FAQ

[Drupal] [development] Certify Drupal for use in Government (US) Projects

Jon Saints
Sep 30, 2008 at 3:14 pm
On a recent project for the US government, half way through the development
process, our work was stopped by a government security review which said
that Drupal (and open source software in general) is not suitable for use in
government projects that house personal information due to security
concerns.

Because our project had been approved by higher ups within the department,
we were paid for our work up to that point and asked to stop. Now, its up
to the tax payers to foot a much larger bill for other developers to
implement a proprietary and more "secure" (or secretive) solution.

The "transparency" of the Drupal project was one of the government's big
objections. In their eyes, disclosing and fixing securit holes in a timely
manner, is not the same thing as security. They pointed out the 100+
security disclosures since drupal 4.0 as a reason that the system could not
be used. We noted that all these disclosures where quickly addressed, but
that did not seem to matter.

I notice other governments around the world are using Drupal with great
success and savings to citizens:
http://buytaert.net/new-zealand-government-using-drupal

The standards we would need to meet with drupal are:
http://csrc.nist.gov/groups/SMA/fisma/index.html

My questions are the following:
- Have any other developers run into this cerfication problem before?
- Is anyone in the drupal community currently working to get Drupal
certified for use in US Government projects?
- Does anyone know exactly what cerfication would require from a
development standpoint?

If there is interest in investigating this type of certification further,
let me know. NIST, the department that certifies software, is just down the
road from me. I could go investigate further.

Thanks
Jon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/development/attachments/20080930/c1d312bc/attachment-0001.htm
reply

Search Discussions

42 responses

  • Matt at Sep 30, 2008 at 3:24 pm
    Jon,

    Thanks for your interest in this. I'm interested in this as well.

    Some of their concerns seem to be over some misconceptions that might
    help to be cleared up.

    Someone correct me if I'm wrong but drupal 4.0 was 10 major releases
    ago. 100 + advisories over 10 major releases isn't as many as the 3
    which the numbering might look like. Before drupal 5 the major
    releases were point releases and not full number releases. On top of
    that, the security advisories cover contributed modules and have
    included other libraries used by drupal modules, such as getID3.

    The security team handles things in a tight way. When something is
    reported it's not opened up to the world. If the issue is valid it's
    handled behind closed doors until a fix and advisory is sent out.
    Those advisories come out on Wednesdays so they can immediately be
    acted on.

    I would be very curious as to what it would take to certification as
    well as their concerns.

    Matt

    Quoting Jon Saints <saintsjd at gmail.com>:
    On a recent project for the US government, half way through the development
    process, our work was stopped by a government security review which said
    that Drupal (and open source software in general) is not suitable for use in
    government projects that house personal information due to security
    concerns.

    Because our project had been approved by higher ups within the department,
    we were paid for our work up to that point and asked to stop. Now, its up
    to the tax payers to foot a much larger bill for other developers to
    implement a proprietary and more "secure" (or secretive) solution.

    The "transparency" of the Drupal project was one of the government's big
    objections. In their eyes, disclosing and fixing securit holes in a timely
    manner, is not the same thing as security. They pointed out the 100+
    security disclosures since drupal 4.0 as a reason that the system could not
    be used. We noted that all these disclosures where quickly addressed, but
    that did not seem to matter.

    I notice other governments around the world are using Drupal with great
    success and savings to citizens:
    http://buytaert.net/new-zealand-government-using-drupal

    The standards we would need to meet with drupal are:
    http://csrc.nist.gov/groups/SMA/fisma/index.html

    My questions are the following:
    - Have any other developers run into this cerfication problem before?
    - Is anyone in the drupal community currently working to get Drupal
    certified for use in US Government projects?
    - Does anyone know exactly what cerfication would require from a
    development standpoint?

    If there is interest in investigating this type of certification further,
    let me know. NIST, the department that certifies software, is just down the
    road from me. I could go investigate further.

    Thanks
    Jon
  • Jon Saints at Sep 30, 2008 at 3:30 pm
    I agree with your assessment of the misconceptions:

    If you search their database you will see that most of vulnerabilities they
    are pointing to are for contributed modules. That said, this is the
    explanation we received. There seems to be no room to argue in this case
    due to deadlines for the project.

    The Database:
    http://nvd.nist.gov/

    For future projects we could definitely argue to have these misconceptions
    clarified in the governments eyes.

    Thanks
    Jon

    On Tue, Sep 30, 2008 at 9:24 AM, wrote:

    Jon,

    Thanks for your interest in this. I'm interested in this as well.

    Some of their concerns seem to be over some misconceptions that might help
    to be cleared up.

    Someone correct me if I'm wrong but drupal 4.0 was 10 major releases ago.
    100 + advisories over 10 major releases isn't as many as the 3 which the
    numbering might look like. Before drupal 5 the major releases were point
    releases and not full number releases. On top of that, the security
    advisories cover contributed modules and have included other libraries used
    by drupal modules, such as getID3.

    The security team handles things in a tight way. When something is reported
    it's not opened up to the world. If the issue is valid it's handled behind
    closed doors until a fix and advisory is sent out. Those advisories come out
    on Wednesdays so they can immediately be acted on.

    I would be very curious as to what it would take to certification as well
    as their concerns.

    Matt


    Quoting Jon Saints <saintsjd at gmail.com>:

    On a recent project for the US government, half way through the
    development
    process, our work was stopped by a government security review which said
    that Drupal (and open source software in general) is not suitable for use
    in
    government projects that house personal information due to security
    concerns.

    Because our project had been approved by higher ups within the department,
    we were paid for our work up to that point and asked to stop. Now, its up
    to the tax payers to foot a much larger bill for other developers to
    implement a proprietary and more "secure" (or secretive) solution.

    The "transparency" of the Drupal project was one of the government's big
    objections. In their eyes, disclosing and fixing securit holes in a
    timely
    manner, is not the same thing as security. They pointed out the 100+
    security disclosures since drupal 4.0 as a reason that the system could
    not
    be used. We noted that all these disclosures where quickly addressed, but
    that did not seem to matter.

    I notice other governments around the world are using Drupal with great
    success and savings to citizens:
    http://buytaert.net/new-zealand-government-using-drupal

    The standards we would need to meet with drupal are:
    http://csrc.nist.gov/groups/SMA/fisma/index.html

    My questions are the following:
    - Have any other developers run into this cerfication problem before?
    - Is anyone in the drupal community currently working to get Drupal
    certified for use in US Government projects?
    - Does anyone know exactly what cerfication would require from a
    development standpoint?

    If there is interest in investigating this type of certification further,
    let me know. NIST, the department that certifies software, is just down
    the
    road from me. I could go investigate further.

    Thanks
    Jon
    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20080930/f32b56ae/attachment-0001.htm
  • Drupal Developer at Oct 1, 2008 at 7:40 am
    Wow, I would like everybody to notice something right here.

    In the message I reply to, Matt Farina said:

    "The security team handles things in a tight way. When something is
    reported it's not opened up to the world. If the issue is valid it's
    handled behind closed doors until a fix and advisory is sent out." /end
    of citation/

    I thought that Drupal is an open community of open source developers
    working under GPL license.
    Does it mean that ALL issues have to be openly reported to all community
    for everybody to review?
    Don't you all think that handling security issues behind closed doors
    until a fix and advisory will be sent out is sound more like corporate
    way of thinking on a way to develop something proprietary?

    I'm very concern about that and invite everybody to collaborate on this one.

    Does Matt represent a real situation at this matter in Drupal
    development community?
    If not, then I'm sure that many people would like to know exactly what
    the process is for handling security issues from the moment they have
    been reported?

    Thanks in advance,
    Alex


    matt at mattfarina.com wrote:
    Jon,

    Thanks for your interest in this. I'm interested in this as well.

    Some of their concerns seem to be over some misconceptions that might
    help to be cleared up.

    Someone correct me if I'm wrong but drupal 4.0 was 10 major releases
    ago. 100 + advisories over 10 major releases isn't as many as the 3
    which the numbering might look like. Before drupal 5 the major
    releases were point releases and not full number releases. On top of
    that, the security advisories cover contributed modules and have
    included other libraries used by drupal modules, such as getID3.

    The security team handles things in a tight way. When something is
    reported it's not opened up to the world. If the issue is valid it's
    handled behind closed doors until a fix and advisory is sent out.
    Those advisories come out on Wednesdays so they can immediately be
    acted on.

    I would be very curious as to what it would take to certification as
    well as their concerns.

    Matt

    Quoting Jon Saints <saintsjd at gmail.com>:
    On a recent project for the US government, half way through the
    development
    process, our work was stopped by a government security review which said
    that Drupal (and open source software in general) is not suitable for
    use in
    government projects that house personal information due to security
    concerns.

    Because our project had been approved by higher ups within the
    department,
    we were paid for our work up to that point and asked to stop. Now,
    its up
    to the tax payers to foot a much larger bill for other developers to
    implement a proprietary and more "secure" (or secretive) solution.

    The "transparency" of the Drupal project was one of the government's big
    objections. In their eyes, disclosing and fixing securit holes in a
    timely
    manner, is not the same thing as security. They pointed out the 100+
    security disclosures since drupal 4.0 as a reason that the system
    could not
    be used. We noted that all these disclosures where quickly
    addressed, but
    that did not seem to matter.

    I notice other governments around the world are using Drupal with great
    success and savings to citizens:
    http://buytaert.net/new-zealand-government-using-drupal

    The standards we would need to meet with drupal are:
    http://csrc.nist.gov/groups/SMA/fisma/index.html

    My questions are the following:
    - Have any other developers run into this cerfication problem before?
    - Is anyone in the drupal community currently working to get Drupal
    certified for use in US Government projects?
    - Does anyone know exactly what cerfication would require from a
    development standpoint?

    If there is interest in investigating this type of certification
    further,
    let me know. NIST, the department that certifies software, is just
    down the
    road from me. I could go investigate further.

    Thanks
    Jon
  • Victor Kane at Oct 1, 2008 at 7:59 am

    On Wed, Oct 1, 2008 at 12:40 AM, Drupal Developer wrote:
    Wow, I would like everybody to notice something right here.

    In the message I reply to, Matt Farina said:

    "The security team handles things in a tight way. When something is reported
    it's not opened up to the world. If the issue is valid it's handled behind
    closed doors until a fix and advisory is sent out." /end of citation/

    I thought that Drupal is an open community of open source developers working
    under GPL license.
    Does it mean that ALL issues have to be openly reported to all community for
    everybody to review?
    Don't you all think that handling security issues behind closed doors until
    a fix and advisory will be sent out is sound more like corporate way of
    thinking on a way to develop something proprietary?
    It's a GPL license, that's why I am sure the security team is open to
    anyone who is interested in helping out on that very important front.

