A question came across the Drupal Developer's list today asking whether Drupal could auto-update itself, like WordPress. As someone who thinks about security a lot, the very thought of this horrifies me.
It's a bad idea for several reasons, but the biggest reason:
That's the essence of a question I got today. And it's not one that can be answered easily, because there's no such thing as a site being "secure." It's not an either/or question, it's really a "how much" type of question. How hot is it today?
Not 2 weeks after my newsletter calling out how people take for granted that nothing bad will happen to their web sites, two of the biggest providers went down yesterday, Amazon and Akamai, in several separate incide
All the planning and preparation in the world won't prevent an incident, but it can greatly reduce the consequences.
Nothing better prepares you for responding to disaster than experience. In the world of web applications, sometimes we act as firefighters, coming in to rescue the smoldering remains of a hacked site, a crashed server, or an unexpected traffic burst.
No matter how diligent you are at preventing vulnerabilities and securing your environment, it's impossible to be completely secure on the Internet. What you can do is plan for how to limit the damage that people can do when they manage to compromise some part of your system. This line of thinking is called "Defense in depth" -- you can't just apply security updates and call it good.
It amazes me that still in 2011, the standard way web designers upload code to a server is FTP ("File transfer protocol"), a protocol that is completely insecure, easy to snoop, slow, hard to use, and often problematic through firewalls. There are many better ways.
How would losing your web site affect your business?
That might seem like a silly question, but a surprising number of small organizations don't think it can happen to them. Think again -- web sites get lost all the time, through a variety of means. The server hosting your site might have a hardware failure. Your site might get hacked. Your web developer might accidentally delete something critical. Your host might go out of business, leaving you stranded. If you're in the tech world, you hear about these incidents all the time.
Just the other day I got a request for proposal for hosting, complete with a statement that they knew of some hosting that would cost $15/month. The implication being that they were looking for a hosting proposal that would not exceed that amount.
The Register is running a story today about a botnet--a network of compromised computers--that is under the control of hackers. Is your computer one of the bots? For a surprising number of people, the answer could be yes.
