Certify Drupal for use in Government (US) Projects
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns. Because our project had been approved by higher ups within the department, we were paid for our work up to that point and asked to stop. Now, its up to the tax payers to foot a much larger bill for other developers to implement a proprietary and more "secure" (or secretive) solution. The "transparency" of the Drupal project was one of the government's big objections. In their eyes, disclosing and fixing securit holes in a timely manner, is not the same thing as security. They pointed out the 100+ security disclosures since drupal 4.0 as a reason that the system could not be used. We noted that all these disclosures where quickly addressed, but that did not seem to matter. I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal The standards we would need to meet with drupal are: http://csrc.nist.gov/groups/SMA/fisma/index.html My questions are the following: - Have any other developers run into this cerfication problem before? - Is anyone in the drupal community currently working to get Drupal certified for use in US Government projects? - Does anyone know exactly what cerfication would require from a development standpoint? If there is interest in investigating this type of certification further, let me know. NIST, the department that certifies software, is just down the road from me. I could go investigate further. Thanks Jon
Jon, Thanks for your interest in this. I'm interested in this as well. Some of their concerns seem to be over some misconceptions that might help to be cleared up. Someone correct me if I'm wrong but drupal 4.0 was 10 major releases ago. 100 + advisories over 10 major releases isn't as many as the 3 which the numbering might look like. Before drupal 5 the major releases were point releases and not full number releases. On top of that, the security advisories cover contributed modules and have included other libraries used by drupal modules, such as getID3. The security team handles things in a tight way. When something is reported it's not opened up to the world. If the issue is valid it's handled behind closed doors until a fix and advisory is sent out. Those advisories come out on Wednesdays so they can immediately be acted on. I would be very curious as to what it would take to certification as well as their concerns. Matt Quoting Jon Saints <saintsjd@gmail.com>:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Because our project had been approved by higher ups within the department, we were paid for our work up to that point and asked to stop. Now, its up to the tax payers to foot a much larger bill for other developers to implement a proprietary and more "secure" (or secretive) solution.
The "transparency" of the Drupal project was one of the government's big objections. In their eyes, disclosing and fixing securit holes in a timely manner, is not the same thing as security. They pointed out the 100+ security disclosures since drupal 4.0 as a reason that the system could not be used. We noted that all these disclosures where quickly addressed, but that did not seem to matter.
I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal
The standards we would need to meet with drupal are: http://csrc.nist.gov/groups/SMA/fisma/index.html
My questions are the following: - Have any other developers run into this cerfication problem before? - Is anyone in the drupal community currently working to get Drupal certified for use in US Government projects? - Does anyone know exactly what cerfication would require from a development standpoint?
If there is interest in investigating this type of certification further, let me know. NIST, the department that certifies software, is just down the road from me. I could go investigate further.
Thanks Jon
I agree with your assessment of the misconceptions: If you search their database you will see that most of vulnerabilities they are pointing to are for contributed modules. That said, this is the explanation we received. There seems to be no room to argue in this case due to deadlines for the project. The Database: http://nvd.nist.gov/ For future projects we could definitely argue to have these misconceptions clarified in the governments eyes. Thanks Jon On Tue, Sep 30, 2008 at 9:24 AM, <matt@mattfarina.com> wrote:
Jon,
Thanks for your interest in this. I'm interested in this as well.
Some of their concerns seem to be over some misconceptions that might help to be cleared up.
Someone correct me if I'm wrong but drupal 4.0 was 10 major releases ago. 100 + advisories over 10 major releases isn't as many as the 3 which the numbering might look like. Before drupal 5 the major releases were point releases and not full number releases. On top of that, the security advisories cover contributed modules and have included other libraries used by drupal modules, such as getID3.
The security team handles things in a tight way. When something is reported it's not opened up to the world. If the issue is valid it's handled behind closed doors until a fix and advisory is sent out. Those advisories come out on Wednesdays so they can immediately be acted on.
I would be very curious as to what it would take to certification as well as their concerns.
Matt
Quoting Jon Saints <saintsjd@gmail.com>:
On a recent project for the US government, half way through the
development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Because our project had been approved by higher ups within the department, we were paid for our work up to that point and asked to stop. Now, its up to the tax payers to foot a much larger bill for other developers to implement a proprietary and more "secure" (or secretive) solution.
The "transparency" of the Drupal project was one of the government's big objections. In their eyes, disclosing and fixing securit holes in a timely manner, is not the same thing as security. They pointed out the 100+ security disclosures since drupal 4.0 as a reason that the system could not be used. We noted that all these disclosures where quickly addressed, but that did not seem to matter.
I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal
The standards we would need to meet with drupal are: http://csrc.nist.gov/groups/SMA/fisma/index.html
My questions are the following: - Have any other developers run into this cerfication problem before? - Is anyone in the drupal community currently working to get Drupal certified for use in US Government projects? - Does anyone know exactly what cerfication would require from a development standpoint?
If there is interest in investigating this type of certification further, let me know. NIST, the department that certifies software, is just down the road from me. I could go investigate further.
Thanks Jon
Wow, I would like everybody to notice something right here. In the message I reply to, Matt Farina said: "The security team handles things in a tight way. When something is reported it's not opened up to the world. If the issue is valid it's handled behind closed doors until a fix and advisory is sent out." /end of citation/ I thought that Drupal is an open community of open source developers working under GPL license. Does it mean that ALL issues have to be openly reported to all community for everybody to review? Don't you all think that handling security issues behind closed doors until a fix and advisory will be sent out is sound more like corporate way of thinking on a way to develop something proprietary? I'm very concern about that and invite everybody to collaborate on this one. Does Matt represent a real situation at this matter in Drupal development community? If not, then I'm sure that many people would like to know exactly what the process is for handling security issues from the moment they have been reported? Thanks in advance, Alex matt@mattfarina.com wrote:
Jon,
Thanks for your interest in this. I'm interested in this as well.
Some of their concerns seem to be over some misconceptions that might help to be cleared up.
Someone correct me if I'm wrong but drupal 4.0 was 10 major releases ago. 100 + advisories over 10 major releases isn't as many as the 3 which the numbering might look like. Before drupal 5 the major releases were point releases and not full number releases. On top of that, the security advisories cover contributed modules and have included other libraries used by drupal modules, such as getID3.
The security team handles things in a tight way. When something is reported it's not opened up to the world. If the issue is valid it's handled behind closed doors until a fix and advisory is sent out. Those advisories come out on Wednesdays so they can immediately be acted on.
I would be very curious as to what it would take to certification as well as their concerns.
Matt
Quoting Jon Saints <saintsjd@gmail.com>:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Because our project had been approved by higher ups within the department, we were paid for our work up to that point and asked to stop. Now, its up to the tax payers to foot a much larger bill for other developers to implement a proprietary and more "secure" (or secretive) solution.
The "transparency" of the Drupal project was one of the government's big objections. In their eyes, disclosing and fixing securit holes in a timely manner, is not the same thing as security. They pointed out the 100+ security disclosures since drupal 4.0 as a reason that the system could not be used. We noted that all these disclosures where quickly addressed, but that did not seem to matter.
I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal
The standards we would need to meet with drupal are: http://csrc.nist.gov/groups/SMA/fisma/index.html
My questions are the following: - Have any other developers run into this cerfication problem before? - Is anyone in the drupal community currently working to get Drupal certified for use in US Government projects? - Does anyone know exactly what cerfication would require from a development standpoint?
If there is interest in investigating this type of certification further, let me know. NIST, the department that certifies software, is just down the road from me. I could go investigate further.
Thanks Jon
On Wed, Oct 1, 2008 at 12:40 AM, Drupal Developer <lapurd@gmail.com> wrote:
Wow, I would like everybody to notice something right here.
In the message I reply to, Matt Farina said:
"The security team handles things in a tight way. When something is reported it's not opened up to the world. If the issue is valid it's handled behind closed doors until a fix and advisory is sent out." /end of citation/
I thought that Drupal is an open community of open source developers working under GPL license. Does it mean that ALL issues have to be openly reported to all community for everybody to review? Don't you all think that handling security issues behind closed doors until a fix and advisory will be sent out is sound more like corporate way of thinking on a way to develop something proprietary?
It's a GPL license, that's why I am sure the security team is open to anyone who is interested in helping out on that very important front. But GPL doesn't mean that we have to be stupid as a community, and advertise exploits before a fix can be made and people given a chance to have a security fix to use. Just as the corporate world, as we are finding out all over the world these days, certainly has no "monopoly over intelligence", or over doing what's best for all, open source communities can be smart too. There's nothing proprietary about that. Quite the opposite, in fact: defending ourselves against conspiracies to wreak havoc certainly has to be the right of open source communities, Victor Kane http://awebfactory.com.ar
I'm very concern about that and invite everybody to collaborate on this one.
