Planet Drupal

This is a listing of Drupal-related articles and weblog entries that are of interest to the larger Drupal community.

Is Drupal Secure? Drupalgeddon and Our Approach to Security at Exaltation of Larks

Is Drupal secure software? You may have heard about the significant security announcement nicknamed “Drupalgeddon” and are wondering where Drupal fits in today’s fast-changing world of internet threats, enterprise software and risk management.

We stand by Drupal’s security record and recommend it for a variety of business cases. To put our money where our mouth is, our cofounder and chief tin-foil-hat fashionista, Christefano Reyes, is presenting Better Sleep Through Web Security. this Thursday, November 20th, at the San Gabriel Valley Drupal Meetup.

Thanks to a the Greater Los Angeles Drupal user group and its sponsors, this meetup is hosted on the beautiful Fuller Theological Seminary campus in Pasadena, California, and also have a video conference for those who can attend only by video conference or phone.

   Date and time: November 20, 2014 at 6pm Pacific Time
   Location: Fuller Theological Seminary, at 135 N Oakland Ave
Pasadena, CA 91101 (Building “Glasser 110”)
   Video conference: https://glad.zoom.us/j/129319220
   Phone: +1 415-762-9988 or +1 646-568-7788
   Meeting ID: 129 319 220

Better Sleep Through Web Security

Christefano Reyes presents Better Sleep Through Web Security, an in-depth overview of web security, what to do do if your website is hacked, and how to sleep better by following basic web security best practices.

The “Drupalgeddon” vulnerability has been covered in mainstream news including Forbes, the BBC and The Register, and has brought web security, frequently an overlooked part of web development, back to the center stage.

This particular vulnerability, officially known as SA-CORE-2014-005, allows attackers with specialized knowledge to send requests to any unprotected Drupal website that result in arbitrary SQL execution, which in turn may lead to privilege escalation, arbitrary PHP execution and total server control.

Topics that will be covered in this presentation include:

  • Security vs. Privacy
  • Common Attack Vectors
  • Drupal’s security record and the Drupal Security Team
  • SA-CORE-2014-005 (also known as “Drupalgeddon”)
  • I’ve Been Hacked! Now What?
  • Best Practices for Helping Others and Yourself
  • Resources
  • Questions / Answers

Christefano is one of the founders of Exaltation of Larks, a Drupal design and engineering firm with a worldwide team of Drupal experts; and Droplabs, an open source-friendly coworking space and business incubator near Downtown Los Angeles. As an advocate of open source software and self-declared meetup junky, he helps organize meetups and conferences all over the Greater Los Angeles Area, including the Los Angeles Chess meetup and LA Geek Dinners.

If you haven’t heard of Drupalgeddon or don’t know if your Drupal sites have been updated since the announcement, please stop reading and see the SA-CORE-2014-005 FAQ immediately. You can contact us for any questions related to Drupal maintenance and support, including security services, at 888-527-5752 and via our Contact form.

Weaving Community with TimeBanks USA: Drupal and Time-Based Alternative Currencies

TimeBanks USA TimeBanks USA is a 501c3 nonprofit organization that promotes and supports timebanking. Timebanking was created by Dr. Edgar S. Cahn, who founded TimeBanks USA in 1995.

Timebanking is a tax-exempt alternative currency system that works like this: if I spend one hour helping you build your website, I earn one credit, or time dollar. You can then turn around and exchange that time dollar by giving it to someone who fixes your refrigerator, coaches you on your resume, or gives you a ride to the airport.

The possibilities are endless,” according to TimeBanks USA. “An hour of gardening equals an hour of childcare equals an hour of dentistry equals an hour of home repair equals an hour of teaching someone to play chess.” It’s different from bartering, because this type of timebanking is based on services (and not goods) between members of a network.

This wasn’t the first time Exaltation of Larks has worked with alternative currencies. We created a virtual economy for Digital Dollhouse, a casual game where girls are empowered to become their own interior designers. In this virtual world, it’s possible to trade or regift items like dolls, plants and pets, and work with an in-game currency named ddCoins.

In addition to our work with TimeBanks USA, our experience with timebanking includes working as volunteers with two Los Angeles-area timebanks: Arroyo S.E.C.O. Time Bank and the West LA timebank cleverly named Our Time Bank. Our Time Machine project is an experimental Drupal installation profile for communities and organizations looking for turnkey timebanking software for their members and participating businesses and organizations.

