How can I stay informed about Drupal security updates?
Staying on top of updates to Internet software is a big responsibility. It's critical to the security of your website and yet can take a lot of time. The traditional advice about updates is to subscribe to the updates mailing list: that works well for most projects.
For broad software projects like Drupal, however, that advice is increasingly unmanageable. Drupal update emails cover not just Drupal core, but also many of the contributed modules, themes, and distributions available on drupal.org —over 20,000 of them. Any individual website may have 50, 100, or more. So, if you sign up to get emails about security issues across 20,000 modules and you only care about 200 of them, the chances of getting a message about a module you don't need are very high.
Here are some ways you can receive updates; see which one is the best for you.
Enable the Update core module with security focused settings (configured at Administration > Reports > Available Updates)
It's a focused report to your needs on your website.
It can be sent to multiple inboxes, including a ticketing system or support team.
This relies on the cron mechanism. In Drupal 7, you can either set up cron to run on your server (for example, using crontab), or it runs using the so-called poor man's Cron, which runs periodically after a page visit by a website visitor. If Cron isn't working, this won't work for you.
If email from your server isn't working, then this report won't be delivered to you.
It can negatively impact performance. We recommend using it on test environments because the production server shouldn't need to spend time and resources on polling drupal.org.