Yes, we did it again! After some weeks of hard work, lots of coffee and all-nighters we released a new version of our Drupal distro OpenLucius. These are the most important new features:
1. Notifications
In the main menu you'll see a notification center permanently, also on mobile. You'll receive notifications of the following actions:
DrupalCon Barcelona 2015... It was a really successful event again.
More than 2030 people attended the Con.
A quick note for core contributors regarding Drupal 8 issue tags related to the upcoming release candidate phase:
- rc deadline issue tag
- Issues that are not critical but can only be committed before the first release candidate is released (e.g., issues that change translatable strings or APIs). If they're not finished by the time the release candidate is ready, they must either be postponed to Drupal 8.1.0 or Drupal 9.
- rc target issue tag
- Rare! Issues that are not critical but can be committed during the release candidate phase (for example, documentation changes, certain coding standards improvements, or other issues at committer discretion). Issues with this tag must have committer approval (so check with a committer before adding it).
On Friday, 2nd Oct 2015, we organized the first virtual media sprint. Four sprinters showed up and worked on D8 media issues.
First a bit of background
At Examiner.com we get an entire day to spend (along with contributions that we do as part of our regular work) on community contributions every other week. We call it "Drupal day" and we love it! It is our way of saying "Thank you!" to the community. We understand that we wouldn't be as successful as we are without incredible efforts that are invested in Drupal and other free software projects we use.
We are currently working on a very cool D8 project where we heavily use modules from the media ecosystem. I might write another post solely about that in the near future. My company's need for a solid media handling solution aligns very nicely with my personal interest in the same field. As a result of that I spend most of my Drupal days on improving the media ecosystem and thinking about it. Having a day to focus on things that excite you is great, but what if there would be more people joining?
This is when the idea for a virtual sprint was born. I published the event on our group and invited everyone to join me.
Results
On the actual date three other sprinters joined me:
We previously wrote a tutorial on how to create custom 403 and 404 pages in Drupal.
That tutorial used Drupal's built-in functionality, but that approach does have a few disadvantages.
So today we'll look at another approach, the CustomError module.
Too often we assume that some things are plainly obvious. However, for a brand new user to Drupal, knowing the best practices for Drupal site creation is a must.
This video tutorial will cover the basics of installing a new module in Drupal 7.
Everyone’s excited for Drupal 8 to come out. Now that we’re flirting with 0 critical bugs, we wanted to give a shout out to everyone who has put their hard work and love into building Drupal 8. We’re almost to the finish line, and everyone deserves hugs and high-fives for all their amazing work.
We’re looking forward to the announcement of a Drupal 8 release candidate as soon as October 7, and we’re working hard to put together materials that everyone can use to shout from the rooftops that Drupal 8 is in its final stage of development. We’ve still got a lot of work ahead of us, but the Drupal Association feels that now is a good time for our community to pause, take a deep breath, give each other pats on the back, and look at what the future holds.
Our communications plan
We’ve fielded a lot of interest in spreading the word about the Drupal 8 release candidate and the eventual release of Drupal 8. We’ve got a plan that we’re excited about, and we’re hoping for help from the community. The more we can all create content about the specific features in Drupal 8, the better! We’d also love to share content made by our community that speaks to different audiences — for example, why Drupal 8 is the best platform for government or university websites. Over the next few weeks, we hope to add our community’s amazing content to the Drupal 8 landing page.
Here are a few other ways you can help:
- Planning on hosting a release party? Share the details and we'll help spread the word about your event.
- Are you already building sites with Drupal 8? Share a link in social media and tag it #madewithdrupal8. You can also add it to the list on groups.drupal.org.
- If you have demos, white papers, blog posts, or some other materials that talk about the virtues of D8, share it on social media and tag it #drupal8rc.
We couldn’t be more excited for Drupal 8. We’re in the last leg now of a huge effort and we should all be tremendously proud of ourselves. Big thanks especially to our amazing Core Maintainers and all of our wonderful contributors who have worked hard on the project.
I've mentored a number of students in 2013, 2014 and 2015 for Debian and Ganglia and most of the companies I've worked with have run internships and graduate programs from time to time. GSoC 2015 has just finished and with all the excitement, many students are already asking what they can do to prepare and be selected for Outreachy or GSoC in 2016.
My own observation is that the more time the organization has to get to know the student, the more confident they can be selecting that student. Furthermore, the more time that the student has spent getting to know the free software community, the more easily they can complete GSoC.