Does Matt represent a real situation at this matter in Drupal development community? If not, then I'm sure that many people would like to know exactly what the process is for handling security issues from the moment they have been reported?
Thanks in advance, Alex
matt@mattfarina.com wrote:
Jon,
Thanks for your interest in this. I'm interested in this as well.
Some of their concerns seem to be over some misconceptions that might help to be cleared up.
Someone correct me if I'm wrong but drupal 4.0 was 10 major releases ago. 100 + advisories over 10 major releases isn't as many as the 3 which the numbering might look like. Before drupal 5 the major releases were point releases and not full number releases. On top of that, the security advisories cover contributed modules and have included other libraries used by drupal modules, such as getID3.
The security team handles things in a tight way. When something is reported it's not opened up to the world. If the issue is valid it's handled behind closed doors until a fix and advisory is sent out. Those advisories come out on Wednesdays so they can immediately be acted on.
I would be very curious as to what it would take to certification as well as their concerns.
Matt
Quoting Jon Saints <saintsjd@gmail.com>:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Because our project had been approved by higher ups within the department, we were paid for our work up to that point and asked to stop. Now, its up to the tax payers to foot a much larger bill for other developers to implement a proprietary and more "secure" (or secretive) solution.
The "transparency" of the Drupal project was one of the government's big objections. In their eyes, disclosing and fixing securit holes in a timely manner, is not the same thing as security. They pointed out the 100+ security disclosures since drupal 4.0 as a reason that the system could not be used. We noted that all these disclosures where quickly addressed, but that did not seem to matter.
I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal
The standards we would need to meet with drupal are: http://csrc.nist.gov/groups/SMA/fisma/index.html
My questions are the following: - Have any other developers run into this cerfication problem before? - Is anyone in the drupal community currently working to get Drupal certified for use in US Government projects? - Does anyone know exactly what cerfication would require from a development standpoint?
If there is interest in investigating this type of certification further, let me know. NIST, the department that certifies software, is just down the road from me. I could go investigate further.
Thanks Jon
Don't get me wrong. Nobody talking here about stupidity. All what I meant is all developers in the community would like to have at least a clue about what security issues are discovered. And deal with them on temporary basis on they own sites until final solution will be published. I'm not talking about detail explanation of what and how reported security issue can harm Drupal site. But may be some clue in order to deal with it. Or may be we need some special procedure to subscribe to such information. But I'm sure that many of us would like to know what is going on with fresh security discoveries. Victor Kane wrote:
On Wed, Oct 1, 2008 at 12:40 AM, Drupal Developer <lapurd@gmail.com> wrote:
Wow, I would like everybody to notice something right here.
In the message I reply to, Matt Farina said:
"The security team handles things in a tight way. When something is reported it's not opened up to the world. If the issue is valid it's handled behind closed doors until a fix and advisory is sent out." /end of citation/
I thought that Drupal is an open community of open source developers working under GPL license. Does it mean that ALL issues have to be openly reported to all community for everybody to review? Don't you all think that handling security issues behind closed doors until a fix and advisory will be sent out is sound more like corporate way of thinking on a way to develop something proprietary?
It's a GPL license, that's why I am sure the security team is open to anyone who is interested in helping out on that very important front.
But GPL doesn't mean that we have to be stupid as a community, and advertise exploits before a fix can be made and people given a chance to have a security fix to use.
Just as the corporate world, as we are finding out all over the world these days, certainly has no "monopoly over intelligence", or over doing what's best for all, open source communities can be smart too.
There's nothing proprietary about that. Quite the opposite, in fact: defending ourselves against conspiracies to wreak havoc certainly has to be the right of open source communities,
Victor Kane http://awebfactory.com.ar
I'm very concern about that and invite everybody to collaborate on this one.
Does Matt represent a real situation at this matter in Drupal development community? If not, then I'm sure that many people would like to know exactly what the process is for handling security issues from the moment they have been reported?
Thanks in advance, Alex
matt@mattfarina.com wrote:
Jon,
Thanks for your interest in this. I'm interested in this as well.
Some of their concerns seem to be over some misconceptions that might help to be cleared up.
Someone correct me if I'm wrong but drupal 4.0 was 10 major releases ago. 100 + advisories over 10 major releases isn't as many as the 3 which the numbering might look like. Before drupal 5 the major releases were point releases and not full number releases. On top of that, the security advisories cover contributed modules and have included other libraries used by drupal modules, such as getID3.
The security team handles things in a tight way. When something is reported it's not opened up to the world. If the issue is valid it's handled behind closed doors until a fix and advisory is sent out. Those advisories come out on Wednesdays so they can immediately be acted on.
I would be very curious as to what it would take to certification as well as their concerns.
Matt
Quoting Jon Saints <saintsjd@gmail.com>:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Because our project had been approved by higher ups within the department, we were paid for our work up to that point and asked to stop. Now, its up to the tax payers to foot a much larger bill for other developers to implement a proprietary and more "secure" (or secretive) solution.
The "transparency" of the Drupal project was one of the government's big objections. In their eyes, disclosing and fixing securit holes in a timely manner, is not the same thing as security. They pointed out the 100+ security disclosures since drupal 4.0 as a reason that the system could not be used. We noted that all these disclosures where quickly addressed, but that did not seem to matter.
I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal
The standards we would need to meet with drupal are: http://csrc.nist.gov/groups/SMA/fisma/index.html
My questions are the following: - Have any other developers run into this cerfication problem before? - Is anyone in the drupal community currently working to get Drupal certified for use in US Government projects? - Does anyone know exactly what cerfication would require from a development standpoint?
If there is interest in investigating this type of certification further, let me know. NIST, the department that certifies software, is just down the road from me. I could go investigate further.
Thanks Jon
I'm not talking about detail explanation of what and how reported security issue can harm Drupal site. But may be some clue in order to deal with it.
Our public SAs don't give details of how to exploit vulnerabilities, while of course the commit logs are there (but it's not always obvious from them either) - this is by design so that we're not simply giving out instructions to people on how to hack sites which don't upgrade in a timely fashion (of which there are many). However, to fix an issue, you need to know how to exploit it, so I'm not really sure what you're asking for here. If a contributed module is extremly insecure and there's not an immediate fix for it, we unpublish the module until an SA can be released for it (and you'll be informed that the module has been 'revoked' by update status).
Or may be we need some special procedure to subscribe to such information.
You can get SAs as soon as they're published via e-mail or RSS from http://drupal.org/security.
But I'm sure that many of us would like to know what is going on with fresh security discoveries.
Those who want to help fix new discoveries can offer to join the security team, I don't think 'would like to know what's going on' is sufficient though. Nat
Victor Kane wrote:
On Wed, Oct 1, 2008 at 12:40 AM, Drupal Developer <lapurd@gmail.com> <lapurd@gmail.com> wrote:
Wow, I would like everybody to notice something right here.
In the message I reply to, Matt Farina said:
"The security team handles things in a tight way. When something is reported it's not opened up to the world. If the issue is valid it's handled behind closed doors until a fix and advisory is sent out." /end of citation/
I thought that Drupal is an open community of open source developers working under GPL license. Does it mean that ALL issues have to be openly reported to all community for everybody to review? Don't you all think that handling security issues behind closed doors until a fix and advisory will be sent out is sound more like corporate way of thinking on a way to develop something proprietary?
It's a GPL license, that's why I am sure the security team is open to anyone who is interested in helping out on that very important front.
But GPL doesn't mean that we have to be stupid as a community, and advertise exploits before a fix can be made and people given a chance to have a security fix to use.
Just as the corporate world, as we are finding out all over the world these days, certainly has no "monopoly over intelligence", or over doing what's best for all, open source communities can be smart too.
There's nothing proprietary about that. Quite the opposite, in fact: defending ourselves against conspiracies to wreak havoc certainly has to be the right of open source communities,
Victor Kanehttp://awebfactory.com.ar
I'm very concern about that and invite everybody to collaborate on this one.
Does Matt represent a real situation at this matter in Drupal development community? If not, then I'm sure that many people would like to know exactly what the process is for handling security issues from the moment they have been reported?
Thanks in advance, Alex
matt@mattfarina.com wrote:
Jon,
Thanks for your interest in this. I'm interested in this as well.
Some of their concerns seem to be over some misconceptions that might help to be cleared up.