TimeBanks USA founder Dr. Edgar S. Cahn has spent more than four decades striving for social justice. He began his career working for the Kennedy administration, focusing on alleviating poverty and hunger. He then opened the Citizens Advocate Center, an organization dedicated to protecting the rights of community groups as they interacted with the government. In 1972, Dr. Cahn founded the Antioch School of Law, whose curriculum was designed to teach students to practice law for the greater good of society.

Here at Exaltation of Larks, we have enormous respect for Dr. Cahn: at the age of 80, he is still a rabble-rouser and hell-raiser who is fighting to change the world, and we’re proud to provide him with the technical assistance to further this goal. Dr. Cahn is a true visionary and we hope to work with — and write about — him and his partner, Chris Gray, TimeBanks USA’s CEO, more in the future.

TIMEBANKS USA’s ROLE IN TIMEBANKING

TimeBanks USA TimeBanks USA supports timebanking in myriad ways, including offering onsite trainings nationwide; organizing an annual timebanking conference; hosting webinars and teleconference calls; and consulting individually with clients. The organization helps members connect with local timebanks or create their own.

One of the parts of TimeBanks USA infrastructure is a large scale social networking platform named Community Weaver, which has a software-as-a-service subscription model. There are more than 400 timebanking websites all around the world that rely on it to help manage and organize their timebanking processes, community activities and other needs.

TIMEBANKS USA’s NEEDS

Exaltation of Larks performed a substantial security and performance audit on Community Weaver, a complex Drupal multisite system. We helped TimeBanks USA fix critical issues affecting one of their essential online organizational tools — their Community Weaver software. This software platform runs a quickly evolving and iterating network of Drupal websites, so it was vital that the software could be updated and developed sustainably and seamlessly, yet without overriding the autonomous decision-making processes of each chapter website.

In addition, we worked with TimeBanks USA to develop a project plan for version 3.0 of Community Weaver and raise the funds to build it; we addressed problems arising from the system’s simultaneous use of both WordPress and Drupal; and we helped streamline the organization’s decision-making process.

TimeBanks USA needed extensive rework on their Community Weaver software, specifically with regard to security, performance and usability issues. Community Weaver is an online organizing and tracking tool for timebank members: it records time exchanged, displays service offers and requests, keeps track of memberships, and displays announcements for the community. Any local timebank can subscribe to TimeBanks USA’s software-as-a-service (SaaS) system to manage their members’ work. TimeBanks USA hired Exaltation of Larks to audit and rework Community Weaver 2.0, with the plans to eventually migrate all their technology, online memberships and e-commerce data to version 3.

TimeBanks USA was also experiencing security problems with its self-hosted WordPress website, which was outside our original scope of work. TimeBanks USA used our emergency support system and we quickly mobilized to resolve this new issue. We determined that security had been compromised and implemented several solutions to tighten it up, from checking the code integrity to updating MySQL access and hardening file permissions.

In addition to our work with TimeBanks USA, we worked with the Arroyo S.E.C.O. Time Bank, one of the many timebanks affiliated with TimeBanks USA. Arroyo S.E.C.O. serves neighborhoods in the eastern and northeastern Los Angeles area, which meant the Larks who were in the Downtown Los Angeles area could work with them one-on-one.

OUR SOLUTION

We began by tackling the security issues found in Community Weaver. Fortunately, TimeBanks USA had an in-house Drupal developer, who we worked with on a massive infrastructure audit, focusing on security and performance. This multisite installation had been built by its previous developer with development practices that were common in 2007, before Features and configuration-in-code became popular. We identified which multisite instances had been modified by their local chapters’ coordinators — which meant examining data structures, views, and content types across hundreds of Drupal websites — and which had unsafe code or configuration. We found security vulnerabilities through the entire stack, from the Drupal systems and websites down to the server operating system, all of which we documented, prioritized and / or resolved.

This was an extensive audit that had both technical and political ramifications. Each chapter is run by its coordinators and volunteers and sometimes in completely different ways than other chapters. In a multisite environment, making technical decisions for the entire fleet of hundreds of websites would impact all local chapter websites that had been modified for their own business cases.

We worked in conjunction with TimeBanks USA to devise policies and joined them on many global community conference calls — open to all coordinators of all the timebanks in the world — to describe our technical approach and to solicit feedback. Our task was to provide technical leadership for the entire organization. We needed a set of standards for sustainable development of this enormous network, but we also needed to respect each individual chapter’s right to make its own decisions.

The project plan we provided included time estimates to address the security problems we found. TimeBanks USA’s tech coordinators reviewed our list of most-needed fixes and then we consulted with a local timebank coordinator and Community Weaver user to make sure these fixes matched their timebank’s list of essential tasks.

