Your Drupal sites are safe with Warden
It’s no secret that we’re passionate about open source at Deeson. We’ve written before about why we think businesses should pay their developers to work on open source projects and of course we practice what we preach.
Developers at Deeson get paid time to contribute to open source, and are building some really cool stuff as a result.
Open source estate management
In previous posts we introduced you to Warden, our open source solution for managing multiple Drupal websites. Warden provides a central dashboard for reviewing the status of your sites, and highlights those with issues that need resolving.
As an agency, Deeson works with a broad range of clients and each of their websites or platforms has unique hosting requirements. We needed a central place to maintain oversight of the current status of all the sites we manage.
Upon discovering that none of the existing SaaS options did exactly what we needed, we decided to develop our own solution and give it back to the community.
We’re continuing to develop and support Warden, and we’re pleased to say the first stable release (1.0.0) became available at the end of June! A major new feature included in this release is the ability to report on the third party libraries (e.g. JavaScript and PHP) a site is using.
Know which sites need updating
Warden already reports versions of your Drupal modules and this new feature allows you to identify which sites are using which versions of various add-on libraries, including jQuery, Backbone.js, and AngularJS. This means you can discover which sites you will need to update if there are any security announcements for those libraries.
Setting the library versions
As well as the Warden server upgrade, there is a new release of the Drupal Warden module available for both Drupal 7 and 8 to enable the reporting of third party libraries.
There are multiple ways to add libraries to a Drupal site – you can do it manually, or use composer, drush make, or the Drupal libraries module. For simplicity’s sake we opted for a manual approach to setting the configuration.
In order for your site to report the specific libraries (JavaScript and PHP) that are being used, you will need to manually specify them in the site’s settings.php file.
For further details about how to configure Warden to report on library versions, check out the module’s README file.
Library security announcements
At present, there unfortunately isn’t a central library of all security announcements for JavaScript or PHP libraries, so Warden can’t report on whether or not a current library version has a security issue.
It’s therefore up to you to be aware of the various libraries your sites are using, so that you know if there have been any security announcements for them. The advantage of using Warden is that you have one central place to look.
There are several online databases which detail security announcements for JavaScript and PHP libraries, though these aren’t complete and many libraries aren’t covered.
Here is a list of resources where you can view security advisories:
- Checking your npm dependencies for security vulnerabilities
- cve-search Common Vulnerabilities and Exposures (CVE)
- The Exploit Database (EDB)
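Once an advisory from one of these sources names an affected version range, matching it against the versions your sites report is a mechanical step. The sketch below is an added example, not part of Warden or its module: the inventory structure, site names and advisory are all constructed assumptions, and the version range is not a real advisory.

```python
import re

# Constructed inventory: site -> {library: version string the site reports}.
# Hypothetical structure, not Warden's own data format.
INVENTORY = {
    "shop.example.com": {"jquery": "1.4.4", "backbone": "1.1.2"},
    "blog.example.com": {"jquery": "1.12.4", "angularjs": "1.2.0-rc.3"},
    "intranet.example.com": {"jquery": "3.5.0"},
    "legacy.example.com": {"jquery": "unknown"},
}

# Constructed advisory (placeholder id and range): introduced <= affected < fixed.
ADVISORY = {"id": "EXAMPLE-ADVISORY-1", "library": "jquery",
            "introduced": "1.2.0", "fixed": "3.5.0"}


def parse_version(text):
    """Return (major, minor, patch, is_release), or None if unparseable."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[0-9A-Za-z.-]+)?",
                     text.strip())
    if not m:
        return None
    major, minor, patch = (int(p or 0) for p in m.group(1, 2, 3))
    # A pre-release (e.g. 1.2.0-rc.3) sorts before the release it precedes.
    return (major, minor, patch, 0 if m.group(4) else 1)


def triage(inventory, advisory):
    """Split sites reporting the advised library into affected / manual review."""
    low = parse_version(advisory["introduced"])
    high = parse_version(advisory["fixed"])
    affected, review = [], []
    for site, libs in sorted(inventory.items()):
        reported = libs.get(advisory["library"])
        if reported is None:
            continue  # site does not report this library at all
        version = parse_version(reported)
        if version is None:
            review.append(site)  # unparseable version: a person must check it
        elif low <= version < high:
            affected.append(site)
    return affected, review


if __name__ == "__main__":
    print(triage(INVENTORY, ADVISORY))
```

Versions are compared as numbers rather than strings, so 1.12.4 correctly falls inside the range, and a site with an unreadable version is flagged for review instead of being treated as safe.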
In conclusion
Warden allows in-house development teams and agencies to keep track of security releases and version numbers across an estate of Drupal websites stored on different hosting environments, and can save time when managing security rollouts.
The new features in Warden extend this to third party library versions, which previously had no solid mechanism for central storage and reporting.
Are you using Warden successfully? What else does the tool need? Come and let us know on our GitHub issues listing page.