Here I present a list of things that students can do to maximize their chance of selection and career opportunities at the same time. These tips are useful for people applying for GSoC itself and related programs such as GNOME's Outreachy or graduate placements in companies.
Disclaimers
There is no guarantee that Google will run the program again in 2016 or any future year until the Google announcement.
There is no guarantee that any organization or mentor (including myself) will be involved until the official list of organizations is published by Google.
Do not follow the advice of web sites that invite you to send pizza or anything else of value to prospective mentors.
Following the steps in this page doesn't guarantee selection. That said, people who do follow these steps are much more likely to be considered and interviewed than somebody who hasn't done any of the things in this list.
Understand what free software really is
You may hear terms like free software and open source software used interchangeably.
They don't mean exactly the same thing and many people use the term free software for the wrong things. Not all projects declaring themselves to be "free" or "open source" meet the definition of free software. Those that don't, usually as a result of deficiencies in their licenses, are fundamentally incompatible with the majority of software that does use genuinely free licenses.
Google Summer of Code is about both writing and publishing your code and it is also about community. It is fundamental that you know the basics of licensing and how to choose a free license that empowers the community to collaborate on your code well after GSoC has finished.
Please review the definition of free software early on and come back and review it from time to time. The GNU Project / Free Software Foundation have excellent resources to help you understand what a free software license is and how it works to maximize community collaboration.
Don't look for shortcuts
There is no shortcut to GSoC selection and there is no shortcut to GSoC completion.
The student stipend (USD $5,500 in 2014) is not paid to students unless they complete a minimum amount of valid code. This means that even if a student did find some shortcut to selection, it is unlikely they would be paid without completing meaningful work.
If you are the right candidate for GSoC, you will not need a shortcut anyway. Are you the sort of person who can't leave a coding problem until you really feel it is fixed, even if you keep going all night? Have you ever woken up in the night with a dream about writing code still in your head? Do you become irritated by tedious or repetitive tasks and often think of ways to write code to eliminate such tasks? Does your family get cross with you because you take your laptop to Christmas dinner or some other significant occasion and start coding? If some of these statements summarize the way you think or feel you are probably a natural fit for GSoC.
An opportunity money can't buy
The GSoC stipend will not make you rich. It is intended to make sure you have enough money to survive through the summer and focus on your project. Professional developers make this much money in a week in leading business centers like New York, London and Singapore. When you get to that stage in 3-5 years, you will not even be thinking about exactly how much you made during internships.
GSoC gives you an edge over other internships because it involves publicly promoting your work. Many companies still try to hide the potential of their best recruits for fear they will be poached or that they will be able to demand higher salaries. Everything you complete in GSoC is intended to be published and you get full credit for it. Imagine a young musician getting the opportunity to perform on the main stage at a rock festival. This is how the free software community works. It is a meritocracy and there is nobody to hold you back.
Having a portfolio of free software that you have created or collaborated on and a wide network of professional contacts that you develop before, during and after GSoC will continue to pay you back for years to come. While other graduates are being screened through group interviews and testing days run by employers, people with a track record in a free software project often find they go straight to the final interview round.
Register your domain name and make a permanent email address
Free software is all about community and collaboration. Register your own domain name as this will become a focal point for your work and for people to get to know you as you become part of the community.
This is sound advice for anybody working in IT, not just programmers. It gives the impression that you are confident and have a long term interest in a technology career.
Choosing the provider: as a minimum, you want a provider that offers DNS management, static web site hosting, email forwarding and XMPP services all linked to your domain. You do not need to choose the provider that is linked to your internet connection at home and that is often not the best choice anyway. The XMPP foundation maintains a list of providers known to support XMPP.
Create an email address within your domain name. The most basic domain hosting providers will let you forward the email address to a webmail or university email account of your choice. Configure your webmail to send replies using your personalized email address in the From header.
Update your ~/.gitconfig file to use your personalized email address in your Git commits.
Create a web site and blog
Start writing a blog. Host it using your domain name.
Some people blog every day, other people just blog once every two or three months.
Create links from your web site to your other profiles, such as a Github profile page. This helps reinforce the pages/profiles that are genuinely related to you and avoid confusion with the pages of other developers.
Many mentors are keen to see their students writing a weekly report on a blog during GSoC so starting a blog now gives you a head start. Mentors look at blogs during the selection process to try and gain insight into which topics a student is most suitable for.