    But GPL doesn't mean that we have to be stupid as a community, and
    advertise exploits before a fix can be made and people given a chance
    to have a security fix to use.

    Just as the corporate world, as we are finding out all over the world
    these days, certainly has no "monopoly over intelligence", or over
    doing what's best for all, open source communities can be smart too.

    There's nothing proprietary about that. Quite the opposite, in fact:
    defending ourselves against conspiracies to wreak havoc certainly has
    to be the right of open source communities,

    Victor Kane
    http://awebfactory.com.ar
    I'm very concern about that and invite everybody to collaborate on this one.

    Does Matt represent a real situation at this matter in Drupal development
    community?
    If not, then I'm sure that many people would like to know exactly what the
    process is for handling security issues from the moment they have been
    reported?

    Thanks in advance,
    Alex


    matt at mattfarina.com wrote:
    Jon,

    Thanks for your interest in this. I'm interested in this as well.

    Some of their concerns seem to be over some misconceptions that might help
    to be cleared up.

    Someone correct me if I'm wrong but drupal 4.0 was 10 major releases ago.
    100 + advisories over 10 major releases isn't as many as the 3 which the
    numbering might look like. Before drupal 5 the major releases were point
    releases and not full number releases. On top of that, the security
    advisories cover contributed modules and have included other libraries used
    by drupal modules, such as getID3.

    The security team handles things in a tight way. When something is
    reported it's not opened up to the world. If the issue is valid it's handled
    behind closed doors until a fix and advisory is sent out. Those advisories
    come out on Wednesdays so they can immediately be acted on.

    I would be very curious as to what it would take to certification as well
    as their concerns.

    Matt

    Quoting Jon Saints <saintsjd at gmail.com>:
    On a recent project for the US government, half way through the
    development
    process, our work was stopped by a government security review which said
    that Drupal (and open source software in general) is not suitable for use
    in
    government projects that house personal information due to security
    concerns.

    Because our project had been approved by higher ups within the
    department,
    we were paid for our work up to that point and asked to stop. Now, its
    up
    to the tax payers to foot a much larger bill for other developers to
    implement a proprietary and more "secure" (or secretive) solution.

    The "transparency" of the Drupal project was one of the government's big
    objections. In their eyes, disclosing and fixing securit holes in a
    timely
    manner, is not the same thing as security. They pointed out the 100+
    security disclosures since drupal 4.0 as a reason that the system could
    not
    be used. We noted that all these disclosures where quickly addressed,
    but
    that did not seem to matter.

    I notice other governments around the world are using Drupal with great
    success and savings to citizens:
    http://buytaert.net/new-zealand-government-using-drupal

    The standards we would need to meet with drupal are:
    http://csrc.nist.gov/groups/SMA/fisma/index.html

    My questions are the following:
    - Have any other developers run into this cerfication problem before?
    - Is anyone in the drupal community currently working to get Drupal
    certified for use in US Government projects?
    - Does anyone know exactly what cerfication would require from a
    development standpoint?

    If there is interest in investigating this type of certification further,
    let me know. NIST, the department that certifies software, is just down
    the
    road from me. I could go investigate further.

    Thanks
    Jon
  • Drupal Developer at Oct 1, 2008 at 8:19 am
    Don't get me wrong. Nobody talking here about stupidity.
    All what I meant is all developers in the community would like to have
    at least a clue about what security issues are discovered.
    And deal with them on temporary basis on they own sites until final
    solution will be published.
    I'm not talking about detail explanation of what and how reported
    security issue can harm Drupal site. But may be some clue in order to
    deal with it.
    Or may be we need some special procedure to subscribe to such information.
    But I'm sure that many of us would like to know what is going on with
    fresh security discoveries.


    Victor Kane wrote:
    On Wed, Oct 1, 2008 at 12:40 AM, Drupal Developer wrote:
    Wow, I would like everybody to notice something right here.

    In the message I reply to, Matt Farina said:

    "The security team handles things in a tight way. When something is reported
    it's not opened up to the world. If the issue is valid it's handled behind
    closed doors until a fix and advisory is sent out." /end of citation/

    I thought that Drupal is an open community of open source developers working
    under GPL license.
    Does it mean that ALL issues have to be openly reported to all community for
    everybody to review?
    Don't you all think that handling security issues behind closed doors until
    a fix and advisory will be sent out is sound more like corporate way of
    thinking on a way to develop something proprietary?
    It's a GPL license, that's why I am sure the security team is open to
    anyone who is interested in helping out on that very important front.

    But GPL doesn't mean that we have to be stupid as a community, and
    advertise exploits before a fix can be made and people given a chance
    to have a security fix to use.

    Just as the corporate world, as we are finding out all over the world
    these days, certainly has no "monopoly over intelligence", or over
    doing what's best for all, open source communities can be smart too.

    There's nothing proprietary about that. Quite the opposite, in fact:
    defending ourselves against conspiracies to wreak havoc certainly has
    to be the right of open source communities,

    Victor Kane
    http://awebfactory.com.ar
    I'm very concern about that and invite everybody to collaborate on this one.

    Does Matt represent a real situation at this matter in Drupal development
    community?
    If not, then I'm sure that many people would like to know exactly what the
    process is for handling security issues from the moment they have been
    reported?

    Thanks in advance,
    Alex


    matt at mattfarina.com wrote:
    Jon,

    Thanks for your interest in this. I'm interested in this as well.

    Some of their concerns seem to be over some misconceptions that might help
    to be cleared up.

    Someone correct me if I'm wrong but drupal 4.0 was 10 major releases ago.
    100 + advisories over 10 major releases isn't as many as the 3 which the
    numbering might look like. Before drupal 5 the major releases were point
    releases and not full number releases. On top of that, the security
    advisories cover contributed modules and have included other libraries used
    by drupal modules, such as getID3.

    The security team handles things in a tight way. When something is
    reported it's not opened up to the world. If the issue is valid it's handled
    behind closed doors until a fix and advisory is sent out. Those advisories
    come out on Wednesdays so they can immediately be acted on.

    I would be very curious as to what it would take to certification as well
    as their concerns.

    Matt

    Quoting Jon Saints <saintsjd at gmail.com>:
    On a recent project for the US government, half way through the
    development
    process, our work was stopped by a government security review which said
    that Drupal (and open source software in general) is not suitable for use
    in
    government projects that house personal information due to security
    concerns.

    Because our project had been approved by higher ups within the
    department,
    we were paid for our work up to that point and asked to stop. Now, its
    up
    to the tax payers to foot a much larger bill for other developers to
    implement a proprietary and more "secure" (or secretive) solution.

    The "transparency" of the Drupal project was one of the government's big
    objections. In their eyes, disclosing and fixing securit holes in a
    timely
    manner, is not the same thing as security. They pointed out the 100+
    security disclosures since drupal 4.0 as a reason that the system could
    not
    be used. We noted that all these disclosures where quickly addressed,
    but
    that did not seem to matter.

    I notice other governments around the world are using Drupal with great
    success and savings to citizens:
    http://buytaert.net/new-zealand-government-using-drupal

    The standards we would need to meet with drupal are:
    http://csrc.nist.gov/groups/SMA/fisma/index.html

    My questions are the following:
    - Have any other developers run into this cerfication problem before?
    - Is anyone in the drupal community currently working to get Drupal
    certified for use in US Government projects?
    - Does anyone know exactly what cerfication would require from a
    development standpoint?

    If there is interest in investigating this type of certification further,
    let me know. NIST, the department that certifies software, is just down
    the
    road from me. I could go investigate further.

    Thanks
    Jon
    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20081001/0ca71db9/attachment-0001.htm
  • Nathaniel Catchpole at Oct 1, 2008 at 8:44 am

    I'm not talking about detail explanation of what and how reported security
    issue can harm Drupal site. But may be some clue in order to deal with it.
    Our public SAs don't give details of how to exploit vulnerabilities, while
    of course the commit logs are there (but it's not always obvious from them
    either) - this is by design so that we're not simply giving out instructions
    to people on how to hack sites which don't upgrade in a timely fashion (of
    which there are many). However, to fix an issue, you need to know how to
    exploit it, so I'm not really sure what you're asking for here.

    If a contributed module is extremly insecure and there's not an immediate
    fix for it, we unpublish the module until an SA can be released for it (and
    you'll be informed that the module has been 'revoked' by update status).

    Or may be we need some special procedure to subscribe to such information.
    You can get SAs as soon as they're published via e-mail or RSS from
    http://drupal.org/security.

    But I'm sure that many of us would like to know what is going on with fresh
    security discoveries.
    Those who want to help fix new discoveries can offer to join the security
    team, I don't think 'would like to know what's going on' is sufficient
    though.

    Nat



    Victor Kane wrote:

    On Wed, Oct 1, 2008 at 12:40 AM, Drupal Developer <lapurd at gmail.com> wrote:

    Wow, I would like everybody to notice something right here.

    In the message I reply to, Matt Farina said:

    "The security team handles things in a tight way. When something is reported
    it's not opened up to the world. If the issue is valid it's handled behind
    closed doors until a fix and advisory is sent out." /end of citation/

    I thought that Drupal is an open community of open source developers working
    under GPL license.
    Does it mean that ALL issues have to be openly reported to all community for
    everybody to review?
    Don't you all think that handling security issues behind closed doors until
    a fix and advisory will be sent out is sound more like corporate way of
    thinking on a way to develop something proprietary?


    It's a GPL license, that's why I am sure the security team is open to
    anyone who is interested in helping out on that very important front.

    But GPL doesn't mean that we have to be stupid as a community, and
    advertise exploits before a fix can be made and people given a chance
    to have a security fix to use.

    Just as the corporate world, as we are finding out all over the world
    these days, certainly has no "monopoly over intelligence", or over
    doing what's best for all, open source communities can be smart too.

    There's nothing proprietary about that. Quite the opposite, in fact:
    defending ourselves against conspiracies to wreak havoc certainly has
    to be the right of open source communities,

    Victor Kanehttp://awebfactory.com.ar

    I'm very concern about that and invite everybody to collaborate on this one.

    Does Matt represent a real situation at this matter in Drupal development
    community?
    If not, then I'm sure that many people would like to know exactly what the
    process is for handling security issues from the moment they have been
    reported?

