In January 2010, a hacker managed to replace a picture of Spanish Prime Minister Zapatero with a picture of Mister Bean on the official EU2010.es website. A PR nightmare that obviously shouldn't happen again. Krimson was asked to assist in making sure it didn't.
EuTrio.be, the official website for the Belgian Presidency of the Council of the European Union, was built using Drupal by the people at Calibrate.
Although Drupal has very good security measures built in (see the Security Report at http://drupalsecurityreport.org - written by the people at Growing Venture Solutions and sponsored by Krimson), configuration and custom development always bring along extra security risks.
With the Spanish security disaster in mind, the client asked an independent party with excellent Drupal expertise to audit the website for Drupal coding practices, performance optimization and, most importantly, security. An important part of the job was also guiding the development team towards a security-focused delivery.
Our audit consisted of 4 evaluation rounds during the development process, each one part of an intermediate release. The Krimson krew, with help from external experts like swentel and Ustima, guided the developers and themers by writing intermediate reports pinpointing potential security risks.
Our reports consisted of:
- configuration related issues
- potential pitfalls related to the selected modules and the way they would interact
- custom coding related issues
- theming related issues
We enjoyed working on this security job and believe that, with these reports, we helped keep the EU presidency website safe from harm.





