All right, I think we'll get started. OK, thank you, everybody. Welcome to the Drupal security panel. This session is proudly sponsored by Skipper, the Drupal hosting platform. Skipper is suited to organizations that want a fully managed platform for hosting all their Drupal sites on fully managed, high-availability Kubernetes and AWS managed services. Security is an important part of the platform, and that's why we wanted to have this discussion specifically around security. Skipper provides a number of security features, including read-only containers to prevent any malicious code from being run on your site; secrets management for securely storing API keys, passwords and things like that; automatic certificate generation so that every site has HTTPS by default; automated creation of sanitized database images, Docker images for sharing databases around between development environments, test environments and so on; as well as account isolation, so we use individual accounts per organization for isolation. So please join us at the Skipper booth or contact us directly at info at skipper.com.au.

With that, I'll move on to introducing our panelists for today. First up, we have Nick Xu. Nick is the operations lead at PreviousNext and the architect for the Skipper cloud hosting platform. We also have Lee Rollins. Lee has been working with Drupal for 12 years, nine of those as a senior Drupal developer with PreviousNext working on some of Australia's largest Drupal projects, and he is a top 10 core contributor, core framework manager, and a member of the security team. We also have Joseph Sauer. Joseph is part of the less visible team from the Department of Finance who work behind the scenes to keep the GovCMS distribution stable and secure, and he is also a provisional member of the Drupal security team. And lastly, we have Nick Santamaria. Nick is a senior DevOps engineer at the Victorian Department of Premier and Cabinet.
He spent his early career specializing in Drupal, eventually focusing on cloud-native technologies such as AWS, Kubernetes and Terraform. So welcome, everybody.

All right. I've realized we've got a fairly short amount of time, so I'll get straight to the questions. First up: how has securing Drupal sites changed over the last few years? I think I'll pass this one to Lee first, but feel free to jump in whenever you need.

I think the biggest change has been moving to Twig with auto-escaping in Drupal 8 and 9. So it's much harder now to leave XSS vulnerabilities open in your code, whether you're a front-end developer or a back-end developer. I mean, other than using the raw filter, it's near impossible to do that.

Yeah, I was just going to say that back in the day, you were a Drupal security expert if you used the filter_xss function. But now the technology landscape in Drupal has evolved so much that you can really specialize in architecture security, back-end, front-end, encryption technology, so there's a lot more diversity and maturity in the security landscape.

Anyone else? Can I jump in on that one? Yeah, things have gotten easier and harder. Reflecting on this question, things have gotten easier: things like certificates, things that years ago would be a manual process that took a lot of stakeholders to make happen, that just went away. But at the same time, the apps that we're building are much more feature-rich and include a breadth of things; they're very deep. Whether that's a front-end framework, Drupal, the hosting architecture, things have gotten a lot deeper too.

All right, Joseph, do you want to add to that? No, I'm good on this part. Thanks.

Okay. All right, the next question. How have you seen organizations responding to the advanced persistent threat of cyber attacks that has been widely publicized in the media recently? Who wants to take that one?
So yeah, working in the public sector, this is a thing that's kind of front of mind at the moment. And the upper echelons know this, and they're investing a lot in things like staff education for social engineering and phishing attacks. So people are aware of it, and that is leading to a culture of security, which is a really good thing. We're also doing stuff like proactively making sure our S3 buckets are secure and that all of our applications and servers are patched. So just really making sure we're nailing the basics.

I also think it has legitimized tickets, or raised the importance of tickets in people's backlogs, that are security items. I think, for a mass of clients, they said, okay, cool, what can we do? What can we do that's extra? How can we improve things? And I think that has led to greater adoption of security-based tickets in backlogs as well. It's really legitimized that, from what I've seen.

All right. Next question. Many organizations now have tens or hundreds of Drupal sites. What are some of the ways organizations are managing Drupal security across so many sites? I'll pass this one to Joseph.

Yes. So, as you know, with GovCMS we have almost 300 government Drupal sites from about 100 government agencies in the production environment, and these sites are built on either Drupal 7 or 8. So it is a really big challenge for us. Some key things I want to mention about our organization: the first one is that, alongside the different Drupal security ratings, we have a GovCMS internal rating. So for example, if we take something as a critical issue, it must be released and deployed within seven days. Another method we are using is that not only do we have an operations team who take care of codebase update deployment, we also have a security team set up. So we have a dedicated security officer who is actively monitoring the Drupal security updates.
Okay. Thank you. Nick, what's going on? I just want to take this opportunity to pimp out my 2pm talk, which is on how to effectively manage a fleet of sites. So I'm going to talk in a lot of detail about things that we're doing to make that simple. But it comes down to standardizing as much as possible, automating as much as possible, and really trying to maximize your developer productivity by not having to do things and not missing things.

Anyone else want to jump in on that one? I think that's really interesting. My kind of preloaded answer was very technical around platforms, but I think it's very true. The technical side can be hard at that scale, but governance is a big, big, big component of that.

Yeah. So I want to add one thing: instead of the traditional way, we also have a site audit set up based on Drutiny. So basically we can run a nightly site audit report on every site, and the next day, tomorrow morning, a security officer will review those reports and create a Jira ticket for any suspicious behavior. Then the developer will jump in to troubleshoot or discover what happened.

Okay, great. I'll pass this next question to Lee. How are customers driving demands for increased security, and what are some examples? With the customers that I'm working with, I'm seeing that more and more of them have their own cyber security departments or specialist departments or staff. Typically, three or four years ago, when you were building a site and going live, you'd have penetration testing and you'd be interacting with the product owner on that, but now I'm finding more and more that I'm interacting with the specialist cyber security teams at the clients. So it's an indication that this is being taken seriously now. I think that's driven things like two-factor authentication. Those teams care about that a lot more.
I don't... it's like they just understand why it's such a critical part. Yes, I agree. For GovCMS, two-factor authentication and webform encryption are driven by the clients. Yeah, so that's the other aspect: it's what you're storing too. I think people are looking at what they're storing now, after recent announcements.