We worked with several popular web hosting providers, including Drupal-as-a-service platform companies, to negotiate competitive pricing on behalf of TimeBanks USA. Due to their unique system and web application architecture, we recommended SoftLayer based on their features and pricing.

TimeBanks USA Community Weaver

The unfortunate multisite architecture that the prior developers had devised had the result of creating exponential complexity precluding any proper maintenance and further development on the system. We navigated our way through thousands of lines of uncommented custom code. We also found that the Linux server environment was an abandoned and unsupported custom distro. In both cases, we replaced as many unknown components as possible with stable, peer-reviewed alternatives and we documented the rest. We also stabilized the system by locking down the kinds of changes that individual coordinators could make to their individual timebank chapter websites, thus reducing future maintenance costs.

We fixed several security issues in the system by altering file permissions, MySQL accounts, and text input filters. We used PHP Filter Lock, a module we developed that disables the text form fields that contain PHP code, thereby mitigating the risk of CSRF and XSS security threats on websites that have the core PHP Filter module enabled.

On the same server as the Drupal multisite network was a WordPress marketing website. This in itself is not a problem. Exaltation of Larks’ position is that WordPress is great for simple websites and Drupal is great for complex systems and web applications. Having both on the same server created unnecessary security issues, however. The WordPress installation was technically able to overwrite anything on the Drupal side as well as access the Drupal database. We changed all MySQL usernames and passwords and locked down the file permissions so that the WordPress website could no longer be overwritten or be a risk to other software on the server, including Community Weaver.

Next, we worked with TimeBanks USA to develop the requirements for the next version of Community Weaver. The materials we developed included specifications for a fully featured mobile app, a business plan with financials and pitch deck, and more, and were designed to help TimeBanks USA secure additional funding. In the meantime, we trained a member of their community to maintain the software so they could further reduce their total cost of ownership.

Exaltation of Larks also provided TimeBanks USA with communications strategy consulting services. We performed a 360-degree organizational audit and came up with a more streamlined decision-making process. We created flowcharts of all the key players and stakeholders at TimeBanks USA and highlighted the points at which they had both strengths and weaknesses, and made recommendations where more efficiency was needed.

COMMUNITY INVOLVEMENT

Timebanking has evolved very differently in other parts of the world in ways that no one could have predicted. Nowhere is this emergent behavior more apparent than in highly populated cities, where the numbers, density, and different practices around timebanking create vastly different needs. One such advanced timebank is the Arroyo S.E.C.O. Time Bank in Los Angeles, which has thousands of members across dozens of separate neighborhoods. They needed several custom workflows implemented on their individual timebanking website to manage the scale that had resulted from their impressive growth. By its very nature, the timebank had no money for further development on their individual website.

Barnraisings are a concept taken from Amish culture, where the community comes together to build a barn for a newly married couple who wouldn’t be able to afford the time or expense of building a barn on their own. In the context of web development, barnraisings are like code sprints where the programming community gets together with a deserving nonprofit, and works with them to create or improve their software. For the development community, this is a teaching experience, and newer developers get to learn from seasoned veterans about client relationships, requirements gathering, project planning and the tools used for effective teamwork. The nonprofit brings food — usually excellent food — and everyone benefits.

Starting in April, 2012, the Larks partnered with Droplabs and arranged three separate barnraisings to build new features for the Arroyo S.E.C.O. Time Bank. Not only was a good time had by all, the team built functionality that the Larks turned into Features-based modules that could then be securely distributed to the other timebanks, to be turned on, or not, according to the wishes of each individual timebank coordinator. Features built included a custom registration workflow, neighborhood-specific blogs, and structured data types for content, among others.

PROJECT OUTCOME

Previous to Exaltation of Larks coming on board, TimeBanks USA had been working with a different development company. The Community Weaver software proved challenging to rework and over the 2 years we worked together we ensured that key security and performance problems with the software were resolved.

TimeBanks CEO Chris Gray says of the project: “Given the importance of the software for the mission and vision of TBUSA, and given how much we had to learn, this was a very intense experience for us.”

In addition, with the help of the volunteers at the barnraisings, we added several new features to the Community Weaver software, including a blog post content type and RSVP feature that integrates with the Signup module. These features directly benefit all the hundreds of TimeBanks chapters around the world that use the same Drupal distribution of Community Weaver.

All members of the Larks team, from the principals to the project leader to the programmers, demonstrated that they cared deeply about the quality of the work undertaken,” Chris Gray said. “[They] provided many hours of consultation to this endeavor. We are truly grateful for those contributions. Under challenging circumstances, they provided highly professional services to TBUSA. We greatly appreciate the professionalism of the Larks and the ongoing willingness to go above and beyond.”

