Tech Coast Angels home page

Tech Coast Angels is the largest angel investment organization in the United States. With over 300 members throughout Southern California, Tech Coast Angels' members have invested over $120 million in over 200 startup companies since their inception in 1997.

Since 2013, Exaltation of Larks has been working with Tech Coast Angels on their online systems, including an extensive Drupal web application that their members use as a deal flow tracker and document management system. Services we’ve provided include support, maintenance, security improvements, performance optimization, and mobile integration.

The web application that Tech Coast Angels uses allows its members to view startup companies' applications for funding, discuss each company's application, and collaborate with one another in researching each company, which then helps them make individual decisions on funding.

Why Drupal was chosen: 

Tech Coast Angels was using Drupal before we came on the project. We see why they chose Drupal: there are several specific areas of the website project for which Drupal is an excellent fit. These areas include: user authentication, account management, roles and access control, custom dashboards, complex web forms for membership and funding applications, workflow management, and email notifications.

Describe the project (goals, requirements and outcome): 

Performance

Exaltation of Larks began this project with a site audit to evaluate the quality and maintainability of the existing Drupal web application and server environment, with a focus on performance optimization and general best practices.

During the site audit, we found Drupal and several contributed modules had been modified from their original versions, which made feature development and regular maintenance such as updates much more complicated. Many of the modules were out of date and required security updates. Several modules were unversioned “development” versions, which made it more difficult to tell if updates were available and if applying any updates would break existing functionality.

With a go-ahead from Tech Coast Angels, we then performed a more in-depth review, which unearthed further security and misconfiguration issues in both the Drupal site and the server environment. We documented them and helped Tech Coast Angels prioritize which ones to tackle first.

First, we brought the modified codebase that had outdated versions — and unversioned development releases — back into mainstream Drupal core and contrib releases.

Many of the upgrades had to do with memory usage and resource management. Page load times were close to a minute for some pages that had thousands of queries. We focused on refactoring some of the code without loss of existing functionality. We moved a lot of the configuration from content-types and views into code using Features. We migrated the website to a current LAMP environment, which included upgrading MySQL from 5.1 to 5.5, which has many performance and memory management improvements. We adjusted MySQL cache parameters to improve performance, and reconfigured both MySQL and Apache to dramatically reduce memory usage, including configuring Apache to use far fewer modules than the original server had been using.

All web hosting is provided by Amazon Web Services (AWS), for which Exaltation of Larks is a delivery partner and infrastructure consultant. We configured the production server to be much more efficient so there was plenty of memory and CPU capacity in case of traffic spikes. The new EC2 server was optimized for more IO operations per second, which substantially reduced overall system latency. Extra costs for the heavy utilization server were easily offset by purchasing a reserved instance.

Performance improvements we made to both the Drupal application and the server environments significantly drove down costs by reducing the hardware requirements necessary to run the Drupal codebase in both staging and production environments.

Security

We also worked on the security issues. There were two types of improvements needed: quick fixes and larger upgrades. Quick fixes to the Drupal web application included enabling Views caching and turning off unneeded modules on the production server. Among these modules were Locale, Devel, and String Overrides.

When initially working with the codebase, we found that it was an exceptionally complicated web application using several forms of access control for nodes, fields, menus, and groups. We used the ACL module to make them all play well together.

Other security upgrades included configuring file permissions so that Apache could not write to Drupal's PHP files; adding SSL and making it mandatory for all connections; responding to and addressing the Heartbleed vulnerability; and using MySQL accounts with the least necessary privileges for accessing MySQL databases. We also implemented a secure backup strategy that transfers site backups to Amazon S3.
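The first item above, that Apache cannot write to Drupal's PHP files, can be verified with a permission audit. The following is an added example, not code from Exaltation of Larks or the project: the function names, the extension list and the sample tree are assumptions constructed for illustration, and the web server's uid and group ids are passed in by the caller.

```python
import os
import stat
import tempfile

# Assumption: file extensions that a Drupal 6 site executes as PHP.
PHP_EXTENSIONS = (".php", ".module", ".inc", ".install", ".engine", ".profile")


def can_write(st, uid, gids):
    """POSIX class precedence: owner bits if owner, else group bits, else other."""
    if uid == 0:
        return True  # root bypasses permission bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_docroot(root, uid, gids):
    """Return PHP files, and directories holding PHP files, writable by the account."""
    files, dirs = [], []
    for dirpath, _, filenames in os.walk(root):
        php = [n for n in filenames if n.endswith(PHP_EXTENSIONS)
               and os.path.isfile(os.path.join(dirpath, n))]
        # A writable directory lets the account add or replace code in it,
        # even when every file inside is read-only.
        if php and can_write(os.stat(dirpath), uid, gids):
            dirs.append(os.path.relpath(dirpath, root))
        for name in php:
            path = os.path.join(dirpath, name)
            if can_write(os.stat(path), uid, gids):
                files.append(os.path.relpath(path, root))
    return {"files": sorted(files), "dirs": sorted(dirs)}


def build_sample_tree():
    """Constructed docroot: one group-writable file, one group-writable directory."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {"index.php": 0o644, "sites/default/settings.php": 0o664,
              "modules/foo/foo.module": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    for rel in ("sites/default", "sites", "modules", "."):
        os.chmod(os.path.join(root, rel), 0o755)
    os.chmod(os.path.join(root, "modules/foo"), 0o775)  # group-writable directory
    return root
```

On a real server, pass the uid and the full set of group ids of the account Apache runs as; an empty result in both lists is the target state.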

Mobile App

Tech Coast Angels also enlisted Exaltation of Larks to help them create an iPhone app. We worked closely with their mobile developers: our task was backend integration. This presented an interesting challenge: Tech Coast Angels’ website used Drupal 6, but the Services module, which provides data in a format that a smartphone app could read, had been discontinued since its maintainers focused their efforts on versions for Drupal 7 and Drupal 8.

We decided to backport the Drupal 7 security fixes and new REST server features in the Services module to the Drupal 6 version. Working with Tech Coast Angels’ mobile application developer team, we used this backported version of Services to create an API that exposed the appropriate data to their iPhone app.

In the future, Exaltation of Larks and Tech Coast Angels plan to work together on a site redesign and an upgrade to Drupal 7. We continue to work with Tech Coast Angels on ongoing feature development and provide support and maintenance services.

Modules/Themes/Distributions
Why these modules/theme/distribution were chosen: 

Services: We used the Services module to provide data in a format that Tech Coast Angels' new smartphone app could read. Tech Coast Angels' website, however, used Drupal 6, and the Services module had been discontinued for this version of Drupal. We backported large parts of the Drupal 7 version of Services to Drupal 6, and have been using that version of the module to serve data to Tech Coast Angels' mobile app.

PHP Filter Lock: This module was included in a comprehensive security package we delivered to our customer. This is a custom module that we used for this customer and contributed to Drupal.org. Drupal development best practice is to forgo using the core PHP Filter module. When we perform site audits, we always recommend extracting any PHP code used by PHP Filter and moving it into custom modules so that it's in the codebase and not the database. Unlike the Paranoia module, which forcibly disables the PHP Filter module (thereby breaking existing functionality), the PHP Filter Lock module mitigates the risk of CSRF and XSS attacks by placing PHP code found in nodes, blocks, views, etc., in quarantine and preventing the contents of those text fields from being editable. The Paranoia module was our first choice for this requirement, but using it would have prevented the PHP Filter module from being used at all, thereby breaking the existing functionality unless there was adequate time and budget for refactoring and testing.

Alternative PHP Cache (APC) and proper APC configuration: On the server, APC was installed but incorrectly configured. This module can help speed up the site, but it needs to be set up properly - a site will actually slow down if it's not correctly configured. We fixed the configuration.

PhPass: We used this module to increase security by salting passwords. Salt is built into Drupal 7, but not Drupal 6.

Features: We used Features to move a lot of the configuration from content-types and views into code.

ACL: We used the ACL module to manage several forms of access control for nodes, fields, menus and groups, and make them all function well together.

Organizations involved: 
Community contributions: 

Our custom PHP Filter Lock module is available to the Drupal community. We're working to have our Drupal 6 backport merged with the official Services module.

Team members: 
Project team: 

Other organizations involved:
Tech Coast Angels

Other team members:
Mike Panesis – Tech Coast Angels Board of Governors: Chairman

Over time, as many as 9 members of Exaltation of Larks have worked on this project. Our team was made up of a lead project manager, a backup project manager, an account manager, several senior developers, a system administrator, and a tech lead.


Comments

Hi Team,

I would like to know the reason why Drupal 6 was chosen!

Thanks in Advance,
SVNindia

svnindia

scor

We decided to backport the Drupal 7 security fixes and new REST server features in the Services module to the Drupal 6 version.

Any plan to contribute those backports to the community?