    Thanks in advance,
    Alex

    matt at mattfarina.com wrote:

    Jon,

    Thanks for your interest in this. I'm interested in this as well.

    Some of their concerns seem to be over some misconceptions that might help
    to be cleared up.

    Someone correct me if I'm wrong but drupal 4.0 was 10 major releases ago.
    100 + advisories over 10 major releases isn't as many as the 3 which the
    numbering might look like. Before drupal 5 the major releases were point
    releases and not full number releases. On top of that, the security
    advisories cover contributed modules and have included other libraries used
    by drupal modules, such as getID3.

    The security team handles things in a tight way. When something is
    reported it's not opened up to the world. If the issue is valid it's handled
    behind closed doors until a fix and advisory is sent out. Those advisories
    come out on Wednesdays so they can immediately be acted on.

    I would be very curious as to what it would take to certification as well
    as their concerns.

    Matt

    Quoting Jon Saints <saintsjd at gmail.com> <saintsjd at gmail.com>:


    On a recent project for the US government, half way through the
    development
    process, our work was stopped by a government security review which said
    that Drupal (and open source software in general) is not suitable for use
    in
    government projects that house personal information due to security
    concerns.

    Because our project had been approved by higher ups within the
    department,
    we were paid for our work up to that point and asked to stop. Now, its
    up
    to the tax payers to foot a much larger bill for other developers to
    implement a proprietary and more "secure" (or secretive) solution.

    The "transparency" of the Drupal project was one of the government's big
    objections. In their eyes, disclosing and fixing securit holes in a
    timely
    manner, is not the same thing as security. They pointed out the 100+
    security disclosures since drupal 4.0 as a reason that the system could
    not
    be used. We noted that all these disclosures where quickly addressed,
    but
    that did not seem to matter.

    I notice other governments around the world are using Drupal with great
    success and savings to citizens:http://buytaert.net/new-zealand-government-using-drupal

    The standards we would need to meet with drupal are:http://csrc.nist.gov/groups/SMA/fisma/index.html

    My questions are the following:
    - Have any other developers run into this cerfication problem before?
    - Is anyone in the drupal community currently working to get Drupal
    certified for use in US Government projects?
    - Does anyone know exactly what cerfication would require from a
    development standpoint?

    If there is interest in investigating this type of certification further,
    let me know. NIST, the department that certifies software, is just down
    the
    road from me. I could go investigate further.

    Thanks
    Jon
    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20081001/904e17d7/attachment.htm
  • Drupal Developer at Oct 1, 2008 at 9:29 am
    Okay, what is procedure then in order to join security forces here?
    If that is the only way to get information necessary to get the picture
    about latest security issues.
    Thanks in advance,
    Alex


    Nathaniel Catchpole wrote:
    I'm not talking about detail explanation of what and how reported security
    issue can harm Drupal site. But may be some clue in order to deal with it.
    Our public SAs don't give details of how to exploit vulnerabilities, while
    of course the commit logs are there (but it's not always obvious from them
    either) - this is by design so that we're not simply giving out instructions
    to people on how to hack sites which don't upgrade in a timely fashion (of
    which there are many). However, to fix an issue, you need to know how to
    exploit it, so I'm not really sure what you're asking for here.

    If a contributed module is extremly insecure and there's not an immediate
    fix for it, we unpublish the module until an SA can be released for it (and
    you'll be informed that the module has been 'revoked' by update status).


    Or may be we need some special procedure to subscribe to such information.
    You can get SAs as soon as they're published via e-mail or RSS from
    http://drupal.org/security.


    But I'm sure that many of us would like to know what is going on with fresh
    security discoveries.
    Those who want to help fix new discoveries can offer to join the security
    team, I don't think 'would like to know what's going on' is sufficient
    though.

    Nat


    Victor Kane wrote:

    On Wed, Oct 1, 2008 at 12:40 AM, Drupal Developer <lapurd at gmail.com> wrote:

    Wow, I would like everybody to notice something right here.

    In the message I reply to, Matt Farina said:

    "The security team handles things in a tight way. When something is reported
    it's not opened up to the world. If the issue is valid it's handled behind
    closed doors until a fix and advisory is sent out." /end of citation/

    I thought that Drupal is an open community of open source developers working
    under GPL license.
    Does it mean that ALL issues have to be openly reported to all community for
    everybody to review?
    Don't you all think that handling security issues behind closed doors until
    a fix and advisory will be sent out is sound more like corporate way of
    thinking on a way to develop something proprietary?


    It's a GPL license, that's why I am sure the security team is open to
    anyone who is interested in helping out on that very important front.

    But GPL doesn't mean that we have to be stupid as a community, and
    advertise exploits before a fix can be made and people given a chance
    to have a security fix to use.

    Just as the corporate world, as we are finding out all over the world
    these days, certainly has no "monopoly over intelligence", or over
    doing what's best for all, open source communities can be smart too.

    There's nothing proprietary about that. Quite the opposite, in fact:
    defending ourselves against conspiracies to wreak havoc certainly has
    to be the right of open source communities,

    Victor Kanehttp://awebfactory.com.ar

    I'm very concern about that and invite everybody to collaborate on this one.

    Does Matt represent a real situation at this matter in Drupal development
    community?
    If not, then I'm sure that many people would like to know exactly what the
    process is for handling security issues from the moment they have been
    reported?

    Thanks in advance,
    Alex

    matt at mattfarina.com wrote:

    Jon,

    Thanks for your interest in this. I'm interested in this as well.

    Some of their concerns seem to be over some misconceptions that might help
    to be cleared up.

    Someone correct me if I'm wrong but drupal 4.0 was 10 major releases ago.
    100 + advisories over 10 major releases isn't as many as the 3 which the
    numbering might look like. Before drupal 5 the major releases were point
    releases and not full number releases. On top of that, the security
    advisories cover contributed modules and have included other libraries used
    by drupal modules, such as getID3.

    The security team handles things in a tight way. When something is
    reported it's not opened up to the world. If the issue is valid it's handled
    behind closed doors until a fix and advisory is sent out. Those advisories
    come out on Wednesdays so they can immediately be acted on.

    I would be very curious as to what it would take to certification as well
    as their concerns.

    Matt

    Quoting Jon Saints <saintsjd at gmail.com> <saintsjd at gmail.com>:


    On a recent project for the US government, half way through the
    development
    process, our work was stopped by a government security review which said
    that Drupal (and open source software in general) is not suitable for use
    in
    government projects that house personal information due to security
    concerns.

    Because our project had been approved by higher ups within the
    department,
    we were paid for our work up to that point and asked to stop. Now, its
    up
    to the tax payers to foot a much larger bill for other developers to
    implement a proprietary and more "secure" (or secretive) solution.

    The "transparency" of the Drupal project was one of the government's big
    objections. In their eyes, disclosing and fixing securit holes in a
    timely
    manner, is not the same thing as security. They pointed out the 100+
    security disclosures since drupal 4.0 as a reason that the system could
    not
    be used. We noted that all these disclosures where quickly addressed,
    but
    that did not seem to matter.

    I notice other governments around the world are using Drupal with great
    success and savings to citizens:http://buytaert.net/new-zealand-government-using-drupal

    The standards we would need to meet with drupal are:http://csrc.nist.gov/groups/SMA/fisma/index.html

    My questions are the following:
    - Have any other developers run into this cerfication problem before?
    - Is anyone in the drupal community currently working to get Drupal
    certified for use in US Government projects?
    - Does anyone know exactly what cerfication would require from a
    development standpoint?

    If there is interest in investigating this type of certification further,
    let me know. NIST, the department that certifies software, is just down
    the
    road from me. I could go investigate further.

    Thanks
    Jon

    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20081001/6a23367a/attachment-0001.htm
  • Gerhard Killesreiter at Oct 1, 2008 at 9:59 am

    Drupal Developer schrieb:
    Okay, what is procedure then in order to join security forces here?
    If that is the only way to get information necessary to get the picture
    about latest security issues.
    Based on your comments I'll veto you joining the team.

    Cheers,
    Gerhard
  • Drupal Developer at Oct 1, 2008 at 10:12 am
    In my view it is just demonstration of corporate nature of your
    thinking. BTW, if somebody in the open community got power to veto
    somebody out from doing something good, then how do you think it is
    reflecting on image of this community as "open" one?
    It is not the way to operate in the open community of developers.
    If I have some different opinion on something like how vulnerabilities
    have to be reported to community before they got fixed, it does not mean
    that I can not help security team to fix it.


    Gerhard Killesreiter wrote:
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Drupal Developer schrieb:
    Okay, what is procedure then in order to join security forces here?
    If that is the only way to get information necessary to get the picture
    about latest security issues.
    Based on your comments I'll veto you joining the team.

    Cheers,
    Gerhard
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    iD8DBQFI40oRfg6TFvELooQRAnI8AJ0Znjj7GuEqtjwVQmFUXp1c4PLqRACeM202
    jt0q7PeW1EdnQgz3qdBIV3s=
    =m+Mo
    -----END PGP SIGNATURE-----
    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20081001/55a7fbdb/attachment.htm
  • Damien Tournoud at Oct 1, 2008 at 10:21 am

    On Wed, Oct 1, 2008 at 12:12 PM, Drupal Developer wrote:

    In my view it is just demonstration of corporate nature of your thinking.
    BTW, if somebody in the open community got power to veto somebody out from
    doing something good, then how do you think it is reflecting on image of
    this community as "open" one?
    It is not the way to operate in the open community of developers.
    If I have some different opinion on something like how vulnerabilities have
    to be reported to community before they got fixed, it does not mean that I
    can not help security team to fix it.
    "Corporate nature" of Gerhard? You are so funny.

    First, let me point out that "Drupal Developer" is not that good a name for
    sending emails to a community mailing list (that, or your mother was really
    angry when she named you). You are not applying to yourself the transparency
    principles that you are promoting.

    Then, our community (and most other opensource communities) values action
    and contribution against anything else. That's why Gerhard speak has a lot
    of value here.

    Damien Tournoud
    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20081001/966ab15e/attachment.htm
  • Gerhard Killesreiter at Oct 1, 2008 at 10:56 am

    Drupal Developer schrieb:

    In my view it is just demonstration of corporate nature of your
    thinking.
    The nature of my thinking is of no concern to you.
    BTW, if somebody in the open community got power to veto somebody
    "veto" was not correctly chosen, "vote against" would be more correct.
    out from doing something good,
    What good would you want to do? To me it seems your main interest
    would be to get to know potential security issues before others.
    then how do you think it is
    reflecting on image of this community as "open" one? It is not the
    I've personally never been a proponent of "everything must be open at
    all cost".
    way to operate in the open community of developers. If I have some
    I am not sure, but I guess every other OS security team operates in
    the same way.
    different opinion on something like how vulnerabilities have to be
    reported to community before they got fixed, it does not mean that I
    can not help security team to fix it.
    If you are actually qualified to work on the security team and your
    motives are others than what I think they are, you are welcome to
    apply at security at drupal.org.