Everybody Loves Friday5: The Crowdfunding Platform for Nonprofits

Friday5 Exaltation of Larks is proud to work with Friday5, a Los Angeles startup we think is worth paying attention to. Friday5 is an innovative crowd-funding platform that helps take the guesswork out of finding worthy causes and making tax-deductible donations.

Members who sign up at Friday5.org enter their credit card information, select the amount they want to donate to a nonprofit each week, and then receive a weekly email detailing which cause Friday5 has carefully curated for that week’s crowd-funded donation.

In short, Friday5 is helping change the world — one Friday at a time — and they’ve been praised in publications such as Forbes and PandoDaily.

Exaltation of Larks has worked with many nonprofits over the years but the opportunity to work together with Friday5 and support a new nonprofit each and every week was one we couldn’t pass up.

The role that we have with Friday5 is twofold: we provide the technical expertise and project management needed for Friday5’s online operations, and Christefano Reyes, an executive at Exaltation of Larks, serves on the Friday5 board and helps guide and advise the technical direction for the company. “Exaltation of Larks has a long history of working with both startups and with cause-based organizations,” Christefano said, “and our work with Friday5 has been a a great match for both companies.”

IDENTIFYING FRIDAY5’s NEEDS

Our collaboration with Friday5 began in 2013, when Friday5 founder Mike Berman found himself needing a team to help maintain Friday5.org, implement features requested by Friday5’s partners, and prepare for growth.

Friday5 home page

When Friday5’s lead developer left the company, Mike began looking for someone new. After a month of searching for a new team, he reached out to Ben Stewart at ShareMagnet, another Los Angeles startup that Exaltation of Larks has worked with and has a 1st-degree connection. “From day one, we’ve felt that we’ve been in great hands with Larks,” Mike says. “They quickly and accurately assessed our needs, and we’ve been more than impressed with their work.”

OUR SOLUTION

Friday5’s site hadn’t been updated for several months by the time Exaltation of Larks came on board. We performed our standard site audit and included a security review.

The results of our site audit identified several technical issues that needed to be addressed, from server maintenance and security issues to general bug fixes and ways to streamline and optimize the payment process. We also performed a business assessment and documented the platform and its systems and helped Friday5 plan for its next phase.

Recognizing the need to ensure that Friday5 had as seamless a transition to our services as possible, we worked with Friday5’s former lead developer over the course of several meetings to perform site discovery and produce all related documentation.

Managed Hosting
The payment gateway Friday5 uses, Network for Good, requires its customers’ servers to have a fixed IP address. This eliminates the option of using some grid and cloud hosting platforms. While the hosting costs at the time were higher than necessary, we advised against migrating to a new server environment. The transition cost of migrating to a new server or webhost were greater than the immediate short-term benefits.

Fortunately, their webhost changed its pricing options in April, 2014, and is now much more affordable. By using our server administration tools and our familiarity with the Friday5.org website and systems, we were able to build a completely new server infrastructure and fully migrate the Drupal site to it in less than 30 minutes.

As part of our managed hosting services, we provide Friday5 with rock solid backup and disaster recovery services. Systems we’ve implemented create backups of the database and codebase and these are regularly saved to a number of locations, including Amazon S3. Together with the documentation we’ve compiled for Friday5, we help ensure Friday5’s business continuity.

Network for Good
Network for Good is a specialty payment gateway set up to provide services to nonprofits. Exaltation of Larks maintains the Network for Good integration module that connect Drupal sites with Network for Good’s API, and has shared this module with the larger Drupal developer community. “We contributed this module during the code sprint at a Drupal Coworking Friday,” Christefano said. “These events combine mini code sprints and free coworking days and are a great way for us to mentor other Drupal developers.”

Friday5 mobile interface Data-Driven Development
When joining the project, we immediately documented Friday5’s systems and features that existed at that moment in time. This gave us a clear starting point for developing the product’s roadmap.

Our project planning for the next phase of feature development uses a data-driven approach. The features we’ve developed so far include better reporting tools to measure key indicators and enable business decisions on critical issues and opportunities. We’re expanding this to allow for more clarity in the day to day management of the organization, as well as insight for future planning.

Support and Maintenance
Exaltation of Larks performs ongoing maintenance and support for Friday5. These services give Friday5 the comprehensive coverage they need, from basic maintenance to emergency support. For example, the Friday5 website had an issue when the company was in the middle of an important business meeting. Friday5 used our emergency support system and the issue was resolved within the hour.