Create a profile on Github
Github is one of the most widely used software development web sites. Github makes it quick and easy for you to publish your work and collaborate on the work of other people. Create an account today and get in the habit of forking other projects, improving them, committing your changes and pushing the work back into your Github account.
Github will quickly build a profile of your commits and this allows mentors to see and understand your interests and your strengths.
In your Github profile, add a link to your web site/blog and make sure the email address you are using for Git commits (in the ~/.gitconfig file) is based on your personal domain.
Start using PGP
Pretty Good Privacy (PGP) is the industry standard in protecting your identity online. All serious free software projects use PGP to sign tags in Git, to sign official emails and to sign official release files.
The most common way to start using PGP is with the GnuPG (GNU Privacy Guard) utility. It is installed by the package manager on most Linux systems.
When you create your own PGP key, use the email address involving your domain name. This is the most permanent and stable solution.
Print your key fingerprint using the gpg-key2ps command; it is in the signing-party package on most Linux systems. Keep copies of the fingerprint slips with you.
This is what my own PGP fingerprint slip looks like. You can also print the key fingerprint on a business card for a more professional look.
Using PGP, it is recommended that you sign any important messages you send but you do not have to encrypt the messages you send, especially if some of the people you send messages to (like family and friends) do not yet have the PGP software to decrypt them.
Once you have a PGP key, you will need to find other developers to sign it. For people I mentor personally in GSoC, I'm keen to see that you try and find another Debian Developer in your area to sign your key as early as possible.
Free software events
Try and find all the free software events in your area in the months between now and the end of the next Google Summer of Code season. Aim to attend at least two of them before GSoC.
Look closely at the schedules and find out about the individual speakers, the companies and the free software projects that are participating. For events that span more than one day, find out about the dinners, pub nights and other social parts of the event.
Try and identify people who will attend the event who have been GSoC mentors or who intend to be. Contact them before the event, if you are keen to work on something in their domain they may be able to make time to discuss it with you in person.
Take your PGP fingerprint slips. Even if you don't participate in a formal key-signing party at the event, you will still find some developers to sign your PGP key individually. You must take a photo ID document (such as your passport) for the other developer to check the name on your fingerprint but you do not give them a copy of the ID document.
Events come in all shapes and sizes. FOSDEM is an example of one of the bigger events in Europe, linux.conf.au is a similarly large event in Australia. There are many, many more local events such as the Debian UK mini-DebConf in Cambridge, November 2015. Many events are either free or free for students but please check carefully if there is a requirement to register before attending.
On your blog, discuss which events you are attending and which sessions interest you. Write a blog during or after the event too, including photos.
Quantcast generously hosted the Ganglia community meeting in San Francisco, October 2013. We had a wild time in their offices with mini-scooters, burgers, beers and the Ganglia book. That's me on the pink mini-scooter and Bernard Li, one of the other Ganglia GSoC 2014 admins is on the right.
Install Linux
GSoC is fundamentally about free software. Linux is to free software what a tree is to the forest. Using Linux every day on your personal computer dramatically increases your ability to interact with the free software community and increases the number of potential GSoC projects that you can participate in.
This is not to say that people using Mac OS or Windows are unwelcome. I have worked with some great developers who were not Linux users. Linux gives you an edge though and the best time to gain that edge is now, while you are a student and well before you apply for GSoC.
If you must run Windows for some applications used in your course, it will run just fine in a virtual machine using Virtual Box, a free software solution for desktop virtualization. Use Linux as the primary operating system.
Here are links to download ISO DVD (and CD) images for some of the main Linux distributions:
If you are nervous about getting started with Linux, install it on a spare PC or in a virtual machine before you install it on your main PC or laptop. Linux is much less demanding on the hardware than Windows so you can easily run it on a machine that is 5-10 years old. Having just 4GB of RAM and 20GB of hard disk is usually more than enough for a basic graphical desktop environment although having better hardware makes it faster.
Your experiences installing and running Linux, especially if it requires some special effort to make it work with some of your hardware, make interesting topics for your blog.
Decide which technologies you know best
In a GSoC program, you will typically do most of your work in just one of these languages.
From the outset, decide which language you will focus on and do everything you can to improve your competence with that language. For example, if you have already used Java in most of your course, plan on using Java in GSoC and make sure you read Effective Java (2nd Edition) by Joshua Bloch.
Decide which themes appeal to you
Find a topic that has long-term appeal for you. Maybe the topic relates to your course or maybe you already know what type of company you would like to work in.
