John Locke's blog
A couple weeks ago NPR's Planet Money and This American Life had some really great episodes about the broken patent system. These are great stories for people who don't understand why patents are a problem, but they overlooked a couple of crucial points.
Before doing any changes to your web site, the first thing to figure out are your goals. As a web development shop, we focus on building web sites that create measurable value for our customers, aligned with their goals.
Some common goals:
- Help me close more sales from people who I send to my web site (brochure/information)
- Bring me new customers (online marketing, SEO)
- Help me manage sales leads (CRM)
- Increase sales (e-commerce)
How you should revamp your site completely depends upon which of those goals (or whatever other goals you may have) are most important for your business at the current time.
Yesterday Drupal.org got hacked, and potentially all the password hashes on the site fell into malicious hands. According to the security team's announcement, the attack was not a result of a Drupal vulnerability, but of other, as yet undisclosed, software on the server.
Drupal has long had one of the best security track records among open source CMSs. The security team does a great job of tracking down even the smallest exploits, often removing modules that maintainers choose not to fix. The vast majority of fixes and security updates we see are protecting against "privilege escalation" -- vulnerabilities that can only be exploited by users who already have some level of administrative access.
For example, there was a webform update yesterday to close a hole that allowed somebody who already had permission to create or edit a webform, to gain full administrative access. We use webforms on a huge number of sites, but we have never set up a configuration where we give an untrusted user the power to create or edit webforms. And yet on a large, community driven site, you might want to give some people the ability to create a survey without further access. This kind of strict, detailed review leads to a project that has a high level of security baked in. It's very rare that we see the more dangerous kinds of exploits -- SQL Injection, Cross-site scripting (XSS), or Remote Code Execution.
This incident highlights that there is more to security than just the software. In this case, something else in the hosting environment provided a weakness that allowed an attacker to break in. What was it? They haven't said, so far, but we can speculate on some possibilities:
Hey, that's not what I was thinking!
That's a very common complaint customers have with developers, when they receive the result of weeks or months of hard work. And it indicates a failure of planning.
I was talking with a new client the other day who spends a lot of money on Search Engine Optimization (SEO) and Search Engine Marketing (SEM) to try to get people to visit his online store. And yet his blog -- what search engines value most -- was on wordpress.com.
While Drupal is our primary focus here at Freelock, we've been experimenting with Ajax and rich client applications for a lot longer. The first time I used Ajax to populate a table of data was back in the days of Internet Explorer 5.5, circa 2001.
At Freelock, we've been adopting a pattern for git branch management called Git Flow. If you haven't run across git flow before, go check out this article to get the basic concepts: A successful Git branching model.
What a pleasure to work with Freelock in launching our family website for the West Seattle community. John and Jill were vital to our success. We quickly saw that Drupal could handle our scope of requirements and thrilled to find that many of our wish list features were doable with such a capable staff. Communication and support are out of this world impressive with the Freelock team and set the standard for the industry. On time and in budget. Freelock is the clear choice.