Someone correct me if I'm wrong but drupal 4.0 was 10 major releases ago. 100 + advisories over 10 major releases isn't as many as the 3 which the numbering might look like. Before drupal 5 the major releases were point releases and not full number releases. On top of that, the security advisories cover contributed modules and have included other libraries used by drupal modules, such as getID3.
The security team handles things in a tight way. When something is reported it's not opened up to the world. If the issue is valid it's handled behind closed doors until a fix and advisory is sent out. Those advisories come out on Wednesdays so they can immediately be acted on.
I would be very curious as to what it would take to certification as well as their concerns.
Matt
Quoting Jon Saints <saintsjd@gmail.com> <saintsjd@gmail.com>:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Because our project had been approved by higher ups within the department, we were paid for our work up to that point and asked to stop. Now, its up to the tax payers to foot a much larger bill for other developers to implement a proprietary and more "secure" (or secretive) solution.
The "transparency" of the Drupal project was one of the government's big objections. In their eyes, disclosing and fixing securit holes in a timely manner, is not the same thing as security. They pointed out the 100+ security disclosures since drupal 4.0 as a reason that the system could not be used. We noted that all these disclosures where quickly addressed, but that did not seem to matter.
I notice other governments around the world are using Drupal with great success and savings to citizens:http://buytaert.net/new-zealand-government-using-drupal
The standards we would need to meet with drupal are:http://csrc.nist.gov/groups/SMA/fisma/index.html
My questions are the following: - Have any other developers run into this cerfication problem before? - Is anyone in the drupal community currently working to get Drupal certified for use in US Government projects? - Does anyone know exactly what cerfication would require from a development standpoint?
If there is interest in investigating this type of certification further, let me know. NIST, the department that certifies software, is just down the road from me. I could go investigate further.
Thanks Jon
Okay, what is procedure then in order to join security forces here? If that is the only way to get information necessary to get the picture about latest security issues. Thanks in advance, Alex Nathaniel Catchpole wrote:
I'm not talking about detail explanation of what and how reported security issue can harm Drupal site. But may be some clue in order to deal with it.
Our public SAs don't give details of how to exploit vulnerabilities, while of course the commit logs are there (but it's not always obvious from them either) - this is by design so that we're not simply giving out instructions to people on how to hack sites which don't upgrade in a timely fashion (of which there are many). However, to fix an issue, you need to know how to exploit it, so I'm not really sure what you're asking for here.
If a contributed module is extremly insecure and there's not an immediate fix for it, we unpublish the module until an SA can be released for it (and you'll be informed that the module has been 'revoked' by update status).
Or may be we need some special procedure to subscribe to such information.
You can get SAs as soon as they're published via e-mail or RSS from http://drupal.org/security.
But I'm sure that many of us would like to know what is going on with fresh security discoveries.
Those who want to help fix new discoveries can offer to join the security team, I don't think 'would like to know what's going on' is sufficient though.
Nat
Victor Kane wrote:
On Wed, Oct 1, 2008 at 12:40 AM, Drupal Developer <lapurd@gmail.com> <lapurd@gmail.com> wrote:
Wow, I would like everybody to notice something right here.
In the message I reply to, Matt Farina said:
"The security team handles things in a tight way. When something is reported it's not opened up to the world. If the issue is valid it's handled behind closed doors until a fix and advisory is sent out." /end of citation/
I thought that Drupal is an open community of open source developers working under GPL license. Does it mean that ALL issues have to be openly reported to all community for everybody to review? Don't you all think that handling security issues behind closed doors until a fix and advisory will be sent out is sound more like corporate way of thinking on a way to develop something proprietary?
It's a GPL license, that's why I am sure the security team is open to anyone who is interested in helping out on that very important front.
But GPL doesn't mean that we have to be stupid as a community, and advertise exploits before a fix can be made and people given a chance to have a security fix to use.
Just as the corporate world, as we are finding out all over the world these days, certainly has no "monopoly over intelligence", or over doing what's best for all, open source communities can be smart too.
There's nothing proprietary about that. Quite the opposite, in fact: defending ourselves against conspiracies to wreak havoc certainly has to be the right of open source communities,
Victor Kanehttp://awebfactory.com.ar
I'm very concern about that and invite everybody to collaborate on this one.
Does Matt represent a real situation at this matter in Drupal development community? If not, then I'm sure that many people would like to know exactly what the process is for handling security issues from the moment they have been reported?
Thanks in advance, Alex
matt@mattfarina.com wrote:
Jon,
Thanks for your interest in this. I'm interested in this as well.
Some of their concerns seem to be over some misconceptions that might help to be cleared up.
Someone correct me if I'm wrong but drupal 4.0 was 10 major releases ago. 100 + advisories over 10 major releases isn't as many as the 3 which the numbering might look like. Before drupal 5 the major releases were point releases and not full number releases. On top of that, the security advisories cover contributed modules and have included other libraries used by drupal modules, such as getID3.
The security team handles things in a tight way. When something is reported it's not opened up to the world. If the issue is valid it's handled behind closed doors until a fix and advisory is sent out. Those advisories come out on Wednesdays so they can immediately be acted on.
I would be very curious as to what it would take to certification as well as their concerns.
Matt
Quoting Jon Saints <saintsjd@gmail.com> <saintsjd@gmail.com>:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Because our project had been approved by higher ups within the department, we were paid for our work up to that point and asked to stop. Now, its up to the tax payers to foot a much larger bill for other developers to implement a proprietary and more "secure" (or secretive) solution.
The "transparency" of the Drupal project was one of the government's big objections. In their eyes, disclosing and fixing securit holes in a timely manner, is not the same thing as security. They pointed out the 100+ security disclosures since drupal 4.0 as a reason that the system could not be used. We noted that all these disclosures where quickly addressed, but that did not seem to matter.
I notice other governments around the world are using Drupal with great success and savings to citizens:http://buytaert.net/new-zealand-government-using-drupal
The standards we would need to meet with drupal are:http://csrc.nist.gov/groups/SMA/fisma/index.html
My questions are the following: - Have any other developers run into this cerfication problem before? - Is anyone in the drupal community currently working to get Drupal certified for use in US Government projects? - Does anyone know exactly what cerfication would require from a development standpoint?
If there is interest in investigating this type of certification further, let me know. NIST, the department that certifies software, is just down the road from me. I could go investigate further.
Thanks Jon
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Drupal Developer schrieb:
Okay, what is procedure then in order to join security forces here? If that is the only way to get information necessary to get the picture about latest security issues.
Based on your comments I'll veto you joining the team. Cheers, Gerhard -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFI40oRfg6TFvELooQRAnI8AJ0Znjj7GuEqtjwVQmFUXp1c4PLqRACeM202 jt0q7PeW1EdnQgz3qdBIV3s= =m+Mo -----END PGP SIGNATURE-----
In my view it is just demonstration of corporate nature of your thinking. BTW, if somebody in the open community got power to veto somebody out from doing something good, then how do you think it is reflecting on image of this community as "open" one? It is not the way to operate in the open community of developers. If I have some different opinion on something like how vulnerabilities have to be reported to community before they got fixed, it does not mean that I can not help security team to fix it. Gerhard Killesreiter wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Drupal Developer schrieb:
Okay, what is procedure then in order to join security forces here? If that is the only way to get information necessary to get the picture about latest security issues.
Based on your comments I'll veto you joining the team.
Cheers, Gerhard -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFI40oRfg6TFvELooQRAnI8AJ0Znjj7GuEqtjwVQmFUXp1c4PLqRACeM202 jt0q7PeW1EdnQgz3qdBIV3s= =m+Mo -----END PGP SIGNATURE-----
On Wed, Oct 1, 2008 at 12:12 PM, Drupal Developer <lapurd@gmail.com> wrote:
In my view it is just demonstration of corporate nature of your thinking. BTW, if somebody in the open community got power to veto somebody out from doing something good, then how do you think it is reflecting on image of this community as "open" one? It is not the way to operate in the open community of developers. If I have some different opinion on something like how vulnerabilities have to be reported to community before they got fixed, it does not mean that I can not help security team to fix it.
"Corporate nature" of Gerhard? You are so funny. First, let me point out that "Drupal Developer" is not that good a name for sending emails to a community mailing list (that, or your mother was really angry when she named you). You are not applying to yourself the transparency principles that you are promoting. Then, our community (and most other opensource communities) values action and contribution against anything else. That's why Gerhard speak has a lot of value here. Damien Tournoud
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Drupal Developer schrieb:
In my view it is just demonstration of corporate nature of your thinking.
The nature of my thinking is of no concern to you.