PROJECT OUTCOME

Exaltation of Larks has given Friday5 solid footing in the area it most needed it: technical leadership and support. We continue to act as a technical resource for Friday5, advising Mike and his team on the company’s infrastructure for growth. “With Larks,” Mike said, “we have instant access to great programmers, and we only pay for what we need. As we grow, we’ll need more development time and expertise — Larks has us completely covered.”

We are proud to see Friday5 succeeding in the market and see Friday5 as an important addition to the Los Angeles startup landscape — and also the national nonprofit landscape. Friday5 has proven to be a pioneer in crowd-funded charity giving. Indeed, about 6 months after Friday5 launched, Google effectively validated Friday5’s business model by introducing One Today, in which users donate $1 per cause per day using a system very similar to Friday5’s — including Network for Good integration.

Meet the Larks at DrupalCon Austin

Droplabs Exaltation of Larks is at DrupalCon Austin!

This is the Drupal community’s biggest conference for all things Drupal and it’s a great chance for you to meet all the Larks who are in attendance.

To set up a meeting with us, send us a message or mention @LarksLA on Twitter. We’d love to talk with you about Droplabs, the Drupal incubator we co-founded in Los Angeles in 2011, how it’s become the Top Drupal Location in the world, and how to start a Droplabs in your city.

Droplabs If you’re in the Los Angeles area and aren’t going to DrupalCon, you’re welcome to join Lee Vodra, one of the co-founders of both Exaltation of Larks and Droplabs, for a Droplabs Open House on Thursday, June 5th.

Droplabs will be announcing its Droplabs Academy and tuning in to the live stream of the DrupalCon Austin Closing Session. Drop by and meet some of the Larks who are in Southern California and say farewell to DrupalCon Austin and “hello!” to DrupalCon Amsterdam, DrupalCon Bogota, and the surprise location of DrupalCon North America 2015.

Prescribing Drupal: CMEDownload's Video-on-Demand Subscription Service for Continuing Medical Education

CMEDownload CMEDownload is a continuing medical education (CME) service that gives physicians and medical students access to a high-quality library of thousands of lectures in video and audio formats for computers and mobile devices. This video on demand (VOD) service contains thousands of lectures and hundreds of hours of continuing medical education.

The service is a good example of Drupal being used to power a MOOC, or massive open online course: it combines digital-age distance learning with unlimited participation and open access to educational materials. CMEDownload has since been joined by other MOOC services using Drupal, including edX.org.

Attending conferences can be tricky for busy medical professionals. CMEDownload partners with top-level national and international medical conferences so that physicians can view lectures without leaving their homes, jobs, or families. Customers who sign up for an all-access pass can stream or download any of the thousands of videos and also earn certificates in continuing medical education through watching these videos.

Exaltation of Larks has been working with CMEDownload since 2012. What started as a standard site audit — with a focus on improving website performance and fixing security issues — turned into a major refactoring project and infrastructure overhaul. With the results from our initial site audit, we have steadily improved the website in almost every way.

To this day, Exaltation of Larks continues to maintain and support the CMEDownload website. We are a fully-integrated, full-service design and engineering firm, and in the case of CMEDownload we have provided development, maintenance and support, infrastructure consulting and managed hosting services.

IDENTIFYING CMEDOWNLOAD’s NEEDS

Sujal Mandavia, CMEDownload’s CEO, is a sharp businessperson with a great product. He wanted to improve CMEDownload’s security and performance and he needed a sleeker, faster-moving way to present and organize the service’s video media, as well as improve the user experience of the customer-facing features.

As someone with development experience himself, Sujal knew he needed to find a team that was familiar with site architecture for media-heavy sites, and who understood how to organize, catalog, and serve up large amounts of video media. Sujal searched extensively for the right team to handle the upgrades he needed.

The Larks’ consistency was a plus,” Sujal says. “So was their level of experience.” Both companies have offices in Los Angeles — CMEDownload is an LA startup and Exaltation of Larks has a Los Angeles-based team — which made working together an easy decision.

OUR PROGNOSIS & SOLUTION

Code Audit and Refactoring
We began with a full infrastructure audit. This included a review of CMEDownload’s web hosting, which at the time of our audit was on a dedicated Xserve server. This server was occasionally crashing and we took emergency measures to improve data integrity in the event that the MySQL database server crashed. At the same time, our implementations significantly improved the database performance.

Understanding the way the original CMEDownload website was constructed required high technical expertise. Through our audit, we learned we would need to untangle some of the previous development work. We refactored large parts of the codebase to use high quality third-party modules that are available on Drupal.org to provide the same functionality, while performing a code audit of the 17 custom modules installed. (The previous vendor had developed significant parts of the Drupal codebase from scratch and in many cases had reinvented the wheel.)

