drupal-security

If you have been looking around for new Drupal contributed modules lately, or just reviewing the release versions and statuses for modules that you are using, you might have noticed a new shield icon at the bottom of the project information section.

Nicknamed the "Drupal Shield of Awesomeness" by some of the leaders of the Drupal community, this small but useful graphic is intended to help people recognize contributed modules that receive a higher level of scrutiny and support by the Drupal security team than others.

drupal-project-module-information

So, who is the Security Team? You can find more information on drupal.org, but in short the Drupal Security Team is a group of highly skilled volunteer developers and software security professionals that identify vulnerabilities in Drupal code and provide fixes.

Their public contributions come in the form of security advisories, which inform the Drupal community of issues with Drupal core and released contributed modules.

There are a lot of Drupal developers, many of whom are actively making contributed modules, so it would be difficult for the Security Team to individually vet each module out there. So the process has evolved to demonstrate to the wider community that contributed modules which have opted to promote their project to a stable release, so no longer alpha, beta, dev, etc. they can and will have their project subjected to more in-depth scrutiny. After passing, it will receive this shield icon to help identify it as a module with the backing of the Drupal Security Team's review.

Review entails a mixture of automated code analysis tests and actual review of the code by a person or persons. Considering the multitude of Drupal modules, this can be a laborious process and is all the more remarkable that the bulk of this work is done by volunteers. If you see a Drupal Security Team member at the next DrupalCon, be sure to say "thank you"!

What does this ultimately mean for the average Drupal user? Well, you can still continue using any of the other contributed modules out there, but you need to recognize that if your website is for official use by a company or organization, and is live and open to the public, you'll want to seriously consider using only modules which have this backing by the Security Team.

To be frank though, it is rarely possible to complete your Drupal website with only stable release modules, it seems like there is always that one feature that you want that needs an obscure module that is still in a "dev" state. You can do this of course, just be sure to follow the modules issue queue and stay informed about ongoing work that it may need.