    Cheers,
    Gerhard
  • Derek Wright at Oct 1, 2008 at 10:21 am

    On Oct 1, 2008, at 2:29 AM, Drupal Developer wrote:

    Okay, what is procedure then in order to join security forces here?
    If that is the only way to get information necessary to get the
    picture about latest security issues.
    Nat's email already told you this:

    On Oct 1, 2008, at 1:44 AM, Nathaniel Catchpole wrote:

    Those who want to help fix new discoveries can offer to join the
    security team, I don't think 'would like to know what's going on'
    is sufficient though.


    As a member of the (overworked and understaffed) security team, I can
    tell you right now that we'd reject your application on these
    grounds. And not because we're demonstrating a "corporate" thinking
    process. We're trying to protect the very openness of the developer
    community you're trying to be so concerned with. If you said "I'm
    really interested in security and want to help fix vulnerabilities,
    here are my skills I'm bringing to the table, references that prove
    [sic] I'm not malicious, etc", we'd strongly consider it. But, based
    on the motivation you've already put forward in this thread -- "I
    wanna be the first to know so I can try to protect my sites" -- is
    not going to fly.

    On Oct 1, 2008, at 1:19 AM, Drupal Developer wrote:
    All what I meant is all developers in the community would like to
    have at least a clue about what security issues are discovered.
    http://drupal.org/security
    And deal with them on temporary basis on they own sites until final
    solution will be published.
    I'm not talking about detail explanation of what and how reported
    security issue can harm Drupal site. But may be some clue in order
    to deal with it.
    Again, the only way to give a "clue in order to deal with it" is to
    "give a clue how to exploit it". I'm sure the hackers reading that
    information will be much better suited to act on these clues than the
    average site admins who aren't well versed in security exploits.
    Or may be we need some special procedure to subscribe to such
    information.
    Any "special procedure to subscribe to such information" that scales
    to a group of people larger than the security team can't possibly
    keep the "bad" people out and only let in "good" people. It's
    already a risk we take letting new forces join the security team
    itself. No way could we have any reasonable hope of keeping the
    "initial clue about possible vulnerabilities" list secure. Malicious
    users *will* read that information, and use it to harm Drupal sites.
    But I'm sure that many of us would like to know what is going on
    with fresh security discoveries.

    Indeed, especially hackers. ;) Drupal follows a long established
    policy of "Responsible disclosure"[1] of discovered vulnerabilities.
    Nothing about this contradicts the GPL or the openness of the Drupal
    community in general. In fact, if we did what you suggest, I'm sure
    far fewer people would be using Drupal (rightfully so).

    Cheers,
    -Derek (dww)

    [1] http://www.sans.org/reading_room/whitepapers/threats/932.php
  • Web Developer at Oct 1, 2008 at 10:37 am
    It is just sad that the only thing you see in my notes is intention to
    get this kind of information at soon as possible. But you are denning to
    see that I also can help you.
    Do not you think that it is the one of the natural reason to join any
    kind of security team, and second reason to fix those problem?


    Derek Wright wrote:
    On Oct 1, 2008, at 2:29 AM, Drupal Developer wrote:

    Okay, what is procedure then in order to join security forces here?
    If that is the only way to get information necessary to get the
    picture about latest security issues.
    Nat's email already told you this:

    On Oct 1, 2008, at 1:44 AM, Nathaniel Catchpole wrote:

    Those who want to help fix new discoveries can offer to join the
    security team, I don't think 'would like to know what's going on' is
    sufficient though.


    As a member of the (overworked and understaffed) security team, I can
    tell you right now that we'd reject your application on these
    grounds. And not because we're demonstrating a "corporate" thinking
    process. We're trying to protect the very openness of the developer
    community you're trying to be so concerned with. If you said "I'm
    really interested in security and want to help fix vulnerabilities,
    here are my skills I'm bringing to the table, references that prove
    [sic] I'm not malicious, etc", we'd strongly consider it. But, based
    on the motivation you've already put forward in this thread -- "I
    wanna be the first to know so I can try to protect my sites" -- is not
    going to fly.

    On Oct 1, 2008, at 1:19 AM, Drupal Developer wrote:
    All what I meant is all developers in the community would like to
    have at least a clue about what security issues are discovered.
    http://drupal.org/security
    And deal with them on temporary basis on they own sites until final
    solution will be published.
    I'm not talking about detail explanation of what and how reported
    security issue can harm Drupal site. But may be some clue in order to
    deal with it.
    Again, the only way to give a "clue in order to deal with it" is to
    "give a clue how to exploit it". I'm sure the hackers reading that
    information will be much better suited to act on these clues than the
    average site admins who aren't well versed in security exploits.
    Or may be we need some special procedure to subscribe to such
    information.
    Any "special procedure to subscribe to such information" that scales
    to a group of people larger than the security team can't possibly keep
    the "bad" people out and only let in "good" people. It's already a
    risk we take letting new forces join the security team itself. No way
    could we have any reasonable hope of keeping the "initial clue about
    possible vulnerabilities" list secure. Malicious users *will* read
    that information, and use it to harm Drupal sites.
    But I'm sure that many of us would like to know what is going on with
    fresh security discoveries.

    Indeed, especially hackers. ;) Drupal follows a long established
    policy of "Responsible disclosure"[1] of discovered vulnerabilities.
    Nothing about this contradicts the GPL or the openness of the Drupal
    community in general. In fact, if we did what you suggest, I'm sure
    far fewer people would be using Drupal (rightfully so).

    Cheers,
    -Derek (dww)

    [1] http://www.sans.org/reading_room/whitepapers/threats/932.php

  • Derek Wright at Oct 1, 2008 at 11:00 am

    On Oct 1, 2008, at 3:37 AM, Web Developer wrote:

    It is just sad that the only thing you see in my notes is intention
    to get this kind of information at soon as possible.
    It is just sad that you're not paying attention to what we're
    saying. Another reason you probably wouldn't be a good fit for the
    security team. ;)

    I explicitly wrote:
    If you said "I'm really interested in security and want to help
    fix vulnerabilities, here are my skills I'm bringing to the table,
    references that prove [sic] I'm not malicious, etc", we'd strongly
    consider it.
    You *never* said *anything* like that in this entire thread. All
    you've said can be summarized with these 3 quotes:

    1) "I thought that Drupal is an open community of open source
    developers working under GPL license.
    Does it mean that ALL issues have to be openly reported to all
    community for everybody to review?
    Don't you all think that handling security issues behind closed doors
    until a fix and advisory will be sent out is sound more like
    corporate way of thinking on a way to develop something proprietary?"

    2) "All what I meant is all developers in the community would like to
    have at least a clue about what security issues are discovered. And
    deal with them on temporary basis on they own sites until final
    solution will be published."

    3) "Okay, what is procedure then in order to join security forces
    here? If that is the only way to get information necessary to get the
    picture about latest security issues."

    Many of us have tried to point out the weaknesses in the logic of #1
    and #2, and tried to explain why #3 is not a sufficient reason to
    join the security team. You've just kept coming back saying that the
    security team is closed (true), corporate (false), and that no one is
    reading between the lines of your messages that what you *really*
    mean is "I'd love to help fix vulnerabilities because I'm a security
    expert and I have an established track record of closing exploits
    through careful audits, thorough testing, and responsible
    disclosure." Please.

    I'm glad you raised your concern (we are an open development
    community, and discussing concerns like this is part of that), but
    the overwhelming response has been: "NO, that'd be crazy, we prefer a
    closed security team and responsible disclosure". It's ok to be
    outvoted, just be honest and graceful about it and no one will think
    poorly of you...

    -Derek (dww)
  • Mikkel Høgh at Oct 1, 2008 at 12:42 pm

    On 01/10/2008, at 13.00, Derek Wright wrote:
    I'm glad you raised your concern (we are an open development
    community, and discussing concerns like this is part of that), but
    the overwhelming response has been: "NO, that'd be crazy, we prefer
    a closed security team and responsible disclosure".
    I'd just like to say that Derek is completely and absolutely right
    here. Responsible disclosure is the only way we can reasonably handle
    security vulnerabilities, and were it not for that policy, I would not
    be using Drupal for anything remotely important, because the chance of
    some guy being quicker than me and hitting me with a zero-day exploit
    would be unreasonably high.

    So while you might disagree, I think the great majority of Drupal
    developers are quite happy about this policy, and I don't think it'll
    change in the near future.

    --
    Kind regards,

    Mikkel H?gh <mikkel at hoegh.org>
    -------------- next part --------------
    A non-text attachment was scrubbed...
    Name: smime.p7s
    Type: application/pkcs7-signature
    Size: 1929 bytes
    Desc: not available
    Url : http://lists.drupal.org/pipermail/development/attachments/20081001/36821543/attachment.bin
  • Web Developer at Oct 1, 2008 at 1:49 pm
    If more of Drupal community members will know about newest
    vulnerabilities, then faster these vulnerabilities will be resolved.
    As I have mention in my previous message - it is not necessary to expose
    exploit info.
    Some might say that hacker will then make more damage. Well let me
    inform you - hacker can exploit problems on your server on they own even
    without any problem description.
    You can be your own "hacker" by simply evaluating your web applications
    and web sites with many vulnerabilities assessment and testing tools
    available on a market (many of them is open source).
    The only issue here that I see is security team is not trust to Drupal
    community own members.
    May be some solution is possible here like a member certification
    program. Which can be considered as transitional from "non-trusted"
    (simple Drupal user) to trusted developer who can help in his spare time
    without be under pressure of security team bosses.

    Alex


    Mikkel H?gh wrote:
    On 01/10/2008, at 13.00, Derek Wright wrote:
    I'm glad you raised your concern (we are an open development
    community, and discussing concerns like this is part of that), but
    the overwhelming response has been: "NO, that'd be crazy, we prefer a
    closed security team and responsible disclosure".
    I'd just like to say that Derek is completely and absolutely right
    here. Responsible disclosure is the only way we can reasonably handle
    security vulnerabilities, and were it not for that policy, I would not
    be using Drupal for anything remotely important, because the chance of
    some guy being quicker than me and hitting me with a zero-day exploit
    would be unreasonably high.

