last person joined: 10 days ago 

If you work in an organization using Drupal, or you work with nonprofits using Drupal, this is the group for you. If you work in a nonprofit using Drupal, or you work with nonprofits using Drupal, this is the group for you! Stuck on something? Have a question? Drupal experts are on hand to answer questions! You don't need to be a member of NTEN to participate in the monthly calls — feel free to invite colleagues and spread the word.

looking for advice: how to securely work with contractor

  • 1.  looking for advice: how to securely work with contractor

    Posted Apr 18, 2018 11:21
    We're looking for technical help with a secure communications platform we manage that needs some urgent bug fixing and other work. I'm reviewing submissions from several excellent contractors, but want to make sure that they can work on the platform at minimum security risk to existing users and their data.
    I am assuming that we will anyway first need to create a development clone of the platform with a clean database, and work from there. Our contractor will still need to create that copy.

    Any thoughts on how to proceed? Looking for guidance as to how to hire and how to set up the work environment. For example, any benefit to having someone work on site vs remote?


    Oren Levine
    Director of Innovation
    International Center For Journalists
    Washington, DC
    olevine@icfj.org - http://www.icfj.org
    Tech Accelerate

  • 2.  RE: looking for advice: how to securely work with contractor

    Posted Apr 18, 2018 11:44

    A good development workflow should include a few things to address such issues:

    - A hosted, version controlled repository of the codebase of the project that contains no sensitive information (including database connection information).

    - either a sample database or installation profile with sample (non-sensitive data) with which a developer can effectively work with to replicate a live site and it's functionality; OR a script which cleans a live database of sensitive information and turns of live-site-only features such a transactional emails and logging, etc.

    - a both contractual and established trust that sensitive data will be handled (and eventually destroyed) with integrity and care.

    Of course, this is very general and depends on your risk tolerance (or legal tolerance in the case of something like GDPR). For instance, if you cannot tolerate any transfer of sensitive information, the "sample" database would be a requirement. In my opinion, remote vs. local carries the same responsibilities.


    Tech Accelerate

  • 3.  RE: looking for advice: how to securely work with contractor

    Posted Apr 23, 2018 15:37
    Hosting providers such as Pantheon and Platform.sh allow admins to setup dedicated development environments which map one-to-one to a Git branch. Users can be given access to only these environments/git branches.


    Stephen Musgrave
    Capellic LLC

    New York / New Jersey / San Diego / Los Angeles

    This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.

    Capellic, 1806 Hummock Lane, Encinitas, CA  92024

    Tech Accelerate

  • 4.  RE: looking for advice: how to securely work with contractor

    Posted Apr 24, 2018 00:49
    Stephen unfortunately that is not correct. Developers can be given a developer role which allow for them to access the Dev environment and any multi-devs (environments created from branches) you are limited to how many you can create though (currently 10).

    Sean Dietrich
    Kanopi Studios

    Tech Accelerate

  • 5.  RE: looking for advice: how to securely work with contractor

    Posted Apr 24, 2018 00:56
    I will agree that usually working on Pantheon has proven to be the best method. Additionally, the Pull Request method on GitHub has also been beneficial in the case that you restriction what people or what groups can merge code in.

    I vouch for Pantheon because it has truly helped me previously when I was working with a group of oversea contractors. We only gave them the Developer role and therefore they could only interact with the multi-devs (git branch based environmense). They could never push code up to the stage or production sites.

    Sean Dietrich
    Kanopi Studios

    Tech Accelerate

  • 6.  RE: looking for advice: how to securely work with contractor

    Posted Apr 24, 2018 08:47
    Thanks for the correction about Pantheon, Sean. And the work around. That's typically what we do (but we use BitBucket). Using BitBucket or Github as a part of the process has the added benefit of being able to more easily do code reviews, and make comments/ask questions on specific aspects of the code.

    Here's more information about Platform.sh's implementation of environment permissions.


    Stephen Musgrave
    Capellic, LLC
    Jersey City, NJ

    Tech Accelerate

  • 7.  RE: looking for advice: how to securely work with contractor

    Posted Jun 19, 2018 23:16
    If you need to restrict access to PII (personally identifiable information) then you may need to set up a workflow that sanitizes your database so user emails and passwords aren't available to the contractor.

    You can set up a quicksilver operation to sanitize on clone like so:
    but the contractor will still have access to the data via site backups.

    You can optionally create a fresh instance that only contains a sanitized database for them to work. You can automate the database syncing and sanitization of the database from your LIVE environment to the clone, or do it manually as needed.

    Ask your contractor for evidence of their Cyberliability insurance policy. If they do not, they likely aren't concerned enough about security to consider working with.

    Andrew Mallis
    CEO & founder @ www.kalamuna.com
    Oakland, CA

    linkedin: https://www.linkedin.com/in/andrewmallis
    schedule a chat: https://calendly.com/mallis

    Tech Accelerate

  • 8.  RE: looking for advice: how to securely work with contractor

    Posted Jun 20, 2018 13:33

    Additionally, there are some tools that can assist with the Database cleanup. I've used Mass Password Reset https://www.drupal.org/project/mass_pwreset several times. You'll need to install and run it on a copy of the site that needs to be scrubbed. It can give some quirky error messages when resetting user #1 but otherwise, works well.


    Alternatively, Acquia's Cloud-Hooks repository has a script that may be useful. However, you'd need to figure out how to integrate it into your workflow. https://github.com/acquia/cloud-hooks/blob/master/samples/db-scrub.sh


    Pierre G. Berryer

    Beaconfire RED

    2300 Clarendon Blvd., Suite 925

    Arlington, VA 22201




    Tech Accelerate

  • 9.  RE: looking for advice: how to securely work with contractor

    Posted Jun 21, 2018 09:49

    On this topic, here are a few tools that may help with cleaning out your user data. I haven't used these myself. Generally the approach would be to create a copy of your site, then apply these tools. DO NOT run them on your live site!


    Drush comes built-in with several commands of this nature. Try the site below and do a search for "sanitize". The descriptions don't seem to be to useful but the commands sound promising.



    The Scrambler module, which has quite low usage but might be a good fit (if it works, etc):



    The Sanitize Framework module looks like a bit of a "use it at your own risk" situation:






    Martin Hansen
    Team Lead, Web Services
    519.725.7875 x2120 | 888.817.3048


    PeaceWorks™ Technology Solutions
    101 - 554 Parkside Drive,
    Waterloo ON  N2L 5Z4


    Mission driven technology solutions





    This communication is intended for only the party to whom it is addressed and may contain information that is privileged or confidential. Any other distribution, copying or disclosure is strictly prohibited and is not a waiver of privilege or confidentiality. If you have received this telecommunication in error, please notify the sender immediately by return email and delete this message from your computer.

    Please note: If you do not wish to receive promotional emails from us, please reply to this message indicating your preference and we will refrain from sending further promotional emails.


    Tech Accelerate