All right. How do you think the Drupal community could collaborate better on improving security? I'm going to jump in here, if that's okay, and just give a shout-out to Joseph. The Drupal security team is a group of volunteers, and not a huge group, and everyone's doing it in their limited free time. So getting more bodies on that team helps. Joseph joined recently and immediately had an impact. If anyone else has an interest in that, you can go to security.drupal.org and there's a form there where you can apply, particularly people with skills in Drupal 8 and 9, because we don't have as many people with those skills.

I want to thank Lee, who encouraged me to share my knowledge with the Drupal security team. What I want to add, from my personal experience, is: don't be a guest. Contribute to the Drupal security team. You can report security concerns, help with testing, do reviews. Drupal is an open community, and I think it needs everyone's time and effort to make it better.

What about on the infrastructure side? Are there things we could be doing collaboratively around infrastructure? Yeah, I think the ground's shifted a lot below Drupal in the past four or five years; the landscape for actually deploying an application has changed, and Drupal is no different. So I think there's still work to be done there, especially in the container space. We have a lot of literature around... Sorry, Nick, you mean more like a community set of base containers or something like that? Yeah, something along those lines.
I think we can solve it in a technological way like that, and also through thought leadership in this new space. We have plenty of literature around deploying Drupal on a VM instance with Nginx, PHP-FPM or Apache. That's a very well-trodden path, but moving into containers... And yeah, I would love to see some base containers created.

Do you think Docker containers suffer from, I guess, the old inheritance versus composition problem, where it's very hard to add your own specific stuff if you're going to rely on an upstream container? Yeah, and I think there's a very varying degree of workflow in the community, which is worth going through and defining. I think if people are using a Composer-based workflow, then they would lean more towards using a PHP container. Anyway, I think there's a lot of work to be done here.

All right, I'll move on. What are some of the most important changes developers can make right now to ensure their sites are secure? I'll jump in there, if that's okay. If you're using the raw filter in Twig, don't. If you have a Full HTML input filter, get rid of it. And obviously, never trust user input.

I think if you can set up automated Composer updates in a CI pipeline or something, that is going to give you an immediate benefit. If your developers can roll in on a Thursday morning and there's a pull request with Drupal core updated, that's several hours of productivity a week saved. Automated updates. And adopt a pull request-based workflow if you don't have one, or if you do, then also include other members of the team in reviews. You'd be surprised how much gets picked up.

Yeah, I would like to add one thing to the pull request review: we used to do just a technical review, but recently we added another layer of review, which is a security assessment. I think if your team has enough resources, it is worth doing this. Okay, go ahead.
Okay, so I guess this is more on the hosting side. What are some of the key features of a hosting platform for hosting secure Drupal sites? Read-only file systems. You got it again. Go, Santa. Ah, yeah. Like Nick said, I had read-only containers as something that's very important to us. Another thing is role-based access control for platform actions: who can deploy to prod? Who can get a shell on an environment? Web application firewalls, a WAF, that's another thing that's becoming mandatory for us, in terms of being able to block your OWASP attacks but also potentially malicious IPs. Yeah, a WAF is definitely essential.

I also want to suggest that, because many sites are currently using Kubernetes, Docker images and CI to build an application, it is worth adding a container security tool too. For example, it could be Docker Bench or Clair. I noticed that there's another session happening on that, so if you're interested, maybe it is worth getting to know more. But yes, definitely a container security tool.

Okay, great. I've got one more question, and then we might go to some of the Q&A questions. What do you see as some key technologies that are coming down the pipeline that would improve security at both the Drupal and infrastructure levels? What's on the horizon?

Yeah, I will start. We already mentioned the WAF, which is really good; it's very essential for preventing SQL injection, cross-site scripting, etc. I also want to mention site audit tools: Drutiny or any other available Drupal scanner or tool. The third thing I want to mention is, if possible, maintaining Drupal security logs and audits. For example, Kibana could be used, which is quite helpful, so we can monitor and audit those logs. It will be really helpful for us to monitor suspicious behaviors. And the last one is, as we already mentioned, container security tools.
We've got two minutes left. I've got two. Oh, no, go ahead. Okay, I was going to say, there's a new HashiCorp service or product, Boundary, which is kind of like an enhanced bastion host that talks to an OAuth identity provider but then allows you to SSH onto stuff, connect to a MySQL database, and all of that is controlled by RBAC and logical groups of resources. So yeah, that's exciting.

I think what's coming down the pipeline is clouds. Clouds are getting way, way smarter. They've facilitated us with compute; now they're adding value, and a lot of that value in the last year or two is, for example, AWS WAF shipping managed rule sets which cover your OWASP Top 10. So a lot of that is there. And other lower-level technologies like Bottlerocket, which is like a lightweight VM. But yeah, I really think there's a lot of really cool stuff coming from cloud providers now, who are trying to differentiate from the others.

All right, we've got 40 seconds. Unfortunately, we didn't get that much time. I've got one quick question. Any tips on how a team can progress towards preemptively addressing security issues rather than being reactive? I think we kind of covered that with PR automatic updates. So yeah, thanks to the panel; it was really useful. I certainly enjoyed it myself. Any final words? Bye. All right, thanks everybody for coming along, and I hope you enjoyed it. Thanks for stopping by, guys. See you. See you also.