BTW, if somebody in the open community got power to veto somebody
"veto" was not correctly chosen, "vote against" would be more correct.
out from doing something good,
What good would you want to do? To me it seems your main interest would be to get to know potential security issues before others.
then how do you think it is reflecting on image of this community as "open" one? It is not the
I've personally never been a proponent of "everything must be open at all cost".
way to operate in the open community of developers. If I have some
I am not sure, but I guess every other OS security team operates in the same way.
different opinion on something like how vulnerabilities have to be reported to community before they got fixed, it does not mean that I can not help security team to fix it.
If you are actually qualified to work on the security team and your motives are others than what I think they are, you are welcome to apply at security@drupal.org. Cheers, Gerhard -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFI41dqfg6TFvELooQRAuV7AJ4uJX+0tSzEp19JJKC/sG4Lf4ow0wCeM11v QBRakG9MYkxUveU4Bpbo52s= =DMQh -----END PGP SIGNATURE-----
On Oct 1, 2008, at 2:29 AM, Drupal Developer wrote:
Okay, what is procedure then in order to join security forces here? If that is the only way to get information necessary to get the picture about latest security issues.
Nat's email already told you this: On Oct 1, 2008, at 1:44 AM, Nathaniel Catchpole wrote:
Those who want to help fix new discoveries can offer to join the security team, I don't think 'would like to know what's going on' is sufficient though.
As a member of the (overworked and understaffed) security team, I can tell you right now that we'd reject your application on these grounds. And not because we're demonstrating a "corporate" thinking process. We're trying to protect the very openness of the developer community you're trying to be so concerned with. If you said "I'm really interested in security and want to help fix vulnerabilities, here are my skills I'm bringing to the table, references that prove [sic] I'm not malicious, etc", we'd strongly consider it. But, based on the motivation you've already put forward in this thread -- "I wanna be the first to know so I can try to protect my sites" -- is not going to fly. On Oct 1, 2008, at 1:19 AM, Drupal Developer wrote:
All what I meant is all developers in the community would like to have at least a clue about what security issues are discovered.
And deal with them on temporary basis on they own sites until final solution will be published. I'm not talking about detail explanation of what and how reported security issue can harm Drupal site. But may be some clue in order to deal with it.
Again, the only way to give a "clue in order to deal with it" is to "give a clue how to exploit it". I'm sure the hackers reading that information will be much better suited to act on these clues than the average site admins who aren't well versed in security exploits.
Or may be we need some special procedure to subscribe to such information.
Any "special procedure to subscribe to such information" that scales to a group of people larger than the security team can't possibly keep the "bad" people out and only let in "good" people. It's already a risk we take letting new forces join the security team itself. No way could we have any reasonable hope of keeping the "initial clue about possible vulnerabilities" list secure. Malicious users *will* read that information, and use it to harm Drupal sites.
But I'm sure that many of us would like to know what is going on with fresh security discoveries.
Indeed, especially hackers. ;) Drupal follows a long established policy of "Responsible disclosure"[1] of discovered vulnerabilities. Nothing about this contradicts the GPL or the openness of the Drupal community in general. In fact, if we did what you suggest, I'm sure far fewer people would be using Drupal (rightfully so). Cheers, -Derek (dww) [1] http://www.sans.org/reading_room/whitepapers/threats/932.php
It is just sad that the only thing you see in my notes is intention to get this kind of information at soon as possible. But you are denning to see that I also can help you. Do not you think that it is the one of the natural reason to join any kind of security team, and second reason to fix those problem? Derek Wright wrote:
On Oct 1, 2008, at 2:29 AM, Drupal Developer wrote:
Okay, what is procedure then in order to join security forces here? If that is the only way to get information necessary to get the picture about latest security issues.
Nat's email already told you this:
On Oct 1, 2008, at 1:44 AM, Nathaniel Catchpole wrote:
Those who want to help fix new discoveries can offer to join the security team, I don't think 'would like to know what's going on' is sufficient though.
As a member of the (overworked and understaffed) security team, I can tell you right now that we'd reject your application on these grounds. And not because we're demonstrating a "corporate" thinking process. We're trying to protect the very openness of the developer community you're trying to be so concerned with. If you said "I'm really interested in security and want to help fix vulnerabilities, here are my skills I'm bringing to the table, references that prove [sic] I'm not malicious, etc", we'd strongly consider it. But, based on the motivation you've already put forward in this thread -- "I wanna be the first to know so I can try to protect my sites" -- is not going to fly.
On Oct 1, 2008, at 1:19 AM, Drupal Developer wrote:
All what I meant is all developers in the community would like to have at least a clue about what security issues are discovered.
And deal with them on temporary basis on they own sites until final solution will be published. I'm not talking about detail explanation of what and how reported security issue can harm Drupal site. But may be some clue in order to deal with it.
Again, the only way to give a "clue in order to deal with it" is to "give a clue how to exploit it". I'm sure the hackers reading that information will be much better suited to act on these clues than the average site admins who aren't well versed in security exploits.
Or may be we need some special procedure to subscribe to such information.
Any "special procedure to subscribe to such information" that scales to a group of people larger than the security team can't possibly keep the "bad" people out and only let in "good" people. It's already a risk we take letting new forces join the security team itself. No way could we have any reasonable hope of keeping the "initial clue about possible vulnerabilities" list secure. Malicious users *will* read that information, and use it to harm Drupal sites.
But I'm sure that many of us would like to know what is going on with fresh security discoveries.
Indeed, especially hackers. ;) Drupal follows a long established policy of "Responsible disclosure"[1] of discovered vulnerabilities. Nothing about this contradicts the GPL or the openness of the Drupal community in general. In fact, if we did what you suggest, I'm sure far fewer people would be using Drupal (rightfully so).
Cheers, -Derek (dww)
[1] http://www.sans.org/reading_room/whitepapers/threats/932.php
On Oct 1, 2008, at 3:37 AM, Web Developer wrote:
It is just sad that the only thing you see in my notes is intention to get this kind of information at soon as possible.
It is just sad that you're not paying attention to what we're saying. Another reason you probably wouldn't be a good fit for the security team. ;) I explicitly wrote:
If you said "I'm really interested in security and want to help fix vulnerabilities, here are my skills I'm bringing to the table, references that prove [sic] I'm not malicious, etc", we'd strongly consider it.
You *never* said *anything* like that in this entire thread. All you've said can be summarized with these 3 quotes: 1) "I thought that Drupal is an open community of open source developers working under GPL license. Does it mean that ALL issues have to be openly reported to all community for everybody to review? Don't you all think that handling security issues behind closed doors until a fix and advisory will be sent out is sound more like corporate way of thinking on a way to develop something proprietary?" 2) "All what I meant is all developers in the community would like to have at least a clue about what security issues are discovered. And deal with them on temporary basis on they own sites until final solution will be published." 3) "Okay, what is procedure then in order to join security forces here? If that is the only way to get information necessary to get the picture about latest security issues." Many of us have tried to point out the weaknesses in the logic of #1 and #2, and tried to explain why #3 is not a sufficient reason to join the security team. You've just kept coming back saying that the security team is closed (true), corporate (false), and that no one is reading between the lines of your messages that what you *really* mean is "I'd love to help fix vulnerabilities because I'm a security expert and I have an established track record of closing exploits through careful audits, thorough testing, and responsible disclosure." Please. I'm glad you raised your concern (we are an open development community, and discussing concerns like this is part of that), but the overwhelming response has been: "NO, that'd be crazy, we prefer a closed security team and responsible disclosure". It's ok to be outvoted, just be honest and graceful about it and no one will think poorly of you... -Derek (dww)
On 01/10/2008, at 13.00, Derek Wright wrote:
I'm glad you raised your concern (we are an open development community, and discussing concerns like this is part of that), but the overwhelming response has been: "NO, that'd be crazy, we prefer a closed security team and responsible disclosure".
I'd just like to say that Derek is completely and absolutely right here. Responsible disclosure is the only way we can reasonably handle security vulnerabilities, and were it not for that policy, I would not be using Drupal for anything remotely important, because the chance of some guy being quicker than me and hitting me with a zero-day exploit would be unreasonably high. So while you might disagree, I think the great majority of Drupal developers are quite happy about this policy, and I don't think it'll change in the near future. -- Kind regards, Mikkel Høgh <mikkel@hoegh.org>
If more of Drupal community members will know about newest vulnerabilities, then faster these vulnerabilities will be resolved. As I have mention in my previous message - it is not necessary to expose exploit info. Some might say that hacker will then make more damage. Well let me inform you - hacker can exploit problems on your server on they own even without any problem description. You can be your own "hacker" by simply evaluating your web applications and web sites with many vulnerabilities assessment and testing tools available on a market (many of them is open source). The only issue here that I see is security team is not trust to Drupal community own members. May be some solution is possible here like a member certification program. Which can be considered as transitional from "non-trusted" (simple Drupal user) to trusted developer who can help in his spare time without be under pressure of security team bosses. Alex Mikkel Høgh wrote:
On 01/10/2008, at 13.00, Derek Wright wrote:
I'm glad you raised your concern (we are an open development community, and discussing concerns like this is part of that), but the overwhelming response has been: "NO, that'd be crazy, we prefer a closed security team and responsible disclosure".
