My Slides from Drupal Camp Asheville 2017

Thanks to all for coming to my talk! Here are my slides. Drupal Security #devsecops #dcavl @drupalasheville
DevSecOps – Slides

I enjoyed being at Drupal Camp, and it was good talking with the many new folks I met (as well as the ones I already know). If you have any questions or comments, feel free to post here or contact me directly.

Update:

Video is Now Available Too!

Speaking at Drupal Camp Asheville

I will be doing a talk on Drupal and Security at this year’s Drupal Camp Asheville. I will cover some security best practices for Drupal developers, how to avoid certain Drupal-specific security gotchas, some lessons learned in keeping Drupal sites secure, and some handy tidbits you can use to prevent the bad people from ruining things.

The times for the various speaker sessions haven’t been announced yet, but stay tuned. I hope to see you all there!

#dcavl

A jQuery 1.x vulnerability exists and no fix is planned

I haven’t seen much talk about this issue around the Internet, so I thought I’d present what I’ve learned for others to be aware of. It mainly has to do with the fact that jQuery 1.x (and 2.x, for that matter) were replaced by 3.x, yet they are still thriving in many, many projects, applications, and websites to this day.

While doing a security review of some code the other day, a retirejs scan informed me that jQuery 1.x contained a Medium vulnerability regarding cross-domain requests in ajax. According to Snyk:

“Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain ajax request is performed without the dataType option causing text/javascript responses to be executed.

Remediation: Upgrade jquery to version 3.0.0 or higher.”

“Upgrading to 3.0.0 or higher seems pretty drastic,” I thought to myself. Well, according to a comment I found on jQuery’s GitHub page, this is actually their stance, and they don’t plan on patching 1.x because it is a ‘breaking change’:

https://github.com/jquery/jquery/issues/2432#issuecomment-290983196

So it would behoove you to upgrade to jQuery 3 if you don’t want to be susceptible to this vulnerability. The magnitude of that may seem rather staggering if you consider all the projects across just about everything (WordPress plugins, Drupal modules, etc etc) that bundle the 1.x version of jQuery, and haven’t updated it in years.

While the vulnerability may not be relevant if you are not making cross-domain ajax calls, this is but one risk that has come to light for which there will be no fix. And it’s not exactly reasonable to assume that developers know they need to avoid that if they intend to use jQuery 1.x.
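To make the risky condition concrete, here is an added example (my own code, not from the post, from Snyk or from the jQuery project) that audits jQuery.ajax()-style option objects for the pattern the advisory describes: a cross-domain URL with no explicit dataType, where jQuery 1.x/2.x infers the type from the response's Content-Type and executes a text/javascript body. It assumes the options objects have been collected from your own call sites (the sample list below is constructed), and it uses only the standard URL class so it runs in Node without jQuery; in a live page the same check could be wired into jQuery's real `$.ajaxPrefilter` hook to pin a dataType before each request goes out.

```javascript
// Added example: find and harden cross-domain ajax calls that omit dataType.
// The option-object shape ({ url, dataType, ... }) mirrors jQuery.ajax() settings.

/** True when requestUrl (absolute, relative or protocol-relative) resolves to a different origin. */
function isCrossOrigin(requestUrl, pageOrigin) {
  const page = new URL(pageOrigin);
  const target = new URL(requestUrl, page); // relative URLs resolve against the page
  return target.origin !== page.origin;     // origin = scheme + host + port (default ports normalised)
}

/** Return a list of human-readable findings for one ajax options object. */
function auditAjaxOptions(options, pageOrigin) {
  const findings = [];
  if (!options || typeof options.url !== "string") {
    findings.push("missing url");
    return findings;
  }
  const crossOrigin = isCrossOrigin(options.url, pageOrigin);
  if (crossOrigin && !options.dataType) {
    // The case from the advisory: type is inferred from the response, so a
    // text/javascript body would be evaluated on jQuery 1.x/2.x.
    findings.push("cross-domain request without dataType: script responses may be executed");
  }
  if (crossOrigin && (options.dataType === "script" || options.dataType === "jsonp")) {
    // Explicitly asking for remote code is a design decision worth flagging during review.
    findings.push("cross-domain request deliberately executes remote code (script/jsonp)");
  }
  return findings;
}

/** Return a copy of the options with an explicit, non-executable dataType pinned on cross-domain calls. */
function hardenAjaxOptions(options, pageOrigin, defaultType = "json") {
  const hardened = Object.assign({}, options);
  if (isCrossOrigin(options.url, pageOrigin) && !hardened.dataType) {
    hardened.dataType = defaultType; // jQuery will now parse, not execute, the body
  }
  return hardened;
}

/** Audit a whole inventory of call sites; returns [{ url, findings }]. */
function auditAll(calls, pageOrigin) {
  return calls.map((opts) => ({ url: opts.url, findings: auditAjaxOptions(opts, pageOrigin) }));
}

// Constructed sample inventory (hypothetical hosts), e.g. extracted from your own source tree.
const PAGE_ORIGIN = "https://app.example.com";
const SAMPLE_CALLS = [
  { url: "/api/items" },                                               // same-origin: no finding
  { url: "https://cdn.example.net/feed" },                             // cross-domain, no dataType: risky
  { url: "https://cdn.example.net/feed", dataType: "json" },           // pinned: no finding
  { url: "https://cdn.example.net/widget.js", dataType: "script" },    // deliberate remote code
];

console.log(JSON.stringify(auditAll(SAMPLE_CALLS, PAGE_ORIGIN), null, 2));
console.log(hardenAjaxOptions(SAMPLE_CALLS[1], PAGE_ORIGIN)); // { url: ..., dataType: 'json' }
```

Pinning dataType only closes the specific inference path the advisory names; it is an inventory and stop-gap measure, not a substitute for moving the bundled library to jQuery 3 as the post recommends.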

The longer jQuery 1.x sits in your project, the higher a risk it becomes.

As the impending OWASP Top-10 for 2017 says, “Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.”

Long story short: Keep your bundled libraries up to date!

WordPress Security from WordCamp Asheville 2016

One of the coolest things about WordCamp is that they post videos of each talk and presentation on WordPress.tv for viewing afterwards. It gives you the chance to see all the great presentations you may have missed, or to revisit the ones you attended.

With so many WordCamps happening all over the world, it is a great resource.

My presentation from WordCamp Asheville 2016, titled WordPress Security: Don’t Be a Target, is now live on WordPress.tv.

Speaking at WordCamp Asheville – June 3 – 5, 2016

Tickets are on sale for WordCamp Asheville, and I hope many of you will come. This is my first opportunity to attend WordCamp, and I’ll actually be getting to speak at it. Come check it out if you are attending.

My presentation will be about WordPress security, how to make yourself less of a target, and how to harden your WordPress website against hackers using freely available tools.

Come say Hi if you attend!

A Well-Oiled Website Is the Key to Corporate Success

Promoting a business was never an easy task in the past. Since the introduction of modern technology and the internet, and the major applications they have for business, promotion is now an even bigger task due to the number of factors a business owner has to consider. For instance, you now need to worry about web hosting, software development, eCommerce, social media and search rankings.

However, most of this can be generalised and referred to as your website. Your website is essentially the first thing that people see when they Google your business or search for you on the internet, so it better be damned good and make a great first impression if you want people to actually visit your website more often to increase exposure.

Creating a great website is easy if you just hire a freelancer or outsource the work. However, that doesn’t mean it will always stay good. Websites have to change and evolve depending on their audience or the business that runs them, which is why many large corporations have in-house web design teams and programmers that work in harmony on a website. This enables the website to constantly change depending on new trends, fads or even design tropes that are popular. It goes without saying that a great website is one of the major components of a successful marketing strategy, which ultimately leads to corporate success. If you want to create a website that your viewers will love, then here are a couple of tips for you to follow.

Monitoring performance and user interaction

One of the most important things to consider when running a website is how it feels for your users to interact with. You can’t exactly go to someone and ask them about your website, and you can’t really ask your web development team or friends to check your website and give feedback. You need to get responses from people who actually use your website for its intended purpose, and this can be rather difficult.

This is why companies and web developers turn to application performance management tools. This list of APM tools should give you a rough idea of what APM actually is. But in short, it’s a way to monitor applications that are built either on websites or as independent software packages. You can monitor things such as CPU usage and code performance, meaning your developers can optimise your web services using data collected with an APM tool. It can even track things such as users who are currently using the service and how they are using your web services.

By monitoring users and how they utilise your website, you can collect statistics that can be used to improve your business website and propel it into the public spotlight. Although good web design comes from a lot of experience and studying, the only way to stay at the forefront of fantastic web design is to analyse patterns generated with monitoring tools.

Constant updates to increase retention

To keep your users coming back, you need to give them a reason. If they check your online web store and don’t find anything useful, then you need to at least give them a reason to come back in the future. Perhaps you update your store and you get some new items in that you want to show off, or maybe you’re open to suggestions from your potential customers. Whatever changes on your website, it’s a good idea to let people know via mailing lists or even social media. You could even have a suggestions box or a way for visitors to contact you regarding new and future products or content that they want to see.

The idea here is to constantly update your website so that people have a reason to return. By retaining customer attention, they’re more likely to suggest your website or services to other people. Your website might just be a simple front page to your business that shows contact information and services. In this situation, there’s not much you can do to keep people coming back. This is why a lot of company websites have blogs attached to them. These blogs usually contain information about the inner workings of the company or the latest industry technologies, or they’re short posts about up-and-coming products that are written to excite people. These posts are then posted on social media and shared among thousands of people, drawing attention to the website and ultimately attracting more and more exposure.

Keeping your website constantly updated can be difficult if you don’t have much content to write about, but it’s one of the key ways to ensure that you are always ahead of the curve in online marketing.