Here is a list of some topics and some of the relevant software projects:
- System administration, servers and networking: consider projects involving monitoring, automation, packaging. Ganglia is a great community to get involved with and you will encounter the Ganglia software in many large companies and academic/research networks. Contributing to a Linux distribution like Debian or Fedora packaging is another great way to get into system administration.
- Desktop and user interface: consider projects involving window managers and desktop tools or adding to the user interface of just about any other software.
- Big data and data science: this can apply to just about any other theme. For example, data science techniques are frequently used now to improve system administration.
- Business and accounting: consider accounting, CRM and ERP software.
- Finance and trading: consider projects like R, market data software like OpenMAMA and connectivity software (Apache Camel)
- Real-time communication (RTC), VoIP, webcam and chat: look at the JSCommunicator or the Jitsi project
Before the GSoC application process begins, you should aim to learn as much as possible about the theme you prefer and also gain practical experience using the software relating to that theme. For example, if you are attracted to the business and accounting theme, install the PostBooks suite and get to know it. Maybe you know somebody who runs a small business: help them to upgrade to PostBooks and use it to prepare some reports.
Make something
Make some small project, less than two weeks' work, to demonstrate your skills. It is important to make something that somebody will use for a practical purpose; this will help you gain experience communicating with other users through Github.
For an example, see the servlet Juliana Louback created for fixing phone numbers in December 2013. It has since been used as part of the Lumicall web site and Juliana was selected for a GSoC 2014 project with Debian.
There is no better way to demonstrate to a prospective mentor that you are ready for GSoC than by completing and publishing some small project like this yourself. If you don't have any immediate project ideas, many developers will also be able to give you tips on small projects like this that you can attempt, just come and ask us on one of the mailing lists.
Ideally, the project will be something that you would use anyway even if you do not end up participating in GSoC. Such projects are the most motivating and rewarding and usually end up becoming an example of your best work. To continue the example of somebody with a preference for business and accounting software, a small project you might create is a plugin or extension for PostBooks.
Getting to know prospective mentors
Many web sites provide useful information about the developers who contribute to free software projects. Some of these developers may be willing to be a GSoC mentor.
For example, look through some of the following:
- Planet / Blog aggregation sites: these sites all have links to the blogs of many developers. They are useful sources of information about events and also finding out who works on what.
- Developer profile pages. Many projects publish a page about each developer and the packages, modules or other components he/she is responsible for. Look through these lists for areas of mutual interest.
- Developer github profiles. Github makes it easy to see what projects a developer has contributed to. To see many of my own projects, browse through the history at my own Github profile
Once you have identified projects that are interesting to you and developers who work on those projects, it is important to get yourself on the developer's shortlist.
Basically, the shortlist is a list of all students who the developer believes can complete the project. If I feel that a student is unlikely to complete a project or if I don't have enough information to judge a student's probability of success, that student will not be on my shortlist.
If I don't have any student on my shortlist, then a project will not go ahead at all. If there are multiple students on the shortlist, then I will be looking more closely at each of them to try and work out who is the best match.
One way to get a developer's attention is to look at bug reports they have created. Github makes it easy to see complaints or bug reports they have made about their own projects or other projects they depend on. Another way to do this is to search through their code for strings like FIXME and TODO. Projects with standalone bug trackers like the Debian bug tracker also provide an easy way to search for bug reports that a specific person has created or commented on.
Once you find some relevant bug reports, email the developer. Ask if anybody else is working on those issues. Try and start with an issue that is particularly easy and where the solution is interesting for you. This will help you learn to compile and test the program before you try to fix any more complicated bugs. It may even be something you can work on as part of your academic program.
Find successful projects from the previous year
Contact organizations and ask them which GSoC projects were most successful. In many organizations, you can find the past students' project plans and their final reports published on the web. Read through the plans submitted by the students who were chosen. Then read through the final reports by the same students and see how they compare to the original plans.
Start building your project proposal now
Don't wait for the application period to begin. Start writing a project proposal now.
When writing a proposal, it is important to include several things:
- Think big: what is the goal at the end of the project? Does your work help the greater good in some way, such as increasing the market share of Linux on the desktop?
- Details: what are specific challenges? What tools will you use?
- Time management: what will you do each week? Are there weeks where you will not work on GSoC due to vacation or other events? These things are permitted but they must be in your plan if you know them in advance. If an accident or death in the family cut a week out of your GSoC project, which work would you skip and would your project still be useful without that? Having two weeks of flexible time in your plan makes it more resilient against interruptions.