I'd just like to say that Derek is completely and absolutely right here. Responsible disclosure is the only way we can reasonably handle security vulnerabilities, and were it not for that policy, I would not be using Drupal for anything remotely important, because the chance of some guy being quicker than me and hitting me with a zero-day exploit would be unreasonably high.
So while you might disagree, I think the great majority of Drupal developers are quite happy about this policy, and I don't think it'll change in the near future.
-- Kind regards,
Mikkel Høgh <mikkel@hoegh.org>
On Wed, Oct 1, 2008 at 2:49 PM, Web Developer wrote:
trusted developer who can help in his spare time
This describes al members of the security team
under pressure of security team bosses.
This doesn't describe any members of the security team.
Nat
If you think that oldest BugTraq "full disclosure" listing has a weak logic behind, then you are mistaken (http://www.securityfocus.com). BugTraq as well expose vulnerabilities that does not have solutions yet. All what I have tried to explain that it does not mean that exploit information has to be exposed. But detail description of the problem can help on its own even before solution come out. For me as for open source developer it is kind of natural to associate limited disclosure or after solution disclosure with corporations like a Microsoft and such but not with open source community. Another good reason well explained on <http://en.wikipedia.org/wiki/Vulnerability_(computer_science)>: "Analysis and risk rating ensure the quality of the disclosed information. The analysis must include enough details to allow a concerned user of the software to assess his individual risk or take immediate action to protect his assets." Which is, btw, is very well mentioned in NIST Special Publication 800-51 "Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme" <http://csrc.nist.gov/publications/nistpubs/800-51/sp800-51.pdf>. If Drupal security team made a decision to follow another path, its okay. But you should not judge another people in this matter so quick. Anyway, I have tried to be polite but since I have receive such a suspicious in bad intentions and arrogant perception here (at least that is what I feel now), I think I will standout for now in my true intentions to help and let you enjoy status of "overworked and understaffed" security team. Alex Derek Wright wrote:
On Oct 1, 2008, at 3:37 AM, Web Developer wrote:
It is just sad that the only thing you see in my notes is intention to get this kind of information at soon as possible.
It is just sad that you're not paying attention to what we're saying. Another reason you probably wouldn't be a good fit for the security team. ;)
I explicitly wrote:
If you said "I'm really interested in security and want to help fix vulnerabilities, here are my skills I'm bringing to the table, references that prove [sic] I'm not malicious, etc", we'd strongly consider it.
You *never* said *anything* like that in this entire thread. All you've said can be summarized with these 3 quotes:
1) "I thought that Drupal is an open community of open source developers working under GPL license. Does it mean that ALL issues have to be openly reported to all community for everybody to review? Don't you all think that handling security issues behind closed doors until a fix and advisory will be sent out is sound more like corporate way of thinking on a way to develop something proprietary?"
2) "All what I meant is all developers in the community would like to have at least a clue about what security issues are discovered. And deal with them on temporary basis on they own sites until final solution will be published."
3) "Okay, what is procedure then in order to join security forces here? If that is the only way to get information necessary to get the picture about latest security issues."
Many of us have tried to point out the weaknesses in the logic of #1 and #2, and tried to explain why #3 is not a sufficient reason to join the security team. You've just kept coming back saying that the security team is closed (true), corporate (false), and that no one is reading between the lines of your messages that what you *really* mean is "I'd love to help fix vulnerabilities because I'm a security expert and I have an established track record of closing exploits through careful audits, thorough testing, and responsible disclosure." Please.
I'm glad you raised your concern (we are an open development community, and discussing concerns like this is part of that), but the overwhelming response has been: "NO, that'd be crazy, we prefer a closed security team and responsible disclosure". It's ok to be outvoted, just be honest and graceful about it and no one will think poorly of you...
-Derek (dww)
it does not mean that exploit information has to be exposed. But detail description of the problem can help on its own even before solution come out. I am sorry, but even a guy with a Security+ certification (in other words, me :) ) can see the flawed logic in this statement. A detailed description of the problem is a description of the vulnerability that attackers would EXACTLY be looking for. Patrick Teglia On Wed, Oct 1, 2008 at 7:19 AM, Web Developer <lapurd@gmail.com> wrote:
it does not mean that exploit information has to be exposed. But detail description of the problem can help on its own even before solution come out.
Is it everybody here so quick to see another person logic flaw, where in fact you just have to think a little further? I did not suggest that you have to give such detail description that will expose exploit right away. But I'm sure in most cases experienced developer/tester can come up with explanatory description without exposing too much. I agree that some problem could be so obvious so any explanation will expose exploit info. Okay, but it is only one case. There are many problems that are not so obvious. Alex Patrick Teglia wrote:
it does not mean that exploit information has to be exposed. But detail description of the problem can help on its own even before solution come out.
I am sorry, but even a guy with a Security+ certification (in other words, me :) ) can see the flawed logic in this statement. A detailed description of the problem is a description of the vulnerability that attackers would EXACTLY be looking for.
Patrick Teglia
On Wed, Oct 1, 2008 at 7:19 AM, Web Developer <lapurd@gmail.com> wrote:
it does not mean that exploit information has to be exposed. But detail description of the problem can help on its own even before solution come out.
I think that the process currently in place has proven itself over time to be reliable and accountable to the community. There are very few restrictions in place that would prevent a member of the Drupal community from joining the security team, but I am glad that there is a vetting process that ensures that the skills and motivation of the security team members is in-line with the goals of that team and the community-at-large. The security review and resolution process at drupal is one of the things that has allowed my company to use drupal as a part of systems that handle ePHI (electronic protected health information) which have been successfully audited as HIPAA (Health Insurance Portability and Accountability Act) compliant. --Eric On Wed, October 1, 2008 10:08 am, Web Developer wrote:
Is it everybody here so quick to see another person logic flaw, where in fact you just have to think a little further?
I did not suggest that you have to give such detail description that will expose exploit right away. But I'm sure in most cases experienced developer/tester can come up with explanatory description without exposing too much. I agree that some problem could be so obvious so any explanation will expose exploit info. Okay, but it is only one case. There are many problems that are not so obvious.
Alex
Patrick Teglia wrote:
it does not mean that exploit information has to be exposed. But detail description of the problem can help on its own even before solution come out. I am sorry, but even a guy with a Security+ certification (in other words, me :) ) can see the flawed logic in this statement. A detailed description of the problem is a description of the vulnerability that attackers would EXACTLY be looking for. Patrick Teglia On Wed, Oct 1, 2008 at 7:19 AM, Web Developer <lapurd@gmail.com> wrote:
it does not mean that exploit information has to be exposed. But detail description of the problem can help on its own even before solution come out.
Back to topic:
The security review and resolution process at drupal is one of the things that has allowed my company to use drupal as a part of systems that handle ePHI (electronic protected health information) which have been successfully audited as HIPAA (Health Insurance Portability and Accountability Act) compliant.
--Eric
This sounds like a handbook page about certifications, policies, and auditions of Drupal is in order? Maybe we can add consultants/agencies/shops who managed to achieve or approve them for each entry as a reference. That list might also contain revoked attempts, and would fit best in the "About Drupal" handbook, of course. Cross-posting this to consulting list. Daniel
On Wed, October 1, 2008 11:37 am, Daniel F. Kudwien wrote:
Back to topic:
The security review and resolution process at drupal is one of the things that has allowed my company to use drupal as a part of systems that handle ePHI (electronic protected health information) which have been successfully audited as HIPAA (Health Insurance Portability and Accountability Act) compliant. --Eric
This sounds like a handbook page about certifications, policies, and auditions of Drupal is in order? Maybe we can add consultants/agencies/shops who managed to achieve or approve them for each entry as a reference. That list might also contain revoked attempts, and would fit best in the "About Drupal" handbook, of course.
Cross-posting this to consulting list.