    So while you might disagree, I think the great majority of Drupal
    developers are quite happy about this policy, and I don't think it'll
    change in the near future.

    --
    Kind regards,

    Mikkel H?gh <mikkel at hoegh.org>
  • Nathaniel Catchpole at Oct 1, 2008 at 1:55 pm

    On Wed, Oct 1, 2008 at 2:49 PM, Web Developer wrote:

    trusted developer who can help in his spare time

    This describes al members of the security team


    under pressure of security team bosses.

    This doesn't describe any members of the security team.
    Nat
    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20081001/fda83475/attachment-0001.htm
  • Web Developer at Oct 1, 2008 at 1:19 pm
    If you think that oldest BugTraq "full disclosure" listing has a weak
    logic behind, then you are mistaken (http://www.securityfocus.com).
    BugTraq as well expose vulnerabilities that does not have solutions yet.
    All what I have tried to explain that it does not mean that exploit
    information has to be exposed. But detail description of the problem can
    help on its own even before solution come out.
    For me as for open source developer it is kind of natural to associate
    limited disclosure or after solution disclosure with corporations like a
    Microsoft and such but not with open source community.
    Another good reason well explained on
    <http://en.wikipedia.org/wiki/Vulnerability_(computer_science)>:
    "Analysis and risk rating ensure the quality of the disclosed
    information. The analysis must include enough details to allow a
    concerned user of the software to assess his individual risk or take
    immediate action to protect his assets."
    Which is, btw, is very well mentioned in NIST Special Publication 800-51
    "Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability
    Naming Scheme"
    <http://csrc.nist.gov/publications/nistpubs/800-51/sp800-51.pdf>.

    If Drupal security team made a decision to follow another path, its okay.
    But you should not judge another people in this matter so quick.
    Anyway, I have tried to be polite but since I have receive such a
    suspicious in bad intentions and arrogant perception here (at least that
    is what I feel now), I think I will standout for now in my true
    intentions to help and let you enjoy status of "overworked and
    understaffed" security team.

    Alex


    Derek Wright wrote:
    On Oct 1, 2008, at 3:37 AM, Web Developer wrote:

    It is just sad that the only thing you see in my notes is intention
    to get this kind of information at soon as possible.
    It is just sad that you're not paying attention to what we're saying.
    Another reason you probably wouldn't be a good fit for the security
    team. ;)

    I explicitly wrote:
    If you said "I'm really interested in security and want to help fix
    vulnerabilities, here are my skills I'm bringing to the table,
    references that prove [sic] I'm not malicious, etc", we'd strongly
    consider it.
    You *never* said *anything* like that in this entire thread. All
    you've said can be summarized with these 3 quotes:

    1) "I thought that Drupal is an open community of open source
    developers working under GPL license.
    Does it mean that ALL issues have to be openly reported to all
    community for everybody to review?
    Don't you all think that handling security issues behind closed doors
    until a fix and advisory will be sent out is sound more like corporate
    way of thinking on a way to develop something proprietary?"

    2) "All what I meant is all developers in the community would like to
    have at least a clue about what security issues are discovered. And
    deal with them on temporary basis on they own sites until final
    solution will be published."

    3) "Okay, what is procedure then in order to join security forces
    here? If that is the only way to get information necessary to get the
    picture about latest security issues."

    Many of us have tried to point out the weaknesses in the logic of #1
    and #2, and tried to explain why #3 is not a sufficient reason to join
    the security team. You've just kept coming back saying that the
    security team is closed (true), corporate (false), and that no one is
    reading between the lines of your messages that what you *really* mean
    is "I'd love to help fix vulnerabilities because I'm a security expert
    and I have an established track record of closing exploits through
    careful audits, thorough testing, and responsible disclosure." Please.

    I'm glad you raised your concern (we are an open development
    community, and discussing concerns like this is part of that), but the
    overwhelming response has been: "NO, that'd be crazy, we prefer a
    closed security team and responsible disclosure". It's ok to be
    outvoted, just be honest and graceful about it and no one will think
    poorly of you...

    -Derek (dww)

  • Patrick Teglia at Oct 1, 2008 at 1:51 pm
    it does not mean that exploit information has to be exposed. But detail
    description of the problem can help on its own even before solution come
    out.

    I am sorry, but even a guy with a Security+ certification (in other words,
    me :) ) can see the flawed logic in this statement. A detailed description
    of the problem is a description of the vulnerability that attackers would
    EXACTLY be looking for.

    Patrick Teglia

    On Wed, Oct 1, 2008 at 7:19 AM, Web Developer wrote:

    it does not mean that exploit information has to be exposed. But detail
    description of the problem can help on its own even before solution come
    out.
    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20081001/bf3036d9/attachment.htm
  • Web Developer at Oct 1, 2008 at 2:08 pm
    Is it everybody here so quick to see another person logic flaw, where in
    fact you just have to think a little further?

    I did not suggest that you have to give such detail description that
    will expose exploit right away.
    But I'm sure in most cases experienced developer/tester can come up with
    explanatory description without exposing too much.
    I agree that some problem could be so obvious so any explanation will
    expose exploit info. Okay, but it is only one case.
    There are many problems that are not so obvious.

    Alex


    Patrick Teglia wrote:
    it does not mean that exploit information has to be exposed. But detail
    description of the problem can help on its own even before solution come
    out.

    I am sorry, but even a guy with a Security+ certification (in other words,
    me :) ) can see the flawed logic in this statement. A detailed description
    of the problem is a description of the vulnerability that attackers would
    EXACTLY be looking for.

    Patrick Teglia


    On Wed, Oct 1, 2008 at 7:19 AM, Web Developer wrote:

    it does not mean that exploit information has to be exposed. But detail
    description of the problem can help on its own even before solution come
    out.
  • Eric Goldhagen at Oct 1, 2008 at 2:21 pm
    I think that the process currently in place has proven itself over time to
    be reliable and accountable to the community.

    There are very few restrictions in place that would prevent a member of
    the Drupal community from joining the security team, but I am glad that
    there is a vetting process that ensures that the skills and motivation of
    the security team members is in-line with the goals of that team and the
    community-at-large.

    The security review and resolution process at drupal is one of the things
    that has allowed my company to use drupal as a part of systems that handle
    ePHI (electronic protected health information) which have been
    successfully audited as HIPAA (Health Insurance Portability and
    Accountability Act) compliant.

    --Eric
    On Wed, October 1, 2008 10:08 am, Web Developer wrote:
    Is it everybody here so quick to see another person logic flaw, where in
    fact you just have to think a little further?
    I did not suggest that you have to give such detail description that
    will expose exploit right away.
    But I'm sure in most cases experienced developer/tester can come up with
    explanatory description without exposing too much.
    I agree that some problem could be so obvious so any explanation will
    expose exploit info. Okay, but it is only one case.
    There are many problems that are not so obvious.

    Alex


    Patrick Teglia wrote:
    it does not mean that exploit information has to be exposed. But detail
    description of the problem can help on its own even before solution
    come
    out.
    I am sorry, but even a guy with a Security+ certification (in other words,
    me :) ) can see the flawed logic in this statement. A detailed
    description
    of the problem is a description of the vulnerability that attackers would
    EXACTLY be looking for.
    Patrick Teglia
    On Wed, Oct 1, 2008 at 7:19 AM, Web Developer wrote:
    it does not mean that exploit information has to be exposed. But
    detail
    description of the problem can help on its own even before solution come
    out.
  • Daniel F. Kudwien at Oct 1, 2008 at 3:37 pm

    Back to topic:

    The security review and resolution process at drupal is one
    of the things that has allowed my company to use drupal as a
    part of systems that handle ePHI (electronic protected health
    information) which have been successfully audited as HIPAA
    (Health Insurance Portability and Accountability Act) compliant.

    --Eric
    This sounds like a handbook page about certifications, policies, and
    auditions of Drupal is in order? Maybe we can add
    consultants/agencies/shops who managed to achieve or approve them for each
    entry as a reference. That list might also contain revoked attempts, and
    would fit best in the "About Drupal" handbook, of course.

    Cross-posting this to consulting list.

    Daniel
  • Eric Goldhagen at Oct 1, 2008 at 3:52 pm

    On Wed, October 1, 2008 11:37 am, Daniel F. Kudwien wrote:
    Back to topic:
    The security review and resolution process at drupal is one
    of the things that has allowed my company to use drupal as a
    part of systems that handle ePHI (electronic protected health
    information) which have been successfully audited as HIPAA
    (Health Insurance Portability and Accountability Act) compliant. --Eric
    This sounds like a handbook page about certifications, policies, and
    auditions of Drupal is in order? Maybe we can add
    consultants/agencies/shops who managed to achieve or approve them for each
    entry as a reference. That list might also contain revoked attempts, and
    would fit best in the "About Drupal" handbook, of course.

    Cross-posting this to consulting list.

    Daniel
    I'd like to make sure that this discussion happens in one place so it can
    be easier to follow. In the future, it would be nice to be asked before a
    part of my email is send with no context to another list.

    here is what I posted to the consulting list:

    I would be glad to participate a discussion about your idea, but let me
    start by saying that I'm not comfortable with one paragraph of an email
    from me that was part of a lengthy discussion about durpal security issues
    crossposted without any additional context.

    For those not on the development list, you can read the thread at
    http://lists.drupal.org/pipermail/development/2008-October/031097.html to
    put my statement in full context of the larger discussion.

    --Eric
  • Damien Tournoud at Oct 1, 2008 at 2:31 pm

    On Wed, Oct 1, 2008 at 4:08 PM, Web Developer wrote:
    I did not suggest that you have to give such detail description that will expose exploit right away.
    But I'm sure in most cases experienced developer/tester can come up with explanatory description without exposing too much.
    I agree that some problem could be so obvious so any explanation will expose exploit info. Okay, but it is only one case.
    There are many problems that are not so obvious.
    Our security process can be thought as complying with "responsible
    disclosure", as described for example in the RFPolicy [1]. Close
    cooperation between security researchers and vendors (ie. us, the
    Drupal community) in private before the security vulnerability has
    been disclosed has largely proven to be the good way to deal with this
    kind of issues.

    Our community is open. Discussing issues "inside" the community means
    nothing more than discussing those publicly.

    Damien Tournoud

    [1] http://www.wiretrip.net/rfp/policy.html
  • Matt at Oct 1, 2008 at 2:31 pm
    If you really feel this is the better way to go I'd suggest a change
    of strategy. The current process is not only popular but works well
    and is useful. If there is going to be a change from it to something
    else there needs to be a an obvious benefit that works with the
    cost/time/resources needed to do such a thing.