Managed Hosting
CMEDownload is now hosted on Amazon Web Services (AWS). We’ve utilized AWS extensively to reduce CMEDownload’s web hosting costs by almost 50%. These changes include refactoring and optimization of the codebase and database, which have lowered both web hosting fees and ongoing maintenance costs.

We provide long-term support and maintenance services for CMEDownload. This includes ticket-based support, ongoing bug fixes, and working directly with CMEDownload’s staff. Through our support system, we provide CMEDownload with services for all of their hosting and infrastructure needs.

Performance and Scalability
We improved CMEDownload’s page load speeds through extensive database tuning and performed significant database maintenance tasks, including automated integrity checks and optimization of the database tables.

Modules we installed and configured included Varnish, Expires and Purge, and we added Views caching that was missing for nearly all the blocks and pages, including video queues, playlists, completed quizzes, etc.

We also implemented the CDN module for Drupal in order to use a content delivery network. With the CDN, CMEDownload is able to deliver the files in its enormous video library much more quickly and efficiently to its customers.

Security Improvements
One of the first things we worked on was improving security, fixing potential information disclosure vulnerabilities. Many pages and custom lists of information displayed by Views did not check for access control, which we promptly fixed.

As is standard with e-commerce sites we work on, we performed an e-commerce audit to ensure that customer data was protected. This was also one of the first projects where we enforced HSTS, or HTTP Strict Transport Security, a security implementation created in 2012.

HSTS is a powerful and relatively little-used method for increasing security and even improving usability by preventing mixed content warnings. We recommend using HSTS on all our projects that use SSL,” says Christefano Reyes, of Exaltation of Larks. “It’s been part of our standard security package for a while and we would love to see more websites using it.”

Subscription Issues
Customers are presented with an interface similar to Netflix: members have a queue to which they add videos they want to save for later viewing. We added functionality that allowed members to reorder their queue and delete videos from it. CMEDownload also uses the Drupal iTunes module to expose users’ playlists in iTunes.

CMEDownload queue

We fine-tuned custom modules that determined how a lecture or course was labeled and displayed to subscribers, and who had permission to view what content. We also worked on streamlining a method for offering discount codes. Many lectures and courses have attached quizzes, to test subscribers on the material before they can gain a certificate of completion. We worked on CMEDownload’s custom modules to simplify the process of displaying these quizzes to viewers.

CMEDownload also keeps track of who has watched which videos, and issues the corresponding continuing education credits and certifications. CMEDownload uses custom code and scripts to calculate these credits and display them. These proprietary methods enable CMEDownload to track the views of individual members.

Exaltation of Larks is an Authorize.Net development partner and we implemented their service with Drupal to better manage CMEDownload’s subscription information.

Another customer-facing change we implemented was a switch from FlowPlayer to JWPlayer for streaming video. We chose JWPlayer because support for JWPlayer is very good and the player does most of the work: it can play HTML and Flash files in one instance, whereas with FlowPlayer it’s necessary to switch between two types to play HTML or Flash. CMEDownload and their customers are happy with the results.

GIVING CMEDOWNLOAD A CLEAN BILL OF HEALTH

Our customer is very satisfied. Sujal’s only complaint was that he wished Exaltation of Larks had been on the project from day one. “I think companies like Larks have made it easier for folks to access the power and community of open source without being experts themselves,” Sujal says.

Sujal believes the Los Angeles startup scene has changed for the better in recent years. He recognized the need for a CME product and he filled that need, but the startup community was smaller and technical resources were harder to find at the time CMEDownload was founded. Open source software was available but only easily utilized by developers and hardcore aficionados.

Here at Exaltation of Larks, we’re extremely happy to have helped CMEDownload with their success. We are currently working with CMEDownload on upgrading from Drupal 6 to 7, which will make feature development considerably faster and further reduce support and maintenance costs.

Using HSTS for Better Security — and a Better Developer Experience

You’ve probably come across this situation before. When visiting a certain site, you see a browser warning that the website is using mixed content — both HTTP and HTTPS together.

Avoiding mixed content is nothing new to some web developers, but read on if you’re looking for a quick fix to prevent both mixed content warnings and CSRF attacks, which are the underlying reason why browsers have those warnings in the first place.

Introducing HSTS

HSTS, or HTTP Strict Transport Security, is a security implementation that was created in 2012. It’s been part of our standard security package for a while and we would love to see more websites using it.

