Every Wednesday, the Drupal Security Team publishes "Security Advisories" (or SA's) to tell users about security vulnerabilities in Drupal core and contrib modules, with advice on how to solve the issue so that their site is secure.

This is a short series of articles about how to better understand all the information in a security advisory, so that you know how to take the appropriate action for your site!

Understanding Drupal Security Advisories: Vulnerability type

by David Snopek on October 5, 2015 - 9:09am

This is the second in a series of articles about how to better understand all the information in a security advisory, so that you know how to take the appropriate action for your site!

There are several different types of security vulnerabilities, each with a cryptic (and highly technical) name like Cross Site Scripting (XSS) or SQL Injection.

There are plenty of technical articles on the internet explaining what those mean from a coder's perspective, including how to prevent them (by writing better code) or even how to exploit them.

But what do they mean for you, the site builder or site owner?

The most important question for you is: If an attacker exploits your site with a particular vulnerability, what will they be able to do to your site or users?

Of course, you should take action on any security advisory that affects your site as soon as possible (or hire someone else to do it). But what could happen if you didn't?

Some vulnerabilities would allow an attacker to completely take control over your site, whereas others would only allow them to access some non-public data. How can you tell which are which?

Read more to learn how the different vulnerability types could impact your site or users!

Understanding Drupal Security Advisories: The Risk Calculator

by David Snopek on September 15, 2015 - 9:06am

This is the first in a series of articles about how to better understand all the information in a security advisory, so that you know how to take the appropriate action for your site!

Not all security vulnerabilities are equal!

Some are highly critical and require immediate action (as SA-CORE-2014-005, aka Drupalgeddon, was), or your site could be irreparably damaged and you'll have to restore from backups.

And while you should take action on any security advisory that affects your site as soon as possible (or hire someone else to do it), some security vulnerabilities present less risk, so you might choose to delay updating and focus on more important things in your business or personal life.

But how do you make that decision?

All security advisories come with a "Security risk" that is generated by the Risk Calculator, which is where the labels like "Less Critical" or "Highly critical" come from.

However, those labels aren't very instructive because they don't really tell you what you're at risk of. 

Each security advisory also includes the full set of values provided to the Risk Calculator - which contain a wealth of information about the vulnerability - you just need to know how to decode and understand it.

That's what this article is about!

Read more to learn how to understand the Risk Calculator used in Drupal Security Advisories!