    Put together a proposed change from the current setup, preform a cost
    benefit analysis on that, and then try to sell the people who can
    affect a change on this in the drupal community. In trying to sell
    them show them the personal benefit to them and the community over the
    current process. (You aren't doing this now and seem to be alienating
    the very people you need to sell this to.)

    If you don't think you can sell them or this seems like too much work
    I'd suggest saving face and backing down on this issue. Otherwise a
    bunch of us have to read emails (or spend time deleting them) in what
    is turning into an unproductive conversation.

    Quoting Web Developer <lapurd at gmail.com>:
    Is it everybody here so quick to see another person logic flaw, where
    in fact you just have to think a little further?

    I did not suggest that you have to give such detail description that
    will expose exploit right away.
    But I'm sure in most cases experienced developer/tester can come up
    with explanatory description without exposing too much.
    I agree that some problem could be so obvious so any explanation will
    expose exploit info. Okay, but it is only one case.
    There are many problems that are not so obvious.

    Alex


    Patrick Teglia wrote:
    it does not mean that exploit information has to be exposed. But detail
    description of the problem can help on its own even before solution come
    out.

    I am sorry, but even a guy with a Security+ certification (in other words,
    me :) ) can see the flawed logic in this statement. A detailed description
    of the problem is a description of the vulnerability that attackers would
    EXACTLY be looking for.

    Patrick Teglia


    On Wed, Oct 1, 2008 at 7:19 AM, Web Developer wrote:

    it does not mean that exploit information has to be exposed. But detail
    description of the problem can help on its own even before solution come
    out.
  • Daniel F. Kudwien at Oct 1, 2008 at 2:41 pm

    All what I have tried to explain that it does not mean that exploit
    information has to be exposed.
    This is what actually happens already: Security team receives a security
    report, does deep analysis of the potential problem, and if the report turns
    out to be valid, the security team aids the corresponding module maintainer
    to fix the vulnerability. The exploit information is made public when a fix
    for all users is available.
    "Analysis and risk rating ensure the quality of the disclosed
    information. The analysis must include enough details to allow a
    concerned user of the software to assess his individual risk or take
    immediate action to protect his assets."
    This, too, is what happens: All subscribers of the security announcements
    newsletter receive a mail for each and every fixed vulnerability throughout
    Drupal core AND contributed modules.
    If Drupal security team made a decision to follow another
    path, its okay.
    But you should not judge another people in this matter so quick.
    Anyway, I have tried to be polite but since I have receive such a
    suspicious in bad intentions and arrogant perception here (at
    least that
    is what I feel now), I think I will standout for now in my true
    intentions to help and let you enjoy status of "overworked and
    understaffed" security team.

    Alex
    Look, I do not belong to the security team either (albeit I considered to
    join for helping out already). However, I /feel/ very safe knowing that we
    have top-notch contributors in this team, doing an excellent job on
    reviewing and solving all security issues. To be honest, I would not like
    to see an arbitrary "Web Developer" (ex. "Drupal Developer") there either.
    As a regular Drupal contributor and user, I know the contributions of /each/
    security team member, which makes me believe that they are experts in all
    Drupal areas - and friends I can trust.

    I would recommend you to contribute more to Drupal, get some kudos for your
    valuable contributions, and then ask again.

    Thanks,
    Daniel
  • Michael Prasuhn at Oct 1, 2008 at 8:06 am
    http://drupal.org/security-team#report-issue

    It's on the top of every "Submit Issue" page on drupal.org.

    Any code that is in an official release of Drupal is 100% open.
    Nothing in the GPL prevents the bug fixes *prior* to release from
    being performed in a non-public manner.

    -Mike
    On Oct 1, 2008, at 12:40 AM, Drupal Developer wrote:

    Wow, I would like everybody to notice something right here.

    In the message I reply to, Matt Farina said:

    "The security team handles things in a tight way. When something is
    reported it's not opened up to the world. If the issue is valid it's
    handled behind closed doors until a fix and advisory is sent out." /
    end of citation/

    I thought that Drupal is an open community of open source developers
    working under GPL license.
    Does it mean that ALL issues have to be openly reported to all
    community for everybody to review?
    Don't you all think that handling security issues behind closed
    doors until a fix and advisory will be sent out is sound more like
    corporate way of thinking on a way to develop something proprietary?

    I'm very concern about that and invite everybody to collaborate on
    this one.

    Does Matt represent a real situation at this matter in Drupal
    development community?
    If not, then I'm sure that many people would like to know exactly
    what the process is for handling security issues from the moment
    they have been reported?
    __________________
    Michael Prasuhn
    mike at mikeyp.net
    http://mikeyp.net
  • Michael Favia at Oct 1, 2008 at 2:51 pm

    Drupal Developer wrote:
    Wow, I would like everybody to notice something right here.
    Please stop feeding the troll. Those of us who pay attention all
    understand and agree with the existing security infrastructure and
    appreciate the hardwork and thankless job that is managing exploits in a
    timely fashion. There isn't a debate to be found here, only a waste of
    time.
    --
    Michael Favia
  • Khalid Baheyeldin at Sep 30, 2008 at 3:32 pm

    On Tue, Sep 30, 2008 at 11:14 AM, Jon Saints wrote:

    On a recent project for the US government, half way through the development
    process, our work was stopped by a government security review which said
    that Drupal (and open source software in general) is not suitable for use in
    government projects that house personal information due to security
    concerns.
    Hello Jon

    Apart from the "100+ since 4.0" mentioned below, what else did they
    criticize?

    If there is a report that they issued, you can share it with the security
    team for a review.

    Email it to security at drupal.org.

    Because our project had been approved by higher ups within the department,
    we were paid for our work up to that point and asked to stop. Now, its up
    to the tax payers to foot a much larger bill for other developers to
    implement a proprietary and more "secure" (or secretive) solution.

    The "transparency" of the Drupal project was one of the government's big
    objections. In their eyes, disclosing and fixing securit holes in a timely
    manner, is not the same thing as security. They pointed out the 100+
    security disclosures since drupal 4.0 as a reason that the system could not
    be used. We noted that all these disclosures where quickly addressed, but
    that did not seem to matter.

    I notice other governments around the world are using Drupal with great
    success and savings to citizens:
    http://buytaert.net/new-zealand-government-using-drupal

    The standards we would need to meet with drupal are:
    http://csrc.nist.gov/groups/SMA/fisma/index.html

    My questions are the following:
    - Have any other developers run into this cerfication problem before?
    - Is anyone in the drupal community currently working to get Drupal
    certified for use in US Government projects?
    - Does anyone know exactly what cerfication would require from a
    development standpoint?

    If there is interest in investigating this type of certification further,
    let me know. NIST, the department that certifies software, is just down the
    road from me. I could go investigate further.

    Thanks
    Jon


    --
    Khalid M. Baheyeldin
    2bits.com, Inc.
    http://2bits.com
    Drupal optimization, development, customization and consulting.
    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20080930/ebead3e1/attachment-0001.htm
  • Chuck D'Antonio at Sep 30, 2008 at 3:34 pm
    Jon,

    I've used Open Source and on government projects before, primarily on
    the defense side -- I'm not sure if this was a civilian or defense
    project. I know that in my previous company, we even needed our
    commercial software certified, and it was a pretty lengthy process to
    get it completed based on the updates I heard of the course of several
    months. Unfortunately, I was only peripherally involved so I don't
    have many details of the process.

    I do know from some folks I've talked to quite recently that multiple
    agencies in the Defense Department are using Drupal -- though
    primarily for non-classified work. There is an arduous process to get
    your software cleared for deployment on the classified networks and it
    typically involves not only the software itself, but lots of
    bureaucratic questions about how it's created.

    Chuck

    Chuck D'Antonio
    Sr. Director Professional Services
    Acquia, Inc.
    Mobile +1.617.388.1120

    On Sep 30, 2008, at 11:14 AM, Jon Saints wrote:

    On a recent project for the US government, half way through the
    development process, our work was stopped by a government security
    review which said that Drupal (and open source software in general)
    is not suitable for use in government projects that house personal
    information due to security concerns.

    Because our project had been approved by higher ups within the
    department, we were paid for our work up to that point and asked to
    stop. Now, its up to the tax payers to foot a much larger bill for
    other developers to implement a proprietary and more "secure" (or
    secretive) solution.

    The "transparency" of the Drupal project was one of the government's
    big objections. In their eyes, disclosing and fixing securit holes
    in a timely manner, is not the same thing as security. They pointed
    out the 100+ security disclosures since drupal 4.0 as a reason that
    the system could not be used. We noted that all these disclosures
    where quickly addressed, but that did not seem to matter.

    I notice other governments around the world are using Drupal with
    great success and savings to citizens:
    http://buytaert.net/new-zealand-government-using-drupal

    The standards we would need to meet with drupal are:
    http://csrc.nist.gov/groups/SMA/fisma/index.html

    My questions are the following:
    - Have any other developers run into this cerfication problem before?
    - Is anyone in the drupal community currently working to get Drupal
    certified for use in US Government projects?
    - Does anyone know exactly what cerfication would require from a
    development standpoint?

    If there is interest in investigating this type of certification
    further, let me know. NIST, the department that certifies software,
    is just down the road from me. I could go investigate further.

    Thanks
    Jon



    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20080930/a106d1bc/attachment-0001.htm
  • Gerhard Killesreiter at Sep 30, 2008 at 3:35 pm

    Jon Saints schrieb:

    On a recent project for the US government, half way through the
    development process, our work was stopped by a government security
    review which said that Drupal (and open source software in general)
    is not suitable for use in government projects that house personal
    information due to security concerns.
    Just out of interest: What kind of information are we talking about?
    Tax numbers, bank accounts?

    [...]
    I notice other governments around the world are using Drupal with great
    success and savings to citizens:
    http://buytaert.net/new-zealand-government-using-drupal
    Seems like a showcase site only.

    Cheers,
    Gerhard
  • Jon Saints at Sep 30, 2008 at 3:40 pm
    The names of Citizens are collected on the website along with some personal
    contact information. We were told that our application required the Medium
    level security certification.

    For collecting more sensitive information, certification becomes nearly
    impossible.

