Drupal Security Team

Computer and Network Security

Drupal Security Team facilitates coordinated vulnerability disclosure of security issues for software from drupal.org.

About us

A channel for news from the volunteers of the Drupal Security Team. We're experimenting with this channel and welcome your feedback. Thanks!

To contact the team, read our page on what options are available: https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquette/reporting-a-security-issue

Individual security advisories are published via email, RSS, Bluesky, and Mastodon. Find all of those channels at https://www.drupal.org/security/

Website: https://www.drupal.org/drupal-security-team
Industry: Computer and Network Security
Company size: 11-50 employees

Updates

  • Don't miss out! Regular registration for DrupalCon Chicago ends on February 23 (2 days) and then prices will go up. There are some great sessions at DrupalCon that will help people to manage the security of their sites: Engineering for security compliance: How to prepare before the audit AI Crawlers Are Crushing Your Website: Here's What You Can Do About It The Bug Stops Here: The State of Georgia Shifts Left Deploy with Confidence: Automated Testing for Drupal Security Team Panel And, of course, there's all the opportunity for networking and conversations. We hope to see you at any Drupal event (camp, conference, etc.) and Chicago is a great opportunity to learn more about security in Drupal.

    Looking to sharpen your skills and expand your Drupal focused network in 2026? Regular registration for DrupalCon Chicago closes 23 February. From deep technical sessions to strategic case studies and meaningful networking, #DrupalCon is where the community comes together to move the platform forward. Secure your ticket before rates increase and join us in Chicago 👉 https://lnkd.in/gj6Aa7UZ #Drupal #DrupalConChicago

  • Happy 25th anniversary of Drupal's release! A few years later on August 1, 2005, the Security Team was created (see the timeline below for more details). We celebrate everyone involved along the way and welcome new folks to support the goal of a secure Drupal.

    Drupal Association

    Community celebrates 25 years of Drupal 🥳 Moshe Weitzman has created a retro-style website to celebrate Drupal’s 25th anniversary! It’s a nostalgic look back at key moments in Drupal’s journey and a reminder of how far the project and its community have come over the years. 💙 ✨ Have a look, take a stroll down memory lane, and help wish Drupal a happy birthday https://buff.ly/K5Ybgh6 #Drupal #Drupal25 #DrupalTurns25 #CelebrateDrupal #OpenSource 

  • Drupal Security Team reposted this

    Today is Thanksgiving in the US. While not everyone celebrates it, I want to take a moment to express my gratitude to the Drupal Security Team, a group whose work often goes unrecognized. As Drupal's project lead, the fact that I'm rarely needed in their operations is the highest compliment I can offer. Their consistent effort has protected millions of websites. For more on why their work sets a standard for open source, read my full post at https://lnkd.in/eTUXfkp9. #drupal #security #thankyou #drupalthanks

  • How can a Software Bill of Materials (SBOM) help improve transparency, confidence, and security of your Drupal site? Read more in this post from CivicActions https://lnkd.in/gNuBWD5E How do you create an SBOM for Drupal? There are a few ways, but you could start with a Drupal-specific SBOM module described in this article from OpenSSF https://lnkd.in/dyCUMv63 Are you creating SBOMs for your projects? What tools are you using? Do you find SBOMs helpful, or is it part of compliance and "checking the box"? What can the Drupal code or community do to better support and leverage SBOMs?

  • Thanks for feedback on our last post. Today, like most Wednesdays, is a security release window and there were 6 advisories published today. 3 were cross site scripting, 1 a cross site request forgery, and 2 were unsupported due to reported vulnerabilities that were unfixed for too long. We often get questions after un-supporting a project. The most common question is if the risk score is accurate: it's not - see https://lnkd.in/gyqtKe4j for more details on that. The second is if we will share the nature of the vulnerability: we won't...for a while - see https://lnkd.in/gKhF6Xpg for how to take over maintenance. Titles of the advisories are below and details are available at https://lnkd.in/ggfbJ3su

    • Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041
    • Bootstrap Site Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-042
    • Block Class - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-043
    • UEditor - 百度编辑器 - Critical - Unsupported - SA-CONTRIB-2025-044
    • Sportsleague - Critical - Unsupported - SA-CONTRIB-2025-045
    • Search API Solr - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-046

  • Drupal Security Team reposted this

    Hello to the community of people interested in Drupal Security on Linkedin. This is a new page and we'd love your help: 1. How can we best use this page? Leave a comment letting us know what you'd like to see. 2. Since we're new, the follower list is small. We'd appreciate your help sharing the page or posts with people who might be interested in our news. What do we *think* people will want to see? It won't just be a stream of the security advisories. We might post a single weekly summary of the new releases that week. We also will likely share longer form content like advice from our documentation, addressing common misconceptions, analysis of industry trends (e.g. software bill of materials). BUT please, let us know what YOU'D like to see from this page.
