While I have had the privilege of attending a number of DrupalCons and camps over the years, I cannot remember one with as many sessions and BOFs (birds of a feather) on the topic of security. In addition to the security talk on the program schedule, I had a great time chatting with individuals in the hallways and a few security-focused companies in the exhibit hall.
I wasn't able to attend all of the sessions and BOFs mentioned below, but I want to highlight my favorite takeaways from the ones I worked into my schedule.
Simplifying Security: Protecting your Clients and your Company covered some common security myths that will surprise many technical and non-technical people alike. Make sure to catch the video of the session.
Watch the Hacker Hack dives into the mind of a hacker and how it isn't like the movies. Spoiler alert: The end results can be just as dire for your website and associated data. The session was interactive with video examples of the hacker(s) in action. I plan to watch this session on video again as it was full of interesting details.
There was also a lively discussion about data encryption techniques and challenges with securely storing encryption and API keys.
Meet with Security Team Members and Ask Security Questions was led by Michael Hess and other members of the Drupal security team. This BOF was a great reminder that there are still so many ways to get involved in the Drupal community. The article How to join the Drupal Security Team has lots of details on getting involved. Even if you don't want to join the security team, the last section of the same page, "Improve Drupal's security from outside the team," is pure gold. So many ways to get involved. The BOF attendees asked questions and discussed Drupal security team processes and how the team dealt with Drupageddon and other security incidents.
It is great to see the awareness of security rising in the community as Drupal continues to drive more enterprise websites and applications. I think that all of the Drupal and related hosting infrastructure best practice discussions will help enterprise and non-enterprise install bases. This kind of sharing is one of the many things I love about being part of an open source community.
Security-related sessions and BOFs I didn’t attend
- Government Security Frameworks: Where Do I Begin? | Avoid Traffic Jams: The Impact of eCommerce Site Performance on Bottom-Line Results
- Navigating The Website Security Threat Landscape
- BOF-Security and Compliance Challenges and Strategies
The number of sessions and interest in security at DrupalCon confirmed to me that attendees realize security is no longer a checkbox within a list of requirements. Security should be an ongoing part of any software development process, just like UX, digital strategy, content architecture, etc. I am looking forward to taking what I have learned to continue educating our clients and the Drupal community on the importance of protecting websites and applications.