work for keyboard only users, or that you can't get to certain pieces of the website, or you don't know where you are because they haven't brought a focus element in to see that there's some visual indication of where you are, whether the designer has gone off and used outline: 0 or has simply styled it out. But trying to make sure that a keyboard only implementation has as much or more implementation or more representation visually than a mouse would have. And in terms of security, start with a secure server environment and make sure that you're keeping your site up to date and making sure
that you're only managing the code that you need to manage. Code is debt, and if you have a lot of custom code, that's a lot of debt that you're having to maintain. If you're able to leverage the Drupal community, you have a lower responsibility for what you've selected. Good, well maintained modules that have a good community of people behind them, and you're participating in the issue queues for the modules that you use to try and make sure that you've got more robust and more feature rich applications, you're going to be better set for having a module be maintained by the community. And separation of presentations and code is quite important, and we've accomplished quite a lot of that through Twig as well. And what else? So this is Joey's kitten, and I got to say that there's an element in the Drupal community to talk about free as in beer or free as in speech. I like to think about it as free as in kittens. So you can be given a wonderful kitten, but if you don't feed it and take care of it and play with it, then it will go off and rip apart your furniture and tear your eyes, and maybe it will starve to death or maybe it will eat your goldfish. But you need to think about free as in kittens and find ways to nurture that community, you know, contributing to the community, coming out to events like this, contributing code back to the community. I was really hoping that Alex Bonilla this morning was going to be talking about a shared first approach and the idea that the US government has tried to implement in terms of code.gov, and how do we try and make sure that we're contributing, the government is contributing back on these issues. And we didn't quite get there today, but hopefully that will be something that they'll be able to embrace fully like the 18F community and others like the GDS team in the UK have done. So, and with that, thanks again to our Diamond and Platinum Sponsors, and if there's any questions please let me know. No questions? You said you said you liked your white necklace right? 
You said that you don't have yet like a solution for this, but is there any solution for you at all? There are approaches to developing React or Angular to be accessible, and there are, there, it can be done, but it comes down to ensuring that, what are the defaults, and what does your community need to do, the Angular and JavaScript communities' defaults, to see that they are using the proper HTML involved. It's a change on their side. It's a change on their side, so it's trying to say what is their community doing to try and make sure that their sites be developed towards best practices, as opposed to what so many JavaScript people do, which is, let's go off and, what they tend to do is take divs and then apply ARIA to the divs and just style up the divs, and it's like, well, that's not a good approach. The first rule of ARIA is don't use ARIA. You know, use ARIA if you need to use ARIA. If you can't do with HTML, then use ARIA, but so much of the accessibility can be done with, or so much of this magic time with HTML, so don't use ARIA before early on in the process. So, any other questions? Automated tools but they need more access to minutes they need to understand how to verify to the site do you have any sites how do you love to be a part of the audio on the sites and look for assistance or meeting or not how do you insert right I wish the government was using good approaches and was contributing back to them. Mostly they're buying on to commercial services to do audits and catching the problems after the fact, so the government is not a good example of how to do this. Anyways, thank you very much.