# 2025 Guide to Drupal Security and Maintenance, on Acquia

## 1. What Acquia Secures for You

- **Hosting & Network**

  - Server patching and hardening
  - WAF, CDN, and DDoS protection (Akamai)
  - Daily backups and disaster recovery
- **Compliance**

  - SOC 2, ISO 27001, HIPAA (Shield), FedRAMP
- **Drupal Tools**

  - Acquia Security Scanner (misconfiguration checks)
  - Acquia Insight (health and update status)

Acquia handles the **platform**: the operating system, the network edge and the backups. Drupal core, contrib modules, custom code and site configuration are the **application**, and that is where our team's responsibility starts; platform patching does not touch a single Drupal release.

## 2. What a Great Dev Team Delivers

### Security

- **Dependency Checks**: Snyk and Dependabot for published advisories against `composer.lock`; drupal-check for deprecated API use, so core upgrades are not blocked by custom code
- **Code Quality**: PHPStan (with Drupal extensions)
- **Dynamic Testing**: OWASP ZAP (automated baseline scan against staging), Burp Suite (manual pen testing of authenticated paths the scanner never reaches)
- **Hardening**: Role/permission audits (no `administer`-level permissions on editor roles), MFA/SSO enforcement, Security Review module

### Maintenance

- **Patch Management**:

  - Weekly review of core & contrib updates, scheduled after the Wednesday window in which Drupal security releases are published
  - Apply security updates within 24–48 hours of the advisory; non-security updates wait for the normal release cycle
- **Configuration Management**:

  - Use Config Split so environment-specific config (dev modules, verbose error output, stage_file_proxy) lives in a dev-only split and never lands in the production config set; use Config Ignore for config that editors own in production (site name, contact details) so `drush cim` does not overwrite it
- **Performance Care**:

  - Database optimization, caching checks, frontend audits
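The Dependency Checks item under Security and the Patch Management cadence above meet in one CI gate. The script below is an added example, not Acquia's or the project's own code: it runs `composer audit` (Composer 2.4+) and `drush pm:security` (Drush 10+) and fails the build when either reports an unpatched advisory, so the 24–48 hour clock starts from a red build rather than from someone noticing. `SAMPLE_AUDIT` is a constructed stand-in for `composer audit --format=json` output, not a real advisory; the script name, the `--demo` switch and the assumption that `drush pm:security` exits non-zero when it lists a package are mine (confirm the exit status with your Drush version).

```sh
#!/bin/sh
# security-updates-gate.sh: added example, not Acquia's or the project's own
# code. Run on every CI build and from a weekly cron. Exits non-zero when
# composer.lock contains a package with a published advisory or Drupal has an
# unapplied security release. Assumes Composer >= 2.4 (composer audit) and
# Drush >= 10 (pm:security) on PATH, and the site root as the first argument.
set -eu

# Constructed sample of `composer audit --format=json` output, used by --demo;
# not a real package or advisory.
SAMPLE_AUDIT='{
    "advisories": {
        "vendor/example-lib": [
            {
                "advisoryId": "PKSA-0000-0000-0000",
                "packageName": "vendor/example-lib",
                "affectedVersions": "<1.2.3",
                "title": "Constructed sample advisory with a CVE",
                "cve": "CVE-0000-0001",
                "link": "https://example.invalid/advisory/1",
                "reportedAt": "2025-01-01T00:00:00+00:00",
                "severity": "high"
            },
            {
                "advisoryId": "PKSA-1111-1111-1111",
                "packageName": "vendor/example-lib",
                "affectedVersions": ">=2.0,<2.0.4",
                "title": "Constructed sample advisory without a CVE",
                "cve": null,
                "link": "https://example.invalid/advisory/2",
                "reportedAt": "2025-02-01T00:00:00+00:00",
                "severity": "medium"
            }
        ]
    }
}'

# Print the string values of one key from pretty-printed JSON, one per line.
# sed only, so the build host needs no jq; not a general JSON parser.
json_values() {
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

advisory_ids() { printf '%s\n' "$1" | json_values advisoryId; }

# "cve": null has no quoted value, so json_values skips it and only real CVE
# IDs come out.
cve_ids() { printf '%s\n' "$1" | json_values cve | grep '^CVE-' || true; }

advisory_count() { advisory_ids "$1" | grep -c . || true; }

run_gate() {
  status=0

  # 1. Composer's view: every package in composer.lock, checked against the
  #    advisory feeds of its repositories. --no-dev because require-dev never
  #    ships to Acquia. Non-zero exit means at least one advisory matched, or
  #    the command itself failed; the count tells the two apart.
  if report="$(composer audit --no-dev --format=json 2>/dev/null)"; then
    echo "composer audit: clean"
  else
    count="$(advisory_count "$report")"
    if [ "$count" -eq 0 ]; then
      echo "FAIL: composer audit produced no data; check network and composer.lock" >&2
    else
      echo "FAIL: composer audit found $count advisories; cite these in the report:" >&2
      advisory_ids "$report" >&2
      cve_ids "$report" >&2
    fi
    status=1
  fi

  # 2. Drupal's view: core and contrib releases flagged by the Drupal security
  #    team. The two feeds mostly overlap, so run both and let either fail the
  #    build. Assumes Drush >= 10 exits non-zero when it lists a package.
  if drush pm:security --no-interaction; then
    echo "drush pm:security: clean"
  else
    echo "FAIL: unapplied Drupal security releases, see list above" >&2
    status=1
  fi

  return "$status"
}

case "${1:-}" in
  "")     ;;                               # no argument: define functions only
  --demo) echo "advisories in the constructed sample:"
          advisory_ids "$SAMPLE_AUDIT"
          echo "CVE IDs in the constructed sample:"
          cve_ids "$SAMPLE_AUDIT" ;;
  *)      cd "$1" && run_gate ;;
esac
```

Wire `security-updates-gate.sh /var/www/html` into the pipeline's Code stage and the weekly cron; the advisory and CVE IDs it prints are the ones the monthly report should cite against the 24–48 hour target.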

### Ongoing Monitoring

- **New Relic APM** – runtime performance & anomaly tracking
- **Acquia Cloud Hooks** – automated checks post-deploy
- **Quarterly Audits** – scans with ZAP & Security Scanner
- **Annual Pen Test** – third-party validation
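The Cloud Hooks item above, as an added example rather than Acquia's own hook code: a `post-code-deploy` hook that runs the standard `drush deploy` sequence, then on stage and prod refuses a deploy that enables a dev-only module (the Config Split failure mode) or leaves a Drupal security release unapplied. The argument order is the one Acquia documents for this hook; the `DEV_ONLY_MODULES` list, the `security-review` command name and the assumption that `drush pm:security` exits non-zero when it lists a package are mine and should be checked against your site.

```sh
#!/bin/sh
# hooks/common/post-code-deploy/post-deploy-checks.sh: added example, not
# Acquia's own hook code. Acquia runs every executable in this directory after
# a code deploy and passes six positional arguments:
#   $1 site  $2 target_env  $3 source_branch  $4 deployed_tag  $5 repo_url  $6 repo_type
# A non-zero exit marks the deployment task as failed in the Cloud UI.
set -eu

# Modules that belong in the dev config split and must never be enabled on a
# gated environment (assumed list; extend with your own dev-only modules).
DEV_ONLY_MODULES="devel devel_generate webprofiler stage_file_proxy"

# Acquia's drush alias for a site/environment pair, e.g. @mysite.prod.
drush_alias() {
  printf '@%s.%s' "$1" "$2"
}

# Standard Acquia environments are dev, test (shown as Stage in the UI) and
# prod. Gate test and prod; dev may carry unreleased work, and on-demand
# environments (ode*) are named per subscription.
is_gated_env() {
  case "$1" in
    prod|test) return 0 ;;
    *)         return 1 ;;
  esac
}

# Given enabled module machine names, one per line, print the dev-only ones.
# -x matches whole lines, so devel_extra does not count as devel.
dev_modules_enabled() {
  for m in $DEV_ONLY_MODULES; do
    printf '%s\n' "$1" | grep -qx "$m" && printf '%s\n' "$m"
  done
  return 0
}

post_deploy_checks() {
  site="$1"; env="$2"; branch="$3"; tag="$4"
  alias="$(drush_alias "$site" "$env")"
  echo "post-code-deploy: $alias from $branch ($tag)"

  # Drush >= 10.3: updatedb, config import, cache rebuild and deploy hooks in
  # the order Drupal expects them.
  drush "$alias" deploy --yes

  if ! is_gated_env "$env"; then
    echo "$env is not gated; security checks skipped"
    return 0
  fi

  # 1. Config Split check: a dev-only module enabled on stage/prod means the
  #    wrong split was imported. pm:list --format=list prints machine names.
  enabled="$(drush "$alias" pm:list --status=enabled --type=module --format=list)"
  bad="$(dev_modules_enabled "$enabled")"
  if [ -n "$bad" ]; then
    echo "FAIL: dev-only modules enabled on $env:" >&2
    printf '%s\n' "$bad" >&2
    return 1
  fi

  # 2. Unapplied Drupal security releases fail the deploy. Assumes Drush >= 10
  #    exits non-zero when pm:security lists a package; confirm locally.
  drush "$alias" pm:security --no-interaction

  # 3. Security Review module checks. The command name is the module's
  #    (assumed here to be security-review; confirm with `drush list`); its
  #    findings are review items in the task log, not a hard fail.
  drush "$alias" security-review \
    || echo "warn: security-review reported findings or is not installed" >&2

  echo "post-deploy checks passed on $alias"
}

# Acquia passes six arguments; with fewer (sourced, or run by hand) only the
# functions are defined.
if [ "$#" -ge 4 ]; then
  post_deploy_checks "$@"
fi
```

Commit the file executable (`chmod +x`); the hook's stdout and stderr appear in the task log, so the FAIL lines are what the on-call engineer sees first.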

### Reporting & Governance

- **Monthly Reports**: Security updates, uptime, incidents
- **Quarterly Reviews**: Performance, SEO impact, security posture
- **Training & Policies**: Keep internal teams up-to-date

### The Workflow

**Code → Build → Deploy → Monitor**

- Code: Snyk, Dependabot, PHPStan, drupal-check
- Build: Automated ZAP scans in staging
- Deploy: Acquia Security Scanner, Cloud Hooks
- Monitor: New Relic, quarterly audits, annual pen tests
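The Build step's "automated ZAP scans in staging", as an added example that is not part of the original page: a wrapper around the ZAP baseline scan (spider plus passive rules, no active attacks, so it is safe to point at a shared staging site) that fails the job on the header and cookie findings we treat as hard failures. Docker on the build host, the output directory layout and the script name are my assumptions; the rule IDs are ZAP's passive-scan IDs as I know them and should be confirmed against the list `zap-baseline.py -g rules.conf` writes for your ZAP version.

```sh
#!/bin/sh
# zap-staging-scan.sh: added example, not the page's own code. Build-step DAST
# against staging; fails the pipeline on the rules marked FAIL below.
# Assumes Docker on the build host and the ghcr.io/zaproxy/zaproxy image.
set -eu

# Config file consumed by zap-baseline.py -c. One rule per line:
#   <rule id><TAB><IGNORE|WARN|FAIL><TAB>(free-text comment)
# Rules not listed keep the default action, WARN. IDs assumed; verify with -g.
zap_rules() {
  printf '%s\t%s\t(%s)\n' \
    10020 FAIL "Missing Anti-clickjacking Header" \
    10021 FAIL "X-Content-Type-Options Header Missing" \
    10035 FAIL "Strict-Transport-Security Header Not Set" \
    10038 FAIL "Content Security Policy (CSP) Header Not Set" \
    10010 FAIL "Cookie No HttpOnly Flag" \
    10011 FAIL "Cookie Without Secure Flag" \
    10054 FAIL "Cookie without SameSite Attribute"
}

# zap-baseline.py exit status as documented for the script (verify against
# your ZAP version): 0 nothing above INFO, 1 at least one FAIL rule hit,
# 2 at least one WARN rule hit (suppressed by -I), anything else a scan error.
zap_verdict() {
  case "$1" in
    0) echo pass ;;
    1) echo fail ;;
    2) echo warn ;;
    *) echo error ;;
  esac
}

# Scan one target; the rules file and reports land in $2 (default ./zap-out).
# Returns non-zero for fail and error so the job stops before Deploy; warn
# passes but stays visible in the HTML report for the quarterly audit.
zap_scan() {
  target="$1"
  out="${2:-$PWD/zap-out}"
  mkdir -p "$out"
  zap_rules > "$out/rules.conf"

  # -c reads rules.conf from /zap/wrk, -r/-J write the reports there,
  # -j adds the AJAX spider for the JS-driven parts of the front end.
  set +e
  docker run --rm -u zap -v "$out:/zap/wrk:rw" \
    ghcr.io/zaproxy/zaproxy:stable \
    zap-baseline.py -t "$target" -c rules.conf -r report.html -J report.json -j
  code=$?
  set -e

  verdict="$(zap_verdict "$code")"
  echo "zap baseline on $target: $verdict (exit $code); reports in $out"
  case "$verdict" in
    pass|warn) return 0 ;;
    *)         return 1 ;;
  esac
}

# Usage: zap-staging-scan.sh https://stage.example.invalid [output-dir]
if [ "$#" -ge 1 ]; then
  zap_scan "$@"
fi
```

The baseline scan is unauthenticated, so it never sees `/admin` or editor workflows; those paths are what the manual Burp Suite testing and the annual pen test are for.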

## Summary

On Acquia, **infrastructure security is handled**.

Our dev team adds value by:

- Staying on top of **Drupal updates & patches**
- Running **continuous code and config security checks**
- Providing **clear reporting & proactive maintenance**