- Communication: are you on mailing lists, IRC and XMPP chat? Will you make a weekly report on your blog?
- Users: who will benefit from your work?
- Testing: who will test and validate your work throughout the project? Ideally, this should involve more than just the mentor.
If your project plan is good enough, could you put it on Kickstarter or another crowdfunding site? This is a good test of whether or not a project is going to be supported by a GSoC mentor.
Learn about packaging and distributing software
Packaging is a vital part of the free software lifecycle. It is very easy to upload a project to Github but it takes more effort to have it become an official package in systems like Debian, Fedora and Ubuntu.
Packaging and the communities around Linux distributions help you reach out to users of your software and get valuable feedback and new contributors. This boosts the impact of your work.
To start with, you may want to help the maintainer of an existing package. Debian packaging teams are existing communities that work in a team and welcome new contributors. The Debian Mentors initiative is another great starting place. In the Fedora world, the place to start may be in one of the Special Interest Groups (SIGs).
Think from the mentor's perspective
After the application deadline, mentors have just 2 or 3 weeks to choose the students. This is actually not a lot of time to be certain if a particular student is capable of completing a project. If the student has a published history of free software activity, the mentor feels a lot more confident about choosing the student.
Some mentors have more than one good student while other mentors receive no applications from capable students. In this situation, it is very common for mentors to send each other details of students who may be suitable. Once again, if a student has a good Github profile and a blog, it is much easier for mentors to try and match that student with another project.
Conclusion
Getting into the world of software engineering is much like joining any other profession or even joining a new hobby or sporting activity. If you run, you probably have various types of shoe and a running watch and you may even spend a couple of nights at the track each week. If you enjoy playing a musical instrument, you probably have a collection of sheet music, accessories for your instrument and you may even aspire to build a recording studio in your garage (or you probably know somebody else who already did that).
The things listed on this page will not just help you walk the walk and talk the talk of a software developer, they will put you on a track to being one of the leaders. If you look over the profiles of other software developers on the Internet, you will find they are doing most of the things on this page already. Even if you are not selected for GSoC at all or decide not to apply, working through the steps on this page will help you clarify your own ideas about your career and help you make new friends in the software engineering community.
cTools is one of those critical Drupal 7 modules many others depend on. It provides a lot of APIs and functionality that makes life easier when developing modules. Views and Panels are just two examples of such powerhouses that depend on it.
cTools makes available different kinds of functionality. Object caching, configuration exportability, form wizards, dialogs and plugins are but a few. A lot of the credit you would normally attribute to Views or Panels is actually owed to cTools.
In this article, we are going to take a look at cTools plugins, especially how we can create our very own. After a brief introduction, we will immediately go hands on with a custom module that will use the cTools plugins to make defining Drupal blocks nicer (more in tune to how we define them in Drupal 8).
Introduction
cTools plugins in Drupal 7 (conceptually not so dissimilar to the plugin system in Drupal 8) are meant for easily defining reusable bits of functionality. That is to say, for the ability to define isolated business logic that is used in some context. The goal is to set up that context and plugin type once, and allow other modules to then define plugins that can be used in that context automatically.
If you’ve been developing Drupal sites for more than a year you’ve probably encountered cTools plugins in one shape or form. I think the first plugin type we usually deal with is the content_type plugin which allows us to create our own custom panel panes that display dynamic content. And that is awesome. Some of the others you may have encountered in the same realm of Panels are probably context and access (visibility rules). Maybe even relationships and arguments. These are all provided by cTools. Panels adds to this list by introducing layouts and styles that we normally use for creating Panels layouts and individual pane styles. These are I think the more common ones.
However, all of the above are to a certain extent a black box to many. All we know is that we need to define a hook to specify a directory and then provide an include file with some definition and logic code and the rest happens by magic. Going forward, I would like us to look into how a plugin type is defined so that if the case arises, we can create our own plugins to represent some reusable bits of functionality. To demonstrate this, we will create a module that turns the pesky hook system of defining custom Drupal blocks into a plugin based approach similar to what Drupal 8 is using.
Discover our new blog post related to QA testing
and optimizing your website's speed.
Everything can be improved! :)
Have a cup of coffee, take a bath, do some physical exercises... That’s what users wouldn’t like to do while a website is loading. According to statistics, people leave a website that loads longer than 3 seconds.