Daniel
I'd like to make sure that this discussion happens in one place so it can be easier to follow. In the future, it would be nice to be asked before a part of my email is send with no context to another list. here is what I posted to the consulting list: I would be glad to participate a discussion about your idea, but let me start by saying that I'm not comfortable with one paragraph of an email from me that was part of a lengthy discussion about durpal security issues crossposted without any additional context. For those not on the development list, you can read the thread at http://lists.drupal.org/pipermail/development/2008-October/031097.html to put my statement in full context of the larger discussion. --Eric
On Wed, Oct 1, 2008 at 4:08 PM, Web Developer <lapurd@gmail.com> wrote:
I did not suggest that you have to give such detail description that will expose exploit right away. But I'm sure in most cases experienced developer/tester can come up with explanatory description without exposing too much. I agree that some problem could be so obvious so any explanation will expose exploit info. Okay, but it is only one case. There are many problems that are not so obvious.
Our security process can be thought as complying with "responsible disclosure", as described for example in the RFPolicy [1]. Close cooperation between security researchers and vendors (ie. us, the Drupal community) in private before the security vulnerability has been disclosed has largely proven to be the good way to deal with this kind of issues. Our community is open. Discussing issues "inside" the community means nothing more than discussing those publicly. Damien Tournoud [1] http://www.wiretrip.net/rfp/policy.html
If you really feel this is the better way to go I'd suggest a change of strategy. The current process is not only popular but works well and is useful. If there is going to be a change from it to something else there needs to be a an obvious benefit that works with the cost/time/resources needed to do such a thing. Put together a proposed change from the current setup, preform a cost benefit analysis on that, and then try to sell the people who can affect a change on this in the drupal community. In trying to sell them show them the personal benefit to them and the community over the current process. (You aren't doing this now and seem to be alienating the very people you need to sell this to.) If you don't think you can sell them or this seems like too much work I'd suggest saving face and backing down on this issue. Otherwise a bunch of us have to read emails (or spend time deleting them) in what is turning into an unproductive conversation. Quoting Web Developer <lapurd@gmail.com>:
Is it everybody here so quick to see another person logic flaw, where in fact you just have to think a little further?
I did not suggest that you have to give such detail description that will expose exploit right away. But I'm sure in most cases experienced developer/tester can come up with explanatory description without exposing too much. I agree that some problem could be so obvious so any explanation will expose exploit info. Okay, but it is only one case. There are many problems that are not so obvious.
Alex
Patrick Teglia wrote:
it does not mean that exploit information has to be exposed. But detail description of the problem can help on its own even before solution come out.
I am sorry, but even a guy with a Security+ certification (in other words, me :) ) can see the flawed logic in this statement. A detailed description of the problem is a description of the vulnerability that attackers would EXACTLY be looking for.
Patrick Teglia
On Wed, Oct 1, 2008 at 7:19 AM, Web Developer <lapurd@gmail.com> wrote:
it does not mean that exploit information has to be exposed. But detail description of the problem can help on its own even before solution come out.
All what I have tried to explain that it does not mean that exploit information has to be exposed.
This is what actually happens already: Security team receives a security report, does deep analysis of the potential problem, and if the report turns out to be valid, the security team aids the corresponding module maintainer to fix the vulnerability. The exploit information is made public when a fix for all users is available.
"Analysis and risk rating ensure the quality of the disclosed information. The analysis must include enough details to allow a concerned user of the software to assess his individual risk or take immediate action to protect his assets."
This, too, is what happens: All subscribers of the security announcements newsletter receive a mail for each and every fixed vulnerability throughout Drupal core AND contributed modules.
If Drupal security team made a decision to follow another path, its okay. But you should not judge another people in this matter so quick. Anyway, I have tried to be polite but since I have receive such a suspicious in bad intentions and arrogant perception here (at least that is what I feel now), I think I will standout for now in my true intentions to help and let you enjoy status of "overworked and understaffed" security team.
Alex
Look, I do not belong to the security team either (albeit I considered to join for helping out already). However, I /feel/ very safe knowing that we have top-notch contributors in this team, doing an excellent job on reviewing and solving all security issues. To be honest, I would not like to see an arbitrary "Web Developer" (ex. "Drupal Developer") there either. As a regular Drupal contributor and user, I know the contributions of /each/ security team member, which makes me believe that they are experts in all Drupal areas - and friends I can trust. I would recommend you to contribute more to Drupal, get some kudos for your valuable contributions, and then ask again. Thanks, Daniel
http://drupal.org/security-team#report-issue It's on the top of every "Submit Issue" page on drupal.org. Any code that is in an official release of Drupal is 100% open. Nothing in the GPL prevents the bug fixes *prior* to release from being performed in a non-public manner. -Mike On Oct 1, 2008, at 12:40 AM, Drupal Developer wrote:
Wow, I would like everybody to notice something right here.
In the message I reply to, Matt Farina said:
"The security team handles things in a tight way. When something is reported it's not opened up to the world. If the issue is valid it's handled behind closed doors until a fix and advisory is sent out." / end of citation/
I thought that Drupal is an open community of open source developers working under GPL license. Does it mean that ALL issues have to be openly reported to all community for everybody to review? Don't you all think that handling security issues behind closed doors until a fix and advisory will be sent out is sound more like corporate way of thinking on a way to develop something proprietary?
I'm very concern about that and invite everybody to collaborate on this one.
Does Matt represent a real situation at this matter in Drupal development community? If not, then I'm sure that many people would like to know exactly what the process is for handling security issues from the moment they have been reported?
__________________ Michael Prasuhn mike@mikeyp.net http://mikeyp.net
Drupal Developer wrote:
Wow, I would like everybody to notice something right here. Please stop feeding the troll. Those of us who pay attention all understand and agree with the existing security infrastructure and appreciate the hardwork and thankless job that is managing exploits in a timely fashion. There isn't a debate to be found here, only a waste of time. -- Michael Favia
On Tue, Sep 30, 2008 at 11:14 AM, Jon Saints <saintsjd@gmail.com> wrote:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Hello Jon Apart from the "100+ since 4.0" mentioned below, what else did they criticize? If there is a report that they issued, you can share it with the security team for a review. Email it to security@drupal.org.
Because our project had been approved by higher ups within the department, we were paid for our work up to that point and asked to stop. Now, its up to the tax payers to foot a much larger bill for other developers to implement a proprietary and more "secure" (or secretive) solution.
The "transparency" of the Drupal project was one of the government's big objections. In their eyes, disclosing and fixing securit holes in a timely manner, is not the same thing as security. They pointed out the 100+ security disclosures since drupal 4.0 as a reason that the system could not be used. We noted that all these disclosures where quickly addressed, but that did not seem to matter.
I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal
The standards we would need to meet with drupal are: http://csrc.nist.gov/groups/SMA/fisma/index.html
My questions are the following: - Have any other developers run into this cerfication problem before? - Is anyone in the drupal community currently working to get Drupal certified for use in US Government projects? - Does anyone know exactly what cerfication would require from a development standpoint?
If there is interest in investigating this type of certification further, let me know. NIST, the department that certifies software, is just down the road from me. I could go investigate further.
Thanks Jon
-- Khalid M. Baheyeldin 2bits.com, Inc. http://2bits.com Drupal optimization, development, customization and consulting.
Jon, I've used Open Source and on government projects before, primarily on the defense side -- I'm not sure if this was a civilian or defense project. I know that in my previous company, we even needed our commercial software certified, and it was a pretty lengthy process to get it completed based on the updates I heard of the course of several months. Unfortunately, I was only peripherally involved so I don't have many details of the process. I do know from some folks I've talked to quite recently that multiple agencies in the Defense Department are using Drupal -- though primarily for non-classified work. There is an arduous process to get your software cleared for deployment on the classified networks and it typically involves not only the software itself, but lots of bureaucratic questions about how it's created. Chuck Chuck D'Antonio Sr. Director Professional Services Acquia, Inc. Mobile +1.617.388.1120 On Sep 30, 2008, at 11:14 AM, Jon Saints wrote:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Because our project had been approved by higher ups within the department, we were paid for our work up to that point and asked to stop. Now, its up to the tax payers to foot a much larger bill for other developers to implement a proprietary and more "secure" (or secretive) solution.
The "transparency" of the Drupal project was one of the government's big objections. In their eyes, disclosing and fixing securit holes in a timely manner, is not the same thing as security. They pointed out the 100+ security disclosures since drupal 4.0 as a reason that the system could not be used. We noted that all these disclosures where quickly addressed, but that did not seem to matter.
I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal
The standards we would need to meet with drupal are: http://csrc.nist.gov/groups/SMA/fisma/index.html
My questions are the following: - Have any other developers run into this cerfication problem before? - Is anyone in the drupal community currently working to get Drupal certified for use in US Government projects? - Does anyone know exactly what cerfication would require from a development standpoint?