Startups Begin Here: Our Work with Tech Coast Angels

Tech Coast Angels Tech Coast Angels (TCA) is the largest angel investment organization in the United States. With over 300 members throughout Southern California, Tech Coast Angel’s members have invested over $120 million in over 200 startup companies since their inception in 1997.

Since 2013, Exaltation of Larks has been working with Tech Coast Angels with their online systems, including an extensive Drupal web application that their members use as a deal flow tracker and document management system. Services we’ve provided include support, maintenance, security improvements, performance optimization, and mobile integration.

The website that Tech Coast Angels uses allows its members to view startup companies’ applications for funding, discuss each company’s application and collaborate with one another in researching each company, which then helps them make individual decisions on funding.

IDENTIFYING TECH COAST ANGELS’ NEEDS

Mike Panesis, Chairman of Tech Coast Angels’ Board of Governors, says of the collaboration, “Tech Coast Angels engaged Exaltation of Larks to perform a security audit on our web site. Exaltation of Larks did a comprehensive analysis, compiled a task list with time estimates and risk assessments, and made recommendations for proceeding.”

Exaltation of Larks began this project with a site audit to evaluate the quality and maintainability of the existing Drupal web application and server environment, with a focus on performance optimization and general best practices.

During the site audit, we found Drupal and several contributed modules had been modified from their original versions, which made feature development and regular maintenance such as updates much more complicated. Many of the modules were out of date and required security updates, and several modules were development versions, which made it difficult to determine whether they needed updating, and if so what version to update them to.

With a go-ahead from Tech Coast Angels, we then performed a more in-depth review, which unearthed further security and server memory issues. We documented them and helped Tech Coast Angels prioritize which ones to tackle first.

Tech Coast Angels also enlisted Exaltation of Larks to help them create an iPhone app. This presented an interesting challenge: Tech Coast Angels’ website used Drupal 6, but the Services module, which provides key data in a format that a smartphone app could read, had been discontinued since its authors and maintainers focused their efforts on versions for Drupal 7 and Drupal 8.

OUR SOLUTION

First, we brought the modified codebase that had outdated versions — and unversioned development releases — back into mainstream Drupal core and contrib releases.

Next, we worked on the security and server memory issues. There were two types of improvements needed: quick fixes and larger upgrades. Quick fixes included enabling Views caching and turning off unneeded modules on the production server. Among these modules were Locale, Devel, and String Overrides.

Many of the upgrades had to do with memory usage and resource management. We migrated the website to a current LAMP environment, which included upgrading MySQL from 5.1 to 5.5, which has many performance and memory management improvements. We adjusted many MySQL cache parameters to improve performance and reconfigured both MySQL and Apache to dramatically reduce memory usage, including configuring Apache to use 25 modules, rather than the 57 that the legacy server had been using.

All web hosting is provided by Amazon Web Services (AWS), for which Exaltation of Larks is a delivery partner. Even though we stayed with the same size AWS instance, we configured the production server to be more efficient using the same hardware resources, so there was plenty of memory capacity in case of traffic spikes. We rebuilt the new AWS server for optimized IO operations per second, which added moderate extra costs, but substantially reduced overall system latency. These extra costs were easily offset by purchasing a heavy utilization reserved instance.

Further configuration improvements allowed us to reduce the memory usage of the staging server so it could run on a smaller, more lower cost instance. The production site went from allocating almost all its memory on the original instance to performing better than the legacy site on a smaller instance.

Security upgrades included configuring Apache to not have write access to Drupal’s PHP files, an important security improvement; adding SSL and making it mandatory for all connections; implementing a backup strategy that moves backups to Amazon S3; and using MySQL accounts with the least necessary privileges for accessing MySQL databases.

Finally, we decided to backport the Drupal 7 security fixes and new REST server features in the Services module to the Drupal 6 version. Working with Tech Coast Angels’ mobile application developer team, we used this backported version of Services to create an API that exposed the appropriate data to their iPhone app. We plan is to make the Drupal 6 version of Services available to the larger Drupal community.

PROJECT OUTCOME

We have been very happy with the Larks’ performance,” Panesis says. “They are truly Drupal experts, conduct themselves in a professional manner, and treat our website as if it was their own.”

In the future, Exaltation of Larks and Tech Coast Angels plan to work together on a site redesign and an upgrade to Drupal 7. We continue to work with Tech Coast Angels on ongoing feature development and provide support and maintenance services.

Meet the Larks at DrupalCon Portland

Exaltation of Larks will be at DrupalCon Portland next week and we’d like to share some of our DrupalCon plans.