Building a website is a complicated process. I don’t want to downplay the importance of technical expertise, but for me the most difficult part of a website build is clearly and concisely capturing a client’s requirements. So much hinges on the hours we spend discussing business processes, sketching out UML diagrams and cataloguing every detail. However so often a lot of effort goes in and the resulting documents aren’t as clear as we would have hoped.
So how do we improve on this situation? Acceptance criteria. To the uninitiated acceptance criteria are a bit like requirements. They seem to just state a single requirement for a change or fix. The difference is that requirements come in all shapes and sizes, acceptance criteria all look the same. In fact they even have a clearly defined format to help keep to a standard. They look like this:
“Given that… When... Then…”
You should read this as “Given that some precondition is satisfied, when an action or actions take place, then a testable result will occur”. This format lets you turn requirements into unambiguous, testable, acceptance criteria, which helps developers know exactly what to build, testers know exactly what to test and most importantly helps the actual development go as smoothly as possible.
For example, a typical requirement might be:
we want single sign on between the website and our invoicing system
This could translate into any number of acceptance criteria so it is important to be unambiguous about what is meant.
Given that I am a user in both the invoicing system and the website, when I visit the website and I am already logged in to the invoicing system, then I am automatically logged in to the website on the first page load
This is much clearer about what is needed. It is still not especially detailed, but it better highlights the additional information which is required, meaning it will be easier to write further acceptance criteria for that as well.
We like to introduce clients to acceptance criteria early on in the requirement gathering stage to let them know what we’re aiming for. It helps guide discussions when you are all internally trying to boil down requirements to these simple little maxims. We still go through all the same processes to uncover the requirements in the first place, the workshops, the diagrams and flowcharts, but then before we start development we review all of that documentation and produce a functional specification including all the acceptance criteria.
This process really ties the requirement gathering phase and development phase together. You can be the best business analyst in the world and have a lot of great techniques for discussing your clients' requirements, but unless you can translate them into manageable, testable chunks it’s very tricky to know if you’re delivering what was asked for. That’s why for me this will always be the most important part of a project.
Written by: Rob Humphries, Project Manager
Microserve is a Drupal Agency based in Bristol, UK. We specialise in Drupal Development, Drupal Site Audits and Health Checks, and Drupal Support and Maintenance. Contact us for further information.
One of our users didn't like the generic "Access denied" message for restricted pages. So we created this tutorial for him.
This tutorial will show you how to create custom error pages for 403 (Access Denied) and also 404 (Not Found) errors.
Drupalcon Barcelona has finished and we are back at our offices, with our heads full of ideas about how to improve our daily work, the conviction that Drupal 8 will be here soon and will allow us to achieve amazing things in future projects, and our batteries recharged after having such a great time with such great people.
Drupal's recent problem with the Twitter module provides a crucial lesson for all of us: a proactive, vigilant approach to security -- i.e. practices such as continuous monitoring, which we'll explore a little in this post -- is becoming a necessity in an online environment saturated with black hat hackers.
The Twitter Module Flaw
In Drupal versions 6.x and 7.x, the Twitter module had some slight security issues, to say the least. It did not check for access in the proper way, which meant that any authenticated Twitter user could sneak into your Twitter account, post a tweet, change your account settings, or even delete your account.
Drupal issued a request to users to update their Twitter module to the latest version to fix the security bug.
Continuous Monitoring
The term "continuous monitoring" has become popular. And it means exactly what it sounds like: companies enact policies and procedures that enforce 24/7 close monitoring of their infrastructure. Information-Age.com defines it this way:
The main role of continuous monitoring is to keep your security team constantly aware of newly detected vulnerabilities, weaknesses, missing patches and configuration flaws that appear to be exploitable.
Part of the reason for the urgency is the rise of "zero-day exploits," which are vulnerabilities in software that no one previously knew about and for which a patch does not exist.
The Pressure is On: In Competition with Black Hats
As Information Age points out in their article linked above, black hat hackers have developed their own continuous monitoring capabilities. In some cases, they will even patch the vulnerabilities of a website -- without the owner's knowledge -- after they've exploited the weakness.
They do this because these cyber gangs, groups of black hats who function like well-coordinated attack squadrons, don't want the competition (other black hat cyber gangs) also exploiting your site's weakness. Black hat hackers will claim your site as their turf and actually use continuous monitoring to protect it against other black hats. (After, of course, they've exploited your site for their own purposes.)
Drupal Security Team Warns About the Speed of Black Hats
Well-organized black hat cyber gangs are so efficient, and in many cases so well-equipped with their own in-house continuous monitoring technology, that they will detect vulnerabilities before anyone else does -- even before Drupal.
