
Does a security report of the BOA Aegir stack exist?

Open Corvalan opened this issue 5 years ago • 3 comments

I am proposing a large network to use the BOA stack, but a comprehensive security assessment is asked which covers the most important security risks.

Does anything like that exist? If so, please share. Thanks!

Corvalan avatar Sep 05 '19 17:09 Corvalan

This is basically very dependent on and specific to the hosting environment on the facility/hardware/network level, not just the software stack level, which in itself is easy to test and review, so typically the security assessment must be done within a specific context, even if in theory one could share the security assessments of the stack or its components (Aegir, Drupal etc.). From our experience it's an organisation-specific evaluation and testing. The stack itself comes with all the typical clauses in the main scripts' headers, like the one below, so obviously you can't get any kind of certified version/assessment of it that you could share/quote without context.

###  This program is free software. You can
###  redistribute it and/or modify it under
###  the terms of the GNU GPL as published by
###  the Free Software Foundation, version 2
###  or later.
###
###  This program is distributed in the hope
###  that it will be useful, but WITHOUT ANY
###  WARRANTY; without even the implied
###  warranty of MERCHANTABILITY or FITNESS
###  FOR A PARTICULAR PURPOSE. See the GNU GPL
###  for more details.

omega8cc avatar Sep 05 '19 20:09 omega8cc

Thank you. What recommendations can you give for automatic and instant security updates whenever they are published? I mean for the sites' modules hosted in Aegir.

Corvalan avatar Sep 06 '19 12:09 Corvalan

Managing Drupal codebase updates is out of BOA's scope. BOA manages the environment, and Aegir is a tool to manage the site lifecycle, but that doesn't translate to the codebase lifecycle. It highly depends on how you manage your codebase updates: with built-in Git and Git webhooks, with Composer, or with Drush makefiles, depending on the core version. However, Drupal security updates are not only a matter of workflow and tools but also of early access to information about upcoming security releases. This is hard to replicate unless you are a member of the Drupal security team. We would recommend considering managed upgrades with myDropWizard: https://omega8.cc/drupal


omega8cc avatar Sep 10 '19 01:09 omega8cc