If there is interest in investigating this type of certification further, let me know. NIST, the department that certifies software, is just down the road from me. I could go investigate further.
Thanks Jon
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jon Saints schrieb:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Just out of interest: What kind of information are we talking about? Tax numbers, bank accounts? [...]
I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal
Seems like a showcase site only. Cheers, Gerhard -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFI4kdWfg6TFvELooQRArp1AKCdXFYZDMztJ7wrhhiOJOFG4q3/lACfbsXK BX1vLaioeWG348yH/V/ufKs= =yFhK -----END PGP SIGNATURE-----
The names of Citizens are collected on the website along with some personal contact information. We were told that our application required the Medium level security certification. For collecting more sensitive information, certification becomes nearly impossible. Thanks Jon On Tue, Sep 30, 2008 at 9:35 AM, Gerhard Killesreiter < gerhard@killesreiter.de> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Jon Saints schrieb:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Just out of interest: What kind of information are we talking about? Tax numbers, bank accounts?
[...]
I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal
Seems like a showcase site only.
Cheers, Gerhard -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFI4kdWfg6TFvELooQRArp1AKCdXFYZDMztJ7wrhhiOJOFG4q3/lACfbsXK BX1vLaioeWG348yH/V/ufKs= =yFhK -----END PGP SIGNATURE-----
Which government security review/standard? There are dozens if not hundreds of competing standards/programs and levels of auditing and determination depending on which department you are dealing with. For example just one program was formerly known as DITSCAP and is now DIACAP. Many of these have more to do with procedures and policies then code. Steven On Tue, Sep 30, 2008 at 8:40 AM, Jon Saints <saintsjd@gmail.com> wrote:
The names of Citizens are collected on the website along with some personal contact information. We were told that our application required the Medium level security certification.
For collecting more sensitive information, certification becomes nearly impossible.
Thanks Jon
On Tue, Sep 30, 2008 at 9:35 AM, Gerhard Killesreiter <gerhard@killesreiter.de> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Jon Saints schrieb:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Just out of interest: What kind of information are we talking about? Tax numbers, bank accounts?
[...]
I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal
Seems like a showcase site only.
Cheers, Gerhard -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFI4kdWfg6TFvELooQRArp1AKCdXFYZDMztJ7wrhhiOJOFG4q3/lACfbsXK BX1vLaioeWG348yH/V/ufKs= =yFhK -----END PGP SIGNATURE-----
I've read all the messages in this thread, but I want to build on what Steven has to say here. Please allow one disclaimer so I don't get myself in trouble. Although I work for the federal government, I do not speak for the federal government nor from my position in the federal government. I'm simply a Drupal fan. Steven is right about the number of competing standards/programs and levels of reviews/audits/and certification that go on in the federal government. In many of the cases with FISMA (one of the standards Joe links to in his first message), the certification that takes place in most agencies are for systems and not in particular a single application such as Drupal. In many respects this is a bottom-up certification where each person in the chain certifies to their supervisor that a system follows agency rules, guidelines and federal laws in making sure the system is secure, properly patched, and all risks have been identified/minimized. It is a very difficult and laborious process in trying to policy put into practice. My agency utilizes a mix of Unix, Linux, and Windows systems. On our administrative PCs we run a mix of propriety and open source software (we've used Thunderbird as our official email client for years). On our operational systems all our applications and OS are open source or built in-house applications (utilizing Java, Tcl, Python, and variations of C). Federal agencies can and do adopt open source for their applications. In fact, I've seen the certification process knock out more propriety systems than open source systems especially if they're aging systems with little in the way of user access control granted. Every year, I have to have one necessary propriety system given an exception since it doesn't quite meet the requirements...and this system can't even be networked into the office LAN. Here is my guess as to why Drupal wasn't accepted, without getting deep into the policy. As I said at the start, from the system owner all the way up through the agency's management up to the CIO...EVERYONE has to certify that the system is secure and risks have been identified/minimized. This is especially true when it comes to personally identifiable information (PII) and/or if the system is outside the firewall. In order for all those people to sign on to the certification, they each have to have an understanding of the system. My guess is that someone was not comfortable with their own understanding of Drupal or open source to know whether the system would meet all the requirements (especially if they're racing to complete budgets/certifications during the final hours of the fiscal year. The fact is some agencies or managers in those agencies just don't have an understanding of the open source model and are very cautious in moving away from what they know. Eventually, we'll have to educate them. Joe, what strikes me as odd though is that before a project is approved these days the security requirements are understood. It sounds to me as if someone on the federal side didn't do their job in working with and informing the IT Security Officer about what this project was all about. Very interesting and I hope it never happens to me. BryanSD Steven Peck wrote:
Which government security review/standard?
There are dozens if not hundreds of competing standards/programs and levels of auditing and determination depending on which department you are dealing with. For example just one program was formerly known as DITSCAP and is now DIACAP.
Many of these have more to do with procedures and policies then code.
Steven
On Tue, Sep 30, 2008 at 8:40 AM, Jon Saints <saintsjd@gmail.com> wrote:
The names of Citizens are collected on the website along with some personal contact information. We were told that our application required the Medium level security certification.
For collecting more sensitive information, certification becomes nearly impossible.
Thanks Jon
On Tue, Sep 30, 2008 at 9:35 AM, Gerhard Killesreiter <gerhard@killesreiter.de> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Jon Saints schrieb:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Just out of interest: What kind of information are we talking about? Tax numbers, bank accounts?
[...]
I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal
Seems like a showcase site only.
Cheers, Gerhard -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFI4kdWfg6TFvELooQRArp1AKCdXFYZDMztJ7wrhhiOJOFG4q3/lACfbsXK BX1vLaioeWG348yH/V/ufKs= =yFhK -----END PGP SIGNATURE-----
Thanks for all the informative comments. The discussion has been most helpful. Its does appear that our case was the result of a decision of an individual (who maybe is not familiar with Drupal), and not a sign of general opposition by the government to Open Source software. That is good to know. Reading through NIST's documentation it seems that certification for software to meet the FISMA standards usually takes years. As others have pointed out, this is just one of many different standards that the government has for software. Its unclear to me where we could even start to certify Drupal for government use. The lesson here... approval of open source tools seems to happen on a case by case and department by department basis. Even if your project is approved by a Department heads, ask for a review of the proposal by the Security Officer in charge before work begins. In our case, I am not sure why that did not happen until half way through the project. We are just learning to work for the government. So this is a lesson we will take carefully into all our work from here on. I have contacted NIST to see if I could sit down and chat with someone to bring up some of our questions posted in this thread. If I do get a conversation, I will be sure to post the comments back to the group here. I have also asked them for alist of the approved content management systems so we can get an idea of which companies/projects have achieved certification. Thanks Jon On Tue, Sep 30, 2008 at 8:47 PM, Bryan Ruby <bryan@cmsreport.com> wrote:
I've read all the messages in this thread, but I want to build on what Steven has to say here. Please allow one disclaimer so I don't get myself in trouble. Although I work for the federal government, I do not speak for the federal government nor from my position in the federal government. I'm simply a Drupal fan.
Steven is right about the number of competing standards/programs and levels of reviews/audits/and certification that go on in the federal government. In many of the cases with FISMA (one of the standards Joe links to in his first message), the certification that takes place in most agencies are for systems and not in particular a single application such as Drupal. In many respects this is a bottom-up certification where each person in the chain certifies to their supervisor that a system follows agency rules, guidelines and federal laws in making sure the system is secure, properly patched, and all risks have been identified/minimized. It is a very difficult and laborious process in trying to policy put into practice.
My agency utilizes a mix of Unix, Linux, and Windows systems. On our administrative PCs we run a mix of propriety and open source software (we've used Thunderbird as our official email client for years). On our operational systems all our applications and OS are open source or built in-house applications (utilizing Java, Tcl, Python, and variations of C). Federal agencies can and do adopt open source for their applications. In fact, I've seen the certification process knock out more propriety systems than open source systems especially if they're aging systems with little in the way of user access control granted. Every year, I have to have one necessary propriety system given an exception since it doesn't quite meet the requirements...and this system can't even be networked into the office LAN.