When a weakness in Drupal 7 was detected, this announcement from Drupal demonstrates how fast the Black Hats can exploit a vulnerability:
Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
Continuous Monitoring Isn't Easy, But It's Becoming a Necessity
The question is simple: do you want black hat hackers or your company's IT/Security team to do your continuous monitoring for you? If black hat hackers rely on continuous monitoring to be successful, then companies and website owners must respond in kind and fight fire with fire.
That doesn't mean it's easy, of course. It requires systemic transformation. As quoted by Information Age, Jan Schreuder of PwC sympathized with the challenges that continuous monitoring creates: "...[it] represents a significant change to the way IT departments operate, and to be successful it requires significant commitment through leadership support, enforcement, and system owner responsibility and accountability."
Thankfully, Drupal responds quickly to security crises, but there's only so much it can do. Each user has a responsibility as well, and continuous monitoring has become an unavoidable necessity for security vigilance.
Contact us for more information on how we can help monitor and protect your Drupal website against security vulnerabilities.
Last week’s DrupalCon was an outstanding event that saw over 2,000 people from the community come together in Barcelona to attend sessions, sprints, and socialise.
We sent 74 of our own team members to the conference (over a third of our group) and we asked them about their experiences to offer a vision of DrupalCon from Wunderkraut’s perspective. Here you will find out what happened, what you should catch up on, and what we recommend to prepare you for next year’s conference in Dublin.
Pre-Conference Opening - Sunday 20th September
Before the conference officially opened for registration, members of our team met with other community developers to get sprinting at Makers of Barcelona - a beautiful and quirky co-working space 25 minutes from the conference centre.
With D8 close and everyone keen to hear what the first days of the conference had to offer in the way of Drupal 8 news, everyone was in high spirits to collaborate and code face-to-face at the extended sprints.
Registration Day - Monday 21st September
Barcelona International Convention Centre opened its doors for attendees to register. Whilst contributors and coders headed to the Contribution Lounge, leaders of Drupal businesses came together at the Business Summit to share experiences, learn new things, and make acquaintances.
Exhibitors and organisers were also buzzing around the exhibitor hall to prepare their stands and catering areas for the evening’s opening reception, giving all attendees a great opportunity to network and discuss the days ahead.
Watch our roundup of Monday at DrupalCon:
The day opened with Dries’ keynote which gave people a status update on Drupal 8’s release, an overview of the state of the CMS market, and an introduction to new techniques for contributing to Drupal. Overall this was well received and the first deadline of October 7th 2015 was set for D8’s Release Candidate.
Our team then went on to enjoy a variety of tracks and sessions throughout the day. Here’s what Wunderkraut recommends watching from the first day:
Highly recommended by our team
Recommended by our consultants
Design to support strategic objectives (hosted by our own Roy Scholten)
Recommended by our back-end developers
Following a day full of fantastic sessions, the Wunderkraut team headed over to Barcelona’s beaches to have a WunderParty. This gave our international group a great opportunity to socialise and network with one another over good food and a few drinks, which our friends from the conference also attended.
Watch our roundup of Tuesday at DrupalCon
The second day of the conference kicked off with an inspirational keynote by Nathalie Nahai on web psychology. This led nicely into the second day of sessions, sprints and BoFs. Here is what our attendees recommend:
Recommended by our back-end developers
Recommended by our consultants
No therapist needed: clients, teams and no tears (hosted by our own Alice Richmond)
Recommended by our care team
Recommended by our operations team
Recommended by our front-end team
In the evening a number of our team members headed into the “old town” area of Barcelona to enjoy the local tapas, sangria, and local culture. All of the local people were out and celebrating La Mercè Festival which involved fireworks, parties, and fun.
Watch our roundup of Wednesday at DrupalCon
Thursday was the final day of sessions and by this point a lot of new information, local culture, and sangria had been consumed by conference attendees who stayed since the start. It was hard to find one of our bean bags free at the conference that didn’t have an attendee catching a nap on it!
The final day of sessions, however, was great and they were started by two excellent community keynotes by David Rozas and Mike Bell on mental health in the open source world and the phenomenon of contributing to a community. Both talks were received very well by our team and the community.
Here’s what else Wunderkraut recommends from the day:
Recommended by our back-end developers
Recommended by our consultants
Making Drupal a better out-of-the-box product: Report on usability testing results and how we can make 8.1.x+ shine (joint hosted by our own Lewis Nyman)
All of the conference’s sessions ended with Holly Ross’ Closing Session that provided some cool community and conference stats, in addition to the location of next year’s Drupalcon - Ireland!
