[development] Certify Drupal for use in Government (US) Projects

Eric Goldhagen eric at openflows.com
Wed Oct 1 14:21:38 UTC 2008


I think that the process currently in place has proven itself over time to
be reliable and accountable to the community.

There are very few restrictions in place that would prevent a member of
the Drupal community from joining the security team, but I am glad that
there is a vetting process that ensures that the skills and motivation of
the security team members are in line with the goals of that team and the
community at large.

The security review and resolution process at Drupal is one of the things
that has allowed my company to use Drupal as a part of systems that handle
ePHI (electronic protected health information) which have been
successfully audited as HIPAA (Health Insurance Portability and
Accountability Act) compliant.

--Eric

On Wed, October 1, 2008 10:08 am, Web Developer wrote:
> Is everybody here so quick to see another person's logic flaw, where in
> fact you just have to think a little further?
>
> I did not suggest that you have to give such a detailed description that
> it will expose the exploit right away.
> But I'm sure in most cases an experienced developer/tester can come up with
> an explanatory description without exposing too much.
> I agree that some problems could be so obvious that any explanation will
> expose exploit info. Okay, but it is only one case.
> There are many problems that are not so obvious.
>
> Alex
>
>
> Patrick Teglia wrote:
>> it does not mean that exploit information has to be exposed. But a detailed
>> description of the problem can help on its own even before a solution
>> comes out.
>> I am sorry, but even a guy with a Security+ certification (in other words,
>> me :) ) can see the flawed logic in this statement.  A detailed description
>> of the problem is a description of the vulnerability that attackers would
>> EXACTLY be looking for.
>> Patrick Teglia
>> On Wed, Oct 1, 2008 at 7:19 AM, Web Developer <lapurd at gmail.com> wrote:
>>> it does not mean that exploit information has to be exposed. But a detailed
>>> description of the problem can help on its own even before a solution comes
>>> out.
>