    Thanks
    Jon
    On Tue, Sep 30, 2008 at 9:35 AM, Gerhard Killesreiter wrote:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Jon Saints schrieb:
    On a recent project for the US government, half way through the
    development process, our work was stopped by a government security
    review which said that Drupal (and open source software in general)
    is not suitable for use in government projects that house personal
    information due to security concerns.
    Just out of interest: What kind of information are we talking about?
    Tax numbers, bank accounts?

    [...]
    I notice other governments around the world are using Drupal with great
    success and savings to citizens:
    http://buytaert.net/new-zealand-government-using-drupal
    Seems like a showcase site only.

    Cheers,
    Gerhard
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    iD8DBQFI4kdWfg6TFvELooQRArp1AKCdXFYZDMztJ7wrhhiOJOFG4q3/lACfbsXK
    BX1vLaioeWG348yH/V/ufKs=
    =yFhK
    -----END PGP SIGNATURE-----
    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20080930/4bebd234/attachment.htm
  • Steven Peck at Sep 30, 2008 at 4:06 pm
    Which government security review/standard?

    There are dozens if not hundreds of competing standards/programs and
    levels of auditing and determination depending on which department you
    are dealing with. For example just one program was formerly known as
    DITSCAP and is now DIACAP.

    Many of these have more to do with procedures and policies then code.

    Steven
    On Tue, Sep 30, 2008 at 8:40 AM, Jon Saints wrote:
    The names of Citizens are collected on the website along with some personal
    contact information. We were told that our application required the Medium
    level security certification.

    For collecting more sensitive information, certification becomes nearly
    impossible.

    Thanks
    Jon

    On Tue, Sep 30, 2008 at 9:35 AM, Gerhard Killesreiter
    wrote:
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Jon Saints schrieb:
    On a recent project for the US government, half way through the
    development process, our work was stopped by a government security
    review which said that Drupal (and open source software in general)
    is not suitable for use in government projects that house personal
    information due to security concerns.
    Just out of interest: What kind of information are we talking about?
    Tax numbers, bank accounts?

    [...]
    I notice other governments around the world are using Drupal with great
    success and savings to citizens:
    http://buytaert.net/new-zealand-government-using-drupal
    Seems like a showcase site only.

    Cheers,
    Gerhard
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    iD8DBQFI4kdWfg6TFvELooQRArp1AKCdXFYZDMztJ7wrhhiOJOFG4q3/lACfbsXK
    BX1vLaioeWG348yH/V/ufKs=
    =yFhK
    -----END PGP SIGNATURE-----
  • Bryan Ruby at Oct 1, 2008 at 2:47 am
    I've read all the messages in this thread, but I want to build on what
    Steven has to say here. Please allow one disclaimer so I don't get
    myself in trouble. Although I work for the federal government, I do not
    speak for the federal government nor from my position in the federal
    government. I'm simply a Drupal fan.

    Steven is right about the number of competing standards/programs and
    levels of reviews/audits/and certification that go on in the federal
    government. In many of the cases with FISMA (one of the standards Joe
    links to in his first message), the certification that takes place in
    most agencies are for systems and not in particular a single application
    such as Drupal. In many respects this is a bottom-up certification
    where each person in the chain certifies to their supervisor that a
    system follows agency rules, guidelines and federal laws in making sure
    the system is secure, properly patched, and all risks have been
    identified/minimized. It is a very difficult and laborious process in
    trying to policy put into practice.

    My agency utilizes a mix of Unix, Linux, and Windows systems. On our
    administrative PCs we run a mix of propriety and open source software
    (we've used Thunderbird as our official email client for years). On our
    operational systems all our applications and OS are open source or built
    in-house applications (utilizing Java, Tcl, Python, and variations of
    C). Federal agencies can and do adopt open source for their
    applications. In fact, I've seen the certification process knock out
    more propriety systems than open source systems especially if they're
    aging systems with little in the way of user access control granted.
    Every year, I have to have one necessary propriety system given an
    exception since it doesn't quite meet the requirements...and this system
    can't even be networked into the office LAN.

    Here is my guess as to why Drupal wasn't accepted, without getting deep
    into the policy. As I said at the start, from the system owner all the
    way up through the agency's management up to the CIO...EVERYONE has to
    certify that the system is secure and risks have been
    identified/minimized. This is especially true when it comes to
    personally identifiable information (PII) and/or if the system is
    outside the firewall. In order for all those people to sign on to the
    certification, they each have to have an understanding of the system.
    My guess is that someone was not comfortable with their own
    understanding of Drupal or open source to know whether the system would
    meet all the requirements (especially if they're racing to complete
    budgets/certifications during the final hours of the fiscal year. The
    fact is some agencies or managers in those agencies just don't have an
    understanding of the open source model and are very cautious in moving
    away from what they know. Eventually, we'll have to educate them.

    Joe, what strikes me as odd though is that before a project is approved
    these days the security requirements are understood. It sounds to me as
    if someone on the federal side didn't do their job in working with and
    informing the IT Security Officer about what this project was all
    about. Very interesting and I hope it never happens to me.

    BryanSD

    Steven Peck wrote:
    Which government security review/standard?

    There are dozens if not hundreds of competing standards/programs and
    levels of auditing and determination depending on which department you
    are dealing with. For example just one program was formerly known as
    DITSCAP and is now DIACAP.

    Many of these have more to do with procedures and policies then code.

    Steven
    On Tue, Sep 30, 2008 at 8:40 AM, Jon Saints wrote:

    The names of Citizens are collected on the website along with some personal
    contact information. We were told that our application required the Medium
    level security certification.

    For collecting more sensitive information, certification becomes nearly
    impossible.

    Thanks
    Jon

    On Tue, Sep 30, 2008 at 9:35 AM, Gerhard Killesreiter
    wrote:
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Jon Saints schrieb:

    On a recent project for the US government, half way through the
    development process, our work was stopped by a government security
    review which said that Drupal (and open source software in general)
    is not suitable for use in government projects that house personal
    information due to security concerns.
    Just out of interest: What kind of information are we talking about?
    Tax numbers, bank accounts?

    [...]

    I notice other governments around the world are using Drupal with great
    success and savings to citizens:
    http://buytaert.net/new-zealand-government-using-drupal
    Seems like a showcase site only.

    Cheers,
    Gerhard
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    iD8DBQFI4kdWfg6TFvELooQRArp1AKCdXFYZDMztJ7wrhhiOJOFG4q3/lACfbsXK
    BX1vLaioeWG348yH/V/ufKs=
    =yFhK
    -----END PGP SIGNATURE-----
  • Jon Saints at Oct 1, 2008 at 5:27 am
    Thanks for all the informative comments. The discussion has been most
    helpful.

    Its does appear that our case was the result of a decision of an individual
    (who maybe is not familiar with Drupal), and not a sign of general
    opposition by the government to Open Source software.

    That is good to know.

    Reading through NIST's documentation it seems that certification for
    software to meet the FISMA standards usually takes years. As others have
    pointed out, this is just one of many different standards that the
    government has for software. Its unclear to me where we could even start to
    certify Drupal for government use.

    The lesson here... approval of open source tools seems to happen on a case
    by case and department by department basis. Even if your project is
    approved by a Department heads, ask for a review of the proposal by the
    Security Officer in charge before work begins. In our case, I am not sure
    why that did not happen until half way through the project. We are just
    learning to work for the government. So this is a lesson we will take
    carefully into all our work from here on.

    I have contacted NIST to see if I could sit down and chat with someone to
    bring up some of our questions posted in this thread. If I do get a
    conversation, I will be sure to post the comments back to the group here. I
    have also asked them for alist of the approved content management systems so
    we can get an idea of which companies/projects have achieved certification.

    Thanks
    Jon
    On Tue, Sep 30, 2008 at 8:47 PM, Bryan Ruby wrote:

    I've read all the messages in this thread, but I want to build on what
    Steven has to say here. Please allow one disclaimer so I don't get myself
    in trouble. Although I work for the federal government, I do not speak for
    the federal government nor from my position in the federal government. I'm
    simply a Drupal fan.

    Steven is right about the number of competing standards/programs and levels
    of reviews/audits/and certification that go on in the federal government.
    In many of the cases with FISMA (one of the standards Joe links to in his
    first message), the certification that takes place in most agencies are for
    systems and not in particular a single application such as Drupal. In many
    respects this is a bottom-up certification where each person in the chain
    certifies to their supervisor that a system follows agency rules, guidelines
    and federal laws in making sure the system is secure, properly patched, and
    all risks have been identified/minimized. It is a very difficult and
    laborious process in trying to policy put into practice.

    My agency utilizes a mix of Unix, Linux, and Windows systems. On our
    administrative PCs we run a mix of propriety and open source software (we've
    used Thunderbird as our official email client for years). On our
    operational systems all our applications and OS are open source or built
    in-house applications (utilizing Java, Tcl, Python, and variations of C).
    Federal agencies can and do adopt open source for their applications. In
    fact, I've seen the certification process knock out more propriety systems
    than open source systems especially if they're aging systems with little in
    the way of user access control granted. Every year, I have to have one
    necessary propriety system given an exception since it doesn't quite meet
    the requirements...and this system can't even be networked into the office
    LAN.

    Here is my guess as to why Drupal wasn't accepted, without getting deep
    into the policy. As I said at the start, from the system owner all the way
    up through the agency's management up to the CIO...EVERYONE has to certify
    that the system is secure and risks have been identified/minimized. This is
    especially true when it comes to personally identifiable information (PII)
    and/or if the system is outside the firewall. In order for all those people
    to sign on to the certification, they each have to have an understanding of
    the system. My guess is that someone was not comfortable with their own
    understanding of Drupal or open source to know whether the system would meet
    all the requirements (especially if they're racing to complete
    budgets/certifications during the final hours of the fiscal year. The fact
    is some agencies or managers in those agencies just don't have an
    understanding of the open source model and are very cautious in moving away
    from what they know. Eventually, we'll have to educate them.

    Joe, what strikes me as odd though is that before a project is approved
    these days the security requirements are understood. It sounds to me as if
    someone on the federal side didn't do their job in working with and
    informing the IT Security Officer about what this project was all about.
    Very interesting and I hope it never happens to me.

    BryanSD


    Steven Peck wrote:
    Which government security review/standard?

    There are dozens if not hundreds of competing standards/programs and
    levels of auditing and determination depending on which department you
    are dealing with. For example just one program was formerly known as
    DITSCAP and is now DIACAP.

    Many of these have more to do with procedures and policies then code.

    Steven

    On Tue, Sep 30, 2008 at 8:40 AM, Jon Saints wrote:

    The names of Citizens are collected on the website along with some
    personal
    contact information. We were told that our application required the
    Medium
    level security certification.

