Drupal GovCon 2024: Securing The Government's Open-Source Web Applications
Outside of Washington D.C. is College Park, Maryland, famously home of the University of Maryland. The school mascot, Testudo, a diamondback terrapin, was chosen because this particular type of turtle is native to the Chesapeake Bay region. They stand out as being rather resilient creatures that can survive in both fresh and saltwater conditions, preferring the intersection of the two. In the same spirit of thriving in intersecting worlds, the Drupal community and US government agencies came together to help empower the future of open source at Drupal GovCon 2024.
Over 750 attendees gathered for three days filled with 62 sessions, nine workshops, and countless community conversations. The theme of Drupal GovCon is empowering government agencies to leverage Drupal's capabilities effectively. Drupal is the CMS powering 55% of US Government websites. A politician once described it as "both free, as in 'free beer,' without a price; it is also free, as in freedom, as an open-source, community-run project."
Drupal also has a reputation for being extremely secure. The Drupal security team publishes frequent advisories with actionable guidance. For example, most Drupal sites could be patched just a few hours after Heartbleed, the OpenSSL vulnerability that shook the internet, was disclosed. Note that Heartbleed was a bug in the server's TLS library, not in Drupal itself, so that speed came from the hosting layer; it is one reason a good hosting partner matters as much as the application. As long as you obey the law of "never hack core!" (apply releases rather than editing core files by hand, since hand-patched core cannot take security updates cleanly) and are on a good hosting partner, Drupal is one of the safest ways to run a large-scale web application, because security is at the heart of the project.
Here are just a few of the amazing security updates the Drupal community shared at Drupal GovCon.
Cooperatively edit content across the web securely
One of the largest challenges faced by any team of content creators is the editorial process. Teams must decide on a system of record and on an easy way to safely and securely grant access to only the right people. Add the limitations on which SaaS tools you can use in a governmental setting, and the problem becomes stickier than you might first have thought. This was the motivating factor behind the work of Ken Rickard, Sr. Director of Consulting at Palantir.net, who revealed the status of his project in his talk "Collaborative Editing in Drupal Core."
Thanks to the work of Ken and his team, there is a free and open-source Drupal module, Edit Together. It shares edits peer to peer between the browsers working on a page, so document content is never stored outside Drupal itself, where it safely belongs. The only external service needed is a signaling server, whose job is to let the peers on a Drupal page discover each other and negotiate a direct connection; it relays connection metadata, not the content being edited, and once the peers are connected, changes flow directly between them and are saved back to Drupal. A practitioner should still note what the signaling server does see: which clients are collaborating on which page, and their network addresses. Running it inside your own boundary rather than as a third-party service keeps even that metadata at home, and Drupal's own permissions continue to decide who may open the editor in the first place.
An issue with most cooperative collaboration tools is the need to store a copy of the content in a centralized, usually third-party, service. That introduces an additional security risk: the service becomes a second system of record, and access to it might grant further access to connected systems. Beyond the cost of running such services, many government agencies must follow FedRAMP or similar technical standards, under which every external service that holds agency data has to be authorized. The lack of external data storage is key here: the peer-to-peer approach introduces no new place where content sits at rest outside Drupal, and therefore no new path to get at it.
Free tools to navigate the world of Risk Management Framework compliance
In his talk, "Using Open Source Tools During the RMF Process," Ben Hosmer, DevSecOps Lead at DevOps Office Hours, walked us through some of the challenges the federal government faces when implementing the NIST Risk Management Framework (RMF). He started with an overview of the landscape of possible ways to approach the RMF, which can get confusing, as there are so many publications and standards, with more always being developed.
The NIST RMF (SP 800-37 Rev. 2) lays out a seven-step process for applying NIST's security and privacy controls to any given federal system:
- Prepare - the essential activities that ready the organization to manage security and privacy risk.
- Categorize - the system and the information it processes, stores, and transmits, based on an impact analysis.
- Select - the set of NIST SP 800-53 controls to protect the system, based on risk assessment(s).
- Implement - the controls, and document how they are deployed.
- Assess - whether the controls are in place, operating as intended, and producing the desired results.
- Authorize - a senior official makes a risk-based decision to authorize the system to operate.
- Monitor - continuously monitor control implementation and the risks to the system.
Ben introduced us to OpenSCAP, an open-source collection of tools that implement the Security Content Automation Protocol (SCAP), the NIST specification for expressing security checks and configuration baselines in standardized formats (XCCDF checklists and OVAL checks, among others). With OpenSCAP, agencies can pick the profile that matches their control selection, tune it for their particular needs, scan systems against it, and report on how the controls are implemented and upheld, which maps directly onto the Assess and Monitor steps.
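As an added example, not code from Ben's talk or from the OpenSCAP project, the script below wraps the standard `oscap` command line in a small Assess/Monitor loop: inspect the datastream to pick a profile, evaluate the host, tally the results, list the failing rules with their severity, and generate a remediation script for review. The datastream path and profile id are assumptions for a RHEL 9 host with scap-security-guide installed; the results fragment written by `scap_write_sample` is constructed so the summary functions can be tried without an OpenSCAP install.

```shell
#!/usr/bin/env bash
# Added example for this write-up, not code from the talk or from OpenSCAP.
# Assumptions (not from the page): the datastream path and profile id are the
# ones scap-security-guide installs on RHEL 9; change both for your platform.
set -eu

DATASTREAM="${DATASTREAM:-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml}"
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_ospp}"
RESULTS="${RESULTS:-results.xml}"

# Show what the datastream contains, including the profiles (baselines) you
# can choose from; pick the one that matches your SP 800-53 control selection.
scap_info() {
    oscap info "$DATASTREAM"
}

# Evaluate this host against the profile (RMF Assess / Monitor). oscap exits
# 2 when at least one rule fails; that is a finding, not a tool error, so it
# is let through while a real error (exit 1) still stops the script.
scap_evaluate() {
    oscap xccdf eval \
        --profile "$PROFILE" \
        --results "$RESULTS" \
        --report report.html \
        "$DATASTREAM" || [ "$?" -eq 2 ]
}

# Turn the failed rules into a bash remediation script. Read it before you
# run it: remediations change services, mounts and kernel settings.
scap_generate_fix() {
    oscap xccdf generate fix --fix-type bash --output remediate.sh "$RESULTS"
}

# Count rule results with a given verdict (pass, fail, notapplicable, ...).
# In oscap output each <result> element sits on its own line.
scap_count() {   # scap_count RESULTS_FILE VERDICT
    grep -c "<result>$2</result>" "$1" || true
}

# Print "severity rule-id" for every failed rule. The rule id is the idref=
# attribute of the enclosing <rule-result>; severity is optional in XCCDF.
scap_failed_rules() {   # scap_failed_rules RESULTS_FILE
    awk '
        index($0, "<rule-result ") {
            id = "?"; sev = "unknown"
            if (match($0, /idref="[^"]+"/))    id  = substr($0, RSTART + 7,  RLENGTH - 8)
            if (match($0, /severity="[^"]+"/)) sev = substr($0, RSTART + 10, RLENGTH - 11)
        }
        index($0, "<result>fail</result>") { print sev, id }
    ' "$1"
}

# Constructed sample (two rules) in the shape of an oscap results file, so the
# summary functions can be exercised without an OpenSCAP install.
scap_write_sample() {   # scap_write_sample OUT_FILE
    cat > "$1" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_sample">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sample_pass" role="full" severity="low">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sample_fail" role="full" severity="medium">
    <result>fail</result>
  </rule-result>
</TestResult>
EOF
}

case "${1:-}" in
    --scan) scap_evaluate; scap_generate_fix ;;
    --demo) scap_write_sample sample-results.xml
            echo "fail: $(scap_count sample-results.xml fail)  pass: $(scap_count sample-results.xml pass)"
            scap_failed_rules sample-results.xml ;;
esac
```

Run it with `--demo` to exercise the summary on the constructed sample, or with `--scan` on a host that has `oscap` installed. Re-running `--scan` on a schedule and diffing the failed-rule list between runs is the cheapest form of the Monitor step; the report.html that oscap writes alongside is what assessors usually want to see.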
Ben closed out his session by reminding us that it is never too late to get started with security. Security does not have an end date! Any effort we make to secure our work is worthwhile, and thanks to OpenSCAP that effort is less than you might think.
The benefits of static websites go beyond security
In her insightful talk "Secure, Performant, Scalable, and Green: The big wins of a static Drupal website," Kristen Pol, co-founder at QuantCDN, walked us through the various ways you can deploy static versions of a website.
Since there is no database or application runtime behind a static website, there is nothing for an attacker to reach beyond content that is already public: no SQL injection, no server-side code execution, no admin login on the public host. An attacker could still disrupt service with a DDoS attack or take down the servers hosting the files, but cannot alter the content or inject malware through the site itself. The attack surface does not disappear, it moves: the Drupal authoring instance (ideally not reachable from the internet), the build pipeline, and the CDN account that publishes the files still need protecting, because whoever controls them controls what gets published. Since the content is static, simple hosting is good enough for most sites, especially when a Content Delivery Network (CDN) caches the site close to the user, and static hosting takes far less power to operate.
Kristen explained that you can still build and manage your site in Drupal and deploy only the final public-facing site as static files. Several free and open-source static site generators work with Drupal, including Next.js, Nuxt, and Gatsby (which typically pull content over Drupal's JSON:API) and Tome, which is itself a Drupal module. If users need to log in, for a use case like e-commerce, a static site can still serve them through forms and JavaScript that talk to a separate API, an approach the Jamstack movement has made commonplace. The caveat is that whatever sits behind that API is dynamic again and needs the same hardening you would give a Drupal site.
Building Open Source For Better Government
Other talks focused on security in Drupal itself and on safely deploying and operating the applications. Your author was able to share a talk on Infrastructure as Code (IaC) security. Drupal has come a long way recently, and with all the excitement surrounding the Drupal Starshot Initiative, the future is looking pretty bright for free and open software.
Drupal has a motto, "come for the code, stay for the community." All the attendees felt this truth very strongly. Some have been in the community for years, since Drupal's earliest days, and some were brand new to the space. Everyone was made to feel welcome, and the conversations that flowed were some of the best. It was a truly great experience to work to keep the next generation of US government web applications open, free, and secure.
GitGuardian is helping teams solve security challenges faced by public sector agencies around the world. Learn more about how GitGuardian is enterprise-ready and committed to the public sector.