To summarize, we’re excited to announce that we’re co-training on Drupal Commerce with Commerce Guys; we’re continuing the conversation we started last month about Long Term Support for Drupal 6; and we have a quick list of Drupal Fit activities that are happening before and during the conference.

Interested? Read on.

Drupal Commerce Training

One of our core philosophies is that high-quality trainings are one of the very best ways to help Drupal and the Drupal developer community grow, and we’ve been working closely with Commerce Guys for the DrupalCon training, Launching an Online Store with Commerce Kickstart, on Monday, May 20th.

Our joint curriculum is based on the 7.x-2.7 version of Commerce Kickstart, which was just released yesterday. The attendees of this training are really in for a treat and this is a Commerce training that’s not to be missed.

Drupal Commerce Meetups Every Month

This is a good time as any to let everyone know that we’re proud sponsors of the Drupal Commerce Meetup, which meets in Los Angeles on the 4th Tuesday of each month.

Not in Los Angeles? Not to worry, these meetups are also being broadcast online for everyone to tune in for and enjoy. The next meetup is after DrupalCon on Tuesday, May 28th, so be sure to sign up over at Drupal Groups to hear what the next meetup is about.

These meetups are recorded and the video from last month’s meetup is available online. The video features a presentation by Ryan Szrama on Relify and personalized product recommendations. Relify neatly narrows the gap between Drupal Commerce and recommendation systems, like Amazon’s “you may also like” suggestions.

Long Term Support (LTS) for Drupal

We’re hosting a BoF (birds of a feather) discussion on long-term Drupal support (particularly for Drupal 6 sites when Drupal 8 comes out and bug fixes and security releases for Drupal 6 are discontinued).

Long Term Support is a topic that is near and dear to us and a number of our clients and this BoF is a followup to our earlier post, Drupal 6 End of Life When Drupal 8 is Released… Or Not.

We’re preparing an “LTS” version of Drupal 6 and have a lot more planned, so stay tuned to the DrupalCon BoF schedule and @LarksLA on Twitter for news of when this BoF gets scheduled.

Drupal Fit

Finally, if you haven’t heard of Drupal Fit, it’s a group of nearly 200 Drupaleros who are dedicated to fitness is one form or another (mental, physical, etc.) and to sharing their experiences with other Drupal community members.

Here’s a summary of some of the Drupal Fit activities at DrupalCon Portland.

Are there any other Drupal Fit activities not mentioned here? Send @DrupalFit a shout out on Twitter.

Drupal 6 end of life when Drupal 8 is released… or not?

At the Boston Drupal meetup that was at Acquia this month, several presentations were focused on “what’s new in Drupal 8” from the view of several people who now work at Acquia. I loved it. There were other presentations, as well (including one of my own!), and I really enjoyed seeing the Boston Drupal group again after many months.

During the questions and answers part of the meetup, I asked Dries if he was considering naming a security maintainer for Drupal 6 when Drupal 8 is released. (In case you didn’t know, support for Drupal 6 will be discontinued by the Drupal core and security teams. See the handbook page on backwards compatibility at https://drupal.org/node/65922 for more, including Dries’ original statement on the subject in 2006.)

Sponsoring, Pre-Camp Training and More at DrupalCamp LA 2012

We’re happy to announce that Exaltation of Larks is sponsoring, co-organizing and offering pre-camp training at DrupalCamp LA this July 27-29th. We hope that you join us!

Pre-Camp Training

The class that we’re offering is all about Drupal Best Practices, and it’s being offered together with Chapter Three on July 27th at 60% off our usual price. This is one of our most popular classes and is one of our favorites, too.

If you’ve taken one of our previous paid classes, you can use coupon code ALUMNI to get an additional 10% off! (In order to use this code, you’ll need to be logged in with your existing account at https://www.larks.la/training)

You don’t need to be registered for DrupalCamp LA to take our class, but why not sign up at http://2012.drupalcampla.com/user/register today? This gives the conference organizers an accurate headcount, and makes it easy for you to pick out your sessions and add your comments to the session proposals.

Presenting at DrupalCamp LA

Speaking of sessions, all of our session proposals were accepted this year and here’s what we’re presenting:

We’ll also be leading BoF (birds of a feather) sessions on coworking and timebanking, which are two topics we’re eager to share and hear from others about.

Meanwhile, several of our partners, including Chapter Three, Acquia and Build a Module, are also represented at DrupalCamp LA this year:

Upcoming Classes in and Around Los Angeles

Can’t make it to DrupalCamp LA? We have several upcoming trainings that we’ve scheduled throughout the Summer and into the Fall, from introductory Drupal Site Building and Layout and Theming to Module Development and Web Services and APIs.

Syndicate content