Here is my guess as to why Drupal wasn't accepted, without getting deep into the policy. As I said at the start, from the system owner all the way up through the agency's management up to the CIO...EVERYONE has to certify that the system is secure and risks have been identified/minimized. This is especially true when it comes to personally identifiable information (PII) and/or if the system is outside the firewall. In order for all those people to sign on to the certification, they each have to have an understanding of the system. My guess is that someone was not comfortable with their own understanding of Drupal or open source to know whether the system would meet all the requirements (especially if they're racing to complete budgets/certifications during the final hours of the fiscal year. The fact is some agencies or managers in those agencies just don't have an understanding of the open source model and are very cautious in moving away from what they know. Eventually, we'll have to educate them.
Joe, what strikes me as odd though is that before a project is approved these days the security requirements are understood. It sounds to me as if someone on the federal side didn't do their job in working with and informing the IT Security Officer about what this project was all about. Very interesting and I hope it never happens to me.
BryanSD
Steven Peck wrote:
Which government security review/standard?
There are dozens if not hundreds of competing standards/programs and levels of auditing and determination depending on which department you are dealing with. For example just one program was formerly known as DITSCAP and is now DIACAP.
Many of these have more to do with procedures and policies then code.
Steven
On Tue, Sep 30, 2008 at 8:40 AM, Jon Saints <saintsjd@gmail.com> wrote:
The names of Citizens are collected on the website along with some personal contact information. We were told that our application required the Medium level security certification.
For collecting more sensitive information, certification becomes nearly impossible.
Thanks Jon
On Tue, Sep 30, 2008 at 9:35 AM, Gerhard Killesreiter <gerhard@killesreiter.de> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Jon Saints schrieb:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Just out of interest: What kind of information are we talking about? Tax numbers, bank accounts?
[...]
I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal
Seems like a showcase site only.
Cheers, Gerhard -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFI4kdWfg6TFvELooQRArp1AKCdXFYZDMztJ7wrhhiOJOFG4q3/lACfbsXK BX1vLaioeWG348yH/V/ufKs= =yFhK -----END PGP SIGNATURE-----
Every government department for which I worked also used Windows how many security holes in that have been fixed in just this year, let alone the last several? So much for proprietary products being secure Many of the projects on which I worked also used open source products including for a large department that is involved every time you travel by air. On that same project, I was responsible for QA but it was not my only job. The agency had 18 people on their QA staff (don't ask me why) and every one of those people felt that they HAD to find something to write up. After a half dozen iterations, the company I worked for (a very large services organization) had to tell their management to stop that nonsense. The agency's management can get around virtually any policy if they want. However, I never found an agency that cared about the taxpayer's money even though they are also taxpayers. I would encourage you to visit with NIST. My guess is that there is a simple misunderstanding, quite possibly arising from not having to pay for open source products (they can, however, make a donation if they really want to spend money). Nancy E. Wichmann, PMP Internal Virus Database is out of date. Checked by AVG - http://www.avg.com Version: 8.0.169 / Virus Database: 270.7.0/1685 - Release Date: 9/22/2008 4:08 PM
I think the agency in question just didn't get the memo. The U.S. Government, including the Department of Defense, is using open source software in a big way. See the following links: * http://www.gcn.com/blogs/tech/47100.html -- Quote from the above link: ''It's worth noting, though, that the House Armed Forces Committee addresses the matter. "The committee acknowledges the availability of proprietary software and encourages its development and acquisition as necessary and appropriate. The committee believes, however, the widespread implementation of an OSS standard will not only lead to more secure software, but will also foster broader competition by minimizing traditional constraints imposed by an overreliance on proprietary software systems," it stated.'' * http://www.terrybollinger.com/dodfoss/dodfoss_html/index.html -- A 2003 report by Terry Bollinger of The Mitre Corp. on the use of FOSS in the U.S. Dept. of Defense. The Dept. of Defense is likely the single largest spender in the Drupal market; it's just behind the scenes. According to the same database referred to above, Windows had 694 security holes in the last 3 years -- considerably more than Drupal over the same period. On Tue, Sep 30, 2008 at 1:14 PM, Nancy Wichmann <nan_wich@bellsouth.net>wrote:
Every government department for which I worked also used Windows – how many security holes in that have been fixed in just this year, let alone the last several? So much for proprietary products being secure…
Chris Johnson wrote:
The Dept. of Defense is likely the single largest spender in the Drupal market;
Just think if the DOD contributed 1% of 1% of its budget to OSS, the market would be booming with products. Nancy E. Wichmann, PMP Internal Virus Database is out of date. Checked by AVG - http://www.avg.com Version: 8.0.169 / Virus Database: 270.7.0/1685 - Release Date: 9/22/2008 4:08 PM
Consider that one big difference between proprietary and open source is lobbying and existing contract relationships. Chris DiBona I believe spoke about how a defense contractor tried to get OSS banned from military systems, but after an internal audit of such systems revealed that a huge % of such systems (30%? More? I confess I don't recall) depended upon OSS, the DOD rejected the proposal. There is more to this than simple perceptions about FOSS. Laura On Sep 30, 2008, at 9:14 AM, Jon Saints wrote:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Because our project had been approved by higher ups within the department, we were paid for our work up to that point and asked to stop. Now, its up to the tax payers to foot a much larger bill for other developers to implement a proprietary and more "secure" (or secretive) solution.
The "transparency" of the Drupal project was one of the government's big objections. In their eyes, disclosing and fixing securit holes in a timely manner, is not the same thing as security. They pointed out the 100+ security disclosures since drupal 4.0 as a reason that the system could not be used. We noted that all these disclosures where quickly addressed, but that did not seem to matter.
I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal
The standards we would need to meet with drupal are: http://csrc.nist.gov/groups/SMA/fisma/index.html
My questions are the following: - Have any other developers run into this cerfication problem before? - Is anyone in the drupal community currently working to get Drupal certified for use in US Government projects? - Does anyone know exactly what cerfication would require from a development standpoint?
If there is interest in investigating this type of certification further, let me know. NIST, the department that certifies software, is just down the road from me. I could go investigate further.
Thanks Jon
Indeed. In the article I provided the first link to, there is also this quote: "Not everyone has been pleased with how the bill calls out open-source software by name, though. Analysts at the Business Software Alliance met with members of the committee to voice their concern that the bill unfavorably offers open-source software products an unfair competitive advantage over other commercial software, according to a BSA spokesperson who declined to be named." I think we all know who the BSA is, and who they represent. Clearly the proprietary software vendors are upset and lobbying against FOSS. On Tue, Sep 30, 2008 at 3:55 PM, Laura Scott <pinglaura@gmail.com> wrote:
Consider that one big difference between proprietary and open source is lobbying and existing contract relationships. Chris DiBona I believe spoke about how a defense contractor tried to get OSS banned from military systems, but after an internal audit of such systems revealed that a huge % of such systems (30%? More? I confess I don't recall) depended upon OSS, the DOD rejected the proposal. There is more to this than simple perceptions about FOSS.
Laura
On Sep 30, 2008, at 9:14 AM, Jon Saints wrote:
On a recent project for the US government, half way through the development process, our work was stopped by a government security review which said that Drupal (and open source software in general) is not suitable for use in government projects that house personal information due to security concerns.
Because our project had been approved by higher ups within the department, we were paid for our work up to that point and asked to stop. Now, its up to the tax payers to foot a much larger bill for other developers to implement a proprietary and more "secure" (or secretive) solution.
The "transparency" of the Drupal project was one of the government's big objections. In their eyes, disclosing and fixing securit holes in a timely manner, is not the same thing as security. They pointed out the 100+ security disclosures since drupal 4.0 as a reason that the system could not be used. We noted that all these disclosures where quickly addressed, but that did not seem to matter.
I notice other governments around the world are using Drupal with great success and savings to citizens: http://buytaert.net/new-zealand-government-using-drupal
The standards we would need to meet with drupal are: http://csrc.nist.gov/groups/SMA/fisma/index.html
My questions are the following: - Have any other developers run into this cerfication problem before? - Is anyone in the drupal community currently working to get Drupal certified for use in US Government projects? - Does anyone know exactly what cerfication would require from a development standpoint?
If there is interest in investigating this type of certification further, let me know. NIST, the department that certifies software, is just down the road from me. I could go investigate further.
Thanks Jon
participants (23)
-
Bryan Ruby -
Chris Johnson -
Chuck D'Antonio -
Damien Tournoud -
Dan Robinson -
Daniel F. Kudwien -
Derek Wright -
Drupal Developer -
Eric Goldhagen -
Gerhard Killesreiter -
Jon Saints -
Khalid Baheyeldin -
Laura Scott -
matt@mattfarina.com -
Michael Favia -
Michael Prasuhn -
Mikkel Høgh -
Nancy Wichmann -
Nathaniel Catchpole -
Patrick Teglia -
Steven Peck -
Victor Kane -
Web Developer