To celebrate a successful DrupalCon, most of the attendees headed down to the Trivia Night where they had an opportunity to win some fun prizes, including these sought after goodies:
September 24, 2015
Sprinting for Beginners and All - Friday 25th September
Friday was a day for first-time sprinters to meet the mentors and get started with contributing to Drupal. It began with a workshop on downloading the tools required to contribute and led to people being assigned to different contribution tasks and issues, depending on their different skills.
Later on in the afternoon Angie Byron (webchick) committed a selection of contributions that newcomers made to Drupal 8 whilst they were at the conference and everyone celebrated the new additions together.
Extended Sprints - Saturday 26th - Sunday 27th September
The rest of the weekend was spent sprinting by contributors back at the creative co-working space, Makers of Barcelona. Overall, a nice way to finish off the week in beautiful Barcelona.
Tips for future DrupalCon Goers
With over 70 odd of our team attending this year’s DrupalCon we’d like to leave a few bits of advice for future participants who may be completely new to the conference to make their experiences as enjoyable as ours.
Marc Galang, Software Developer
Attend the prenote! Also, if you're joining the sprints, make sure you have a running environment before you leave your country/office, because sometimes the internet could be so slow that it takes A LOT of time to download stuff that is needed for the sprints.
Bert Boerland, Sales Manager
Sleep as much as you can upfront. You should also add the checkmark of being at the con in your Drupal.org profile.
Mikael Kundert, Software Developer
After you start to find sessions that aren’t that useful for you, move on to participate in BoFs and sprints!
Bernt Andreas Drange, Software Developer
Remember your business cards and cash for coffee!
Jenny Kannelsuo, Service Manager
Plan ahead and check the sessions beforehand.
Randal Whitmore, Marketing Assistant
Embrace as much as you can, especially if this is your first experience with the community. Communicating with people in person and getting to understand those behind Drupal is invaluable.
Talking about UX design services is becoming a new trend. While not many people are certain who a user is and what his or her experience is, hundreds would like to contribute to the discussion about proper approaches to it. Let’s take a look at the 5 most widespread UX myths and their disproof.
Some of the most interesting new modules I saw posted to drupal.org in September:
Views Advanced Routing
(for Drupal 8) Allows you to specify the routing configuration YAML for a Views page. Meaning, you can use custom access control callbacks, default parameters, etc. Sweet!
Commerce Responsive UI
Provides replacement interfaces for the parts of Drupal Commerce that are table dependent and non-mobile responsive by default. These include Responsive Cart, Responsive Checkout, and Responsive User Facing Orders.
Drupal 8 Contrib Porting Tracker
Not a module, but a centralized place for tracking the Drupal 8 porting status of contributed projects (modules, themes, distributions). The best place to find out that the Bad Judgement module is ready for D8!
Advanced Image Crop
This image field cropper lets the user do a different crop in each of the image styles configured by the admin. You better have some savvy users to comprehend this, but if you do, it looks awesome.
Webform Replay [sandbox]
Extends the Webform module by adding an option to “replay” selected webform values in situations where multiple webform submissions per user are allowed, and some of that information is likely to be repeated on each submission. By enabling webform replay for these fields, the user only needs to complete them for the initial webform submission, and on subsequent entries these fields will be pre-populated with the values from the previous submission.
Forbidden File Format
Flips the file field extension checking around so that you can allow all types of files except the extensions specified. So you could deny .js, .exe, .bat, and .com, but allow other types.
Tableau WDC [sandbox]
Tableau 9.1 includes a new Web Data Connector feature, which lets you build connections to data accessible over HTTP with JSON data and REST APIs. This module attempts to bridge the gap between Drupal and Tableau by adding a new views plugin (tableau_wdc) which renders content as JSON with some extra meta information needed by Tableau. Once you have created your endpoints, you can add the tableau-wdc block to any page and it will automatically render a button for each data source together with all the necessary scripts to parse and prepare the data for import.
Nuke Drupal Frontend
Allows you to completely disable frontend HTML access to a Drupal site, for when you’re building a headless site, and you’re not using the Drupal-provided frontend.
Doubtfire [sandbox]
An alternative to the Masquerade module, with some useful UI additions.
Gmail Connector [sandbox]
Lets users view their Gmail inbox and messages in Drupal using the Gmail RESTful API.