greggles

MariaDB [carddev]> create table contribdevs (username varchar(32), active int(10));
Query OK, 0 rows affected (0.01 sec)

MariaDB [carddev]> create table coredevs (username varchar(32), active int(10));
Query OK, 0 rows affected (0.01 sec)

MariaDB [carddev]> insert into coredevs values ('natrak', 0), ('webchick', 1), ('xjm', 1), ('davereid', 1), ('msonnabaum', 1);
Query OK, 5 rows affected (0.00 sec)
Records: 5  Duplicates: 0  Warnings: 0

greggles

 159 10.208.128.58
 107 10.208.129.74
 107 10.208.128.193
  89 10.177.134.227
  82 10.208.128.192

greggles

  14 54.227.155.135
   9 54.87.239.38
   6 54.90.130.225
   6 54.80.246.205
   4 54.87.67.141
   2 54.242.142.34
   2 54.234.19.252

greggles

#!/bin/bash
# Bring out the noise.
set -ux

# Look for modified features.
MODIFIED_FEATURES=`drush @drush.alias fl | grep -Eio "[a-z].*enabled.*7\..*overridden"`

if [ -z "$MODIFIED_FEATURES" ]
then
  # If they are not modified, you can do stuff here.

greggles

This module allows Drupal to store, process, and/or transmit cardholder data to a payment gateway/processor. Therefore, enabling this module requires the site to comply with <em><a href="https://www.pcisecuritystandards.org/security_standards/index.php">PCI-DSS</a><em>.

greggles

Feature: Anything is possible
  In order to do anything at zombocom
  As someone who has not yet attained the unknown
  I need to be able to zombocom

  @know
  Scenario: Know the unattainable
    Given I go to "http://www.zombo.com/"
    Then the response should contain "embed src=\"inrozxa.swf\""

greggles

drush -r /var/www/security.drupal.org/htdocs sqlq "select 'unassigned issues: ', count(1) from project_issues p INNER JOIN project_issue_state pis ON p.sid = pis.sid where assigned = 0 and  pis.default_query = 1;"
drush -r /var/www/security.drupal.org/htdocs sqlq "select 'issues younger than a year: ', count(1) from project_issues p INNER JOIN project_issue_state pis ON p.sid = pis.sid INNER JOIN node n on p.nid = n.nid where pis.default_query = 1 and n.created > unix_timestamp() - 60*60*24*365;"
drush -r /var/www/security.drupal.org/htdocs sqlq "SELECT 'average cycle time: ', SUM(CASE pis.default_query WHEN 1 THEN unix_timestamp() WHEN 0 THEN n.changed END - n.created) / (COUNT(1) * 60*60*24) AS duration2 FROM project_issues p INNER JOIN node n ON n.nid = p.nid INNER JOIN project_issue_state pis ON p.sid = pis.sid WHERE n.status = 1 AND p.sid > 1 AND p.pid NOT IN (77, 738) ORDER BY n.created desc;"

greggles

* Limit exposure
* Defense in depth


1. Recognizing issues
2. 


3. Modules, Themes, Custom code
 1. Only use what you need

greggles

<html>
<head>
<title>Do you like interstitials for no reason? I do.</title>
</head>
<body>
<img src="http://www.united.com/travel/checkin/img/waitspinner.gif">
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="//download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,0,0" width="647" height="430" id="FrontierInterstitial" align="middle">
      <param name="allowScriptAccess" value="sameDomain" />
      <param name="allowFullScreen" value="false" />
      <param name="movie" value="FrontierInterstitial.swf" />

greggles

<?php

// Query code from http://drupalcode.org/project/project.git/blob/refs/heads/7.x-2.x:/usage/includes/pages.inc#l76

  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.nid', $usage_week_nids, 'IN')
    ->condition('n.status', NODE_PUBLISHED)
    ->groupBy('n.nid')
    ->groupBy('n.title')