    For collecting more sensitive information, certification becomes nearly
    impossible.

    Thanks
    Jon

    On Tue, Sep 30, 2008 at 9:35 AM, Gerhard Killesreiter
    wrote:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Jon Saints schrieb:


    On a recent project for the US government, half way through the
    development process, our work was stopped by a government security
    review which said that Drupal (and open source software in general)
    is not suitable for use in government projects that house personal
    information due to security concerns.
    Just out of interest: What kind of information are we talking about?
    Tax numbers, bank accounts?

    [...]


    I notice other governments around the world are using Drupal with great
    success and savings to citizens:
    http://buytaert.net/new-zealand-government-using-drupal
    Seems like a showcase site only.

    Cheers,
    Gerhard
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    iD8DBQFI4kdWfg6TFvELooQRArp1AKCdXFYZDMztJ7wrhhiOJOFG4q3/lACfbsXK
    BX1vLaioeWG348yH/V/ufKs=
    =yFhK
    -----END PGP SIGNATURE-----

    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20080930/1f9a91d6/attachment.htm
  • Nancy Wichmann at Sep 30, 2008 at 6:14 pm
    Every government department for which I worked also used Windows ? how many
    security holes in that have been fixed in just this year, let alone the last
    several? So much for proprietary products being secure


    Many of the projects on which I worked also used open source products ?
    including for a large department that is involved every time you travel by
    air.

    On that same project, I was responsible for QA ? but it was not my only job.
    The agency had 18 people on their QA staff (don't ask me why) and every one
    of those people felt that they HAD to find something to write up. After a
    half dozen iterations, the company I worked for (a very large services
    organization) had to tell their management to stop that nonsense.

    The agency's management can get around virtually any policy if they want.
    However, I never found an agency that cared about the taxpayer's money ?
    even though they are also taxpayers.

    I would encourage you to visit with NIST. My guess is that there is a
    simple misunderstanding, quite possibly arising from not having to pay for
    open source products (they can, however, make a donation if they really want
    to spend money).


    Nancy E. Wichmann, PMP
    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20080930/f2cb6cdb/attachment.htm
    -------------- next part --------------
    A non-text attachment was scrubbed...
    Name: not available
    Type: multipart/alternative
    Size: 0 bytes
    Desc: not available
    Url : http://lists.drupal.org/pipermail/development/attachments/20080930/f2cb6cdb/attachment.bin
    -------------- next part --------------

    Internal Virus Database is out of date.
    Checked by AVG - http://www.avg.com
    Version: 8.0.169 / Virus Database: 270.7.0/1685 - Release Date: 9/22/2008 4:08 PM
  • Chris Johnson at Sep 30, 2008 at 8:10 pm
    I think the agency in question just didn't get the memo. The U.S.
    Government, including the Department of Defense, is using open source
    software in a big way. See the following links:

    * http://www.gcn.com/blogs/tech/47100.html

    -- Quote from the above link:

    ''It's worth noting, though, that the House Armed Forces Committee addresses
    the matter.

    "The committee acknowledges the availability of proprietary software and
    encourages its development and acquisition as necessary and appropriate. The
    committee believes, however, the widespread implementation of an OSS
    standard will not only lead to more secure software, but will also foster
    broader competition by minimizing traditional constraints imposed by an
    overreliance on proprietary software systems," it stated.''


    * http://www.terrybollinger.com/dodfoss/dodfoss_html/index.html

    -- A 2003 report by Terry Bollinger of The Mitre Corp. on the use of FOSS in
    the U.S. Dept. of Defense.


    The Dept. of Defense is likely the single largest spender in the Drupal
    market; it's just behind the scenes.

    According to the same database referred to above, Windows had 694 security
    holes in the last 3 years -- considerably more than Drupal over the same
    period.

    On Tue, Sep 30, 2008 at 1:14 PM, Nancy Wichmann wrote:

    Every government department for which I worked also used Windows ? how
    many security holes in that have been fixed in just this year, let alone the
    last several? So much for proprietary products being secure?
    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20080930/501b65de/attachment-0001.htm
  • Nancy Wichmann at Sep 30, 2008 at 8:37 pm

    Chris Johnson wrote:
    The Dept. of Defense is likely the single largest spender in the Drupal
    market;

    Just think if the DOD contributed 1% of 1% of its budget to OSS, the market
    would be booming with products.

    Nancy E. Wichmann, PMP




    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20080930/fdfb84fc/attachment.htm
    -------------- next part --------------
    A non-text attachment was scrubbed...
    Name: not available
    Type: multipart/alternative
    Size: 0 bytes
    Desc: not available
    Url : http://lists.drupal.org/pipermail/development/attachments/20080930/fdfb84fc/attachment.bin
    -------------- next part --------------

    Internal Virus Database is out of date.
    Checked by AVG - http://www.avg.com
    Version: 8.0.169 / Virus Database: 270.7.0/1685 - Release Date: 9/22/2008 4:08 PM
  • Laura Scott at Sep 30, 2008 at 8:55 pm
    Consider that one big difference between proprietary and open source
    is lobbying and existing contract relationships. Chris DiBona I
    believe spoke about how a defense contractor tried to get OSS banned
    from military systems, but after an internal audit of such systems
    revealed that a huge % of such systems (30%? More? I confess I don't
    recall) depended upon OSS, the DOD rejected the proposal.

    There is more to this than simple perceptions about FOSS.

    Laura

    On Sep 30, 2008, at 9:14 AM, Jon Saints wrote:

    On a recent project for the US government, half way through the
    development process, our work was stopped by a government security
    review which said that Drupal (and open source software in general)
    is not suitable for use in government projects that house personal
    information due to security concerns.

    Because our project had been approved by higher ups within the
    department, we were paid for our work up to that point and asked to
    stop. Now, its up to the tax payers to foot a much larger bill for
    other developers to implement a proprietary and more "secure" (or
    secretive) solution.

    The "transparency" of the Drupal project was one of the government's
    big objections. In their eyes, disclosing and fixing securit holes
    in a timely manner, is not the same thing as security. They pointed
    out the 100+ security disclosures since drupal 4.0 as a reason that
    the system could not be used. We noted that all these disclosures
    where quickly addressed, but that did not seem to matter.

    I notice other governments around the world are using Drupal with
    great success and savings to citizens:
    http://buytaert.net/new-zealand-government-using-drupal

    The standards we would need to meet with drupal are:
    http://csrc.nist.gov/groups/SMA/fisma/index.html

    My questions are the following:
    - Have any other developers run into this cerfication problem before?
    - Is anyone in the drupal community currently working to get Drupal
    certified for use in US Government projects?
    - Does anyone know exactly what cerfication would require from a
    development standpoint?

    If there is interest in investigating this type of certification
    further, let me know. NIST, the department that certifies software,
    is just down the road from me. I could go investigate further.

    Thanks
    Jon
    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20080930/2bdc1660/attachment.htm
  • Chris Johnson at Sep 30, 2008 at 9:30 pm
    Indeed. In the article I provided the first link to, there is also this
    quote:

    "Not everyone has been pleased with how the bill calls out open-source
    software by name, though. Analysts at the Business Software Alliance met
    with members of the committee to voice their concern that the bill
    unfavorably offers open-source software products an unfair competitive
    advantage over other commercial software, according to a BSA spokesperson
    who declined to be named."

    I think we all know who the BSA is, and who they represent. Clearly the
    proprietary software vendors are upset and lobbying against FOSS.

    On Tue, Sep 30, 2008 at 3:55 PM, Laura Scott wrote:

    Consider that one big difference between proprietary and open source is
    lobbying and existing contract relationships. Chris DiBona I believe spoke
    about how a defense contractor tried to get OSS banned from military
    systems, but after an internal audit of such systems revealed that a huge %
    of such systems (30%? More? I confess I don't recall) depended upon OSS, the
    DOD rejected the proposal.
    There is more to this than simple perceptions about FOSS.

    Laura


    On Sep 30, 2008, at 9:14 AM, Jon Saints wrote:

    On a recent project for the US government, half way through the development
    process, our work was stopped by a government security review which said
    that Drupal (and open source software in general) is not suitable for use in
    government projects that house personal information due to security
    concerns.

    Because our project had been approved by higher ups within the department,
    we were paid for our work up to that point and asked to stop. Now, its up
    to the tax payers to foot a much larger bill for other developers to
    implement a proprietary and more "secure" (or secretive) solution.

    The "transparency" of the Drupal project was one of the government's big
    objections. In their eyes, disclosing and fixing securit holes in a timely
    manner, is not the same thing as security. They pointed out the 100+
    security disclosures since drupal 4.0 as a reason that the system could not
    be used. We noted that all these disclosures where quickly addressed, but
    that did not seem to matter.

    I notice other governments around the world are using Drupal with great
    success and savings to citizens:
    http://buytaert.net/new-zealand-government-using-drupal

    The standards we would need to meet with drupal are:
    http://csrc.nist.gov/groups/SMA/fisma/index.html

    My questions are the following:
    - Have any other developers run into this cerfication problem before?
    - Is anyone in the drupal community currently working to get Drupal
    certified for use in US Government projects?
    - Does anyone know exactly what cerfication would require from a
    development standpoint?

    If there is interest in investigating this type of certification further,
    let me know. NIST, the department that certifies software, is just down the
    road from me. I could go investigate further.

    Thanks
    Jon

    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.drupal.org/pipermail/development/attachments/20080930/855ffd3a/attachment.htm
  • Dan Robinson at Sep 30, 2008 at 11:02 pm

    I think we all know who the BSA is, and who they represent. Clearly
    the proprietary software vendors are upset and lobbying against FOSS.
    ya think ;)
  • Piermaria Maraziti at Sep 30, 2008 at 11:02 pm

    At 17.14 30/09/2008, you wrote:
    The "transparency" of the Drupal project was one of the government's
    big objections.
    Just as a quick note by a lurker: various organs of the Italian
    government (Finance Ministery but not only) judged the "open" is OS
    projects to be a very good element for the usual reasons addressed by
    OS evangelists, also about security issues. It's a priority, to them,
    also the active participation in community: giving help when they can
    to receive help when they need (yep: most utilitary, not so
    idealistic - but pragmatic and correct).

    Ciao!


    --8<-----------------------------------fnord-----
    Piermaria Maraziti piermaria at maraziti.it KALLISTI
    ICQ744473 MSN:kallisti at hotmail.it +3934735GILDA
    www.gilda.it www.eridia.it www.hovistocose.it

Related Discussions