Aug 1 2016

The benefits of the Drupal community and S8080’s maintenance and support


Drupal is renowned for its flexibility and extensibility, proven by the sheer number of high quality modules available. By using common modules in Drupal deployments, we not only increase functionality quickly and easily, but massively reduce costs whilst benefitting from community security updates. This approach also ensures complete portability for our clients in the future. These are primary reasons why open source solutions are in such high demand.

The Drupal community has an exceptional security team that performs audits and manages the process of communicating their security update findings to module owners.

As an agency of passionate Drupal developers and active Drupal community contributors, every week S8080 get notifications from Drupal on any security releases along with alerts from other specialist tools we use.

These tools monitor all of the Drupal sites that we maintain, to identify all the relevant updates that need to be made to the Drupal core and the modules running on those sites – this ensures nothing is ever missed.

Our ISO/IEC 27001 secure development policies mean we have strict protocols in place to ensure our website and online applications are patched quickly and to reduce exposure to any emerging vulnerabilities. When updates need to be made, we prioritise them based on severity and our team will deploy them to the sites that we manage for our clients. Our clients are therefore assured that their Drupal CMS is running the latest and most secure code.

How are Drupal and its modules kept secure?

If you are interested in understanding a bit more on how Drupal’s security team work, then this is a very interesting article: https://www.acquia.com/gb/node/2023186. Their infographic explains the process so well!

Drupal security release infographic

Source: Acquia.com

How does S8080 help the Drupal community keep Drupal secure?

Our Drupal developers are very active in the Drupal development community; it’s common for them to be working on modules and providing updates back to the community. For example, on the 20st April, a commonly used 3rd party module ‘EPSA Crop’ was announced to have a security vulnerability – initially no details were issued to allow the community to react.

This module allows editors to crop the images they upload to their Drupal site, so they don’t have to use third party graphics packages. The owner of this module was no longer available to maintain EPSA Crop, and therefore the central Drupal security team recommended that it should be uninstalled and no longer used. However, this would mean that the thousands of sites using the module around the world would suddenly show images uncropped and full-size, causing websites to look terrible – something nobody wants.

This is where S8080 and the Drupal community came into play. We use EPSA Crop to provide an enhancement to the way users manage images in their site, and we consider this module to be of importance to us and our clients, so as soon as we were notified of the issue we set about working on a fix for our clients and the whole community.

After quick initial investigations, before the details of the vulnerability were released, we spotted the potential problem and immediately started working on a fix for our Drupal sites and the community as a whole. We deployed the hot fix to the sites that we manage and support to protect them immediately.

Once the official security vulnerability details were released, we were pleased to find that our investigations were correct and we were able to submit our patches / fix to Drupal very early for review by the community. Along with our patches and those of other members of the community, an official fix was released. We then set about the process of updating all of our managed sites with the official fix.

In this particular instance, S8080’s proactive approach to security and our interaction with the Drupal community meant that our managed service clients benefitted from very early protection from potential hacking attempts. And without resorting to making their sites look dreadful by removing the module!

Just as importantly the community and other websites benefited from our work by getting a fix to the module very quickly.

We think this is a great way to work.

Feb 12 2015

How we do agile and lean development projects in our web agency

At S8080 we like to keep things lean and we like to get things done. How exactly do we like to get things done? By sticking to some key principles taken from Prince2 and Agile (why limit yourself to only one project management methodology!)

After the client alignment, UX and creative phase, we’ll have a big kick off session. This ensures that everyone on the team knows the end goal, how it can be achieved and their role in achieving that goal.

User stories and the agile wall

Once all is understood and all questions asked, the team will plan out the project by creating user stories. These are simply cards that contain a specific story, or goal. For example, one story may be “As a student, I want to be able to view all books available”. Once all stories have been built up, the team as a whole will estimate how long each story will take to complete.

With all the stories created and work estimated, the team place the cards up onto the Agile wall. Think of the Agile wall as a huge ‘to-do’ list.

As the team work on a story they will pass through several stages from the ‘backlog’ to being ‘accepted / completed’. To ensure this process runs smoothly, the teams will have a quick 5-10 minute stand up in the morning. At these stand ups the team will work through any problems or ‘blockers’ that are stopping them from working.

Iterative approach and sprints

We keep our clients well informed by showcasing our work to date at the end of every iteration / sprint. This is a great opportunity to gather feedback early on in the development process, instead of the big reveal at the end. We couple these showcases with a weekly report, which contains a general status, dependencies, risks and any issues.

At the end of each sprint, we will perform a retrospective. This is the opportunity for the team as a whole to suggest how we can make improvements for the next iteration – and usually demolish a pack or two of Welsh cakes.

Because some customers require a fixed scope, time and budget, we also provide a Gantt chart. This will contain a detailed list of the functional outputs along with any user testing, security testing, UAT and other dependencies. If there is any additional work to be added to the scope, this is simply dealt with via a change request.

Our key take away points are:

  • Encourage team communication through daily stand ups
  • Encourage team organisation through visible Agile boards
  • Encourage early feedback from the client by introducing end of iteration showcases
  • Encourage team performance with end of iteration retrospectives

Sometimes agencies can get too clogged up in ‘how to do Agile development’ to the letter instead of finding a method that works for them. After all, not all clients, teams and companies are the same.