Drupal and security

drm

I have been trying to convince a friend who runs a small business with a very static website to switch to Drupal. His impression - and he got the same thing when he asked a friend about it - is that anything which is open source can't be all that secure, because people have access to the source code. I told him that access to the code isn't so important as encryption, but had to admit it isn't my area of expertise.

Is there anything published on the web, preferably from an independent source, that addresses Drupal and security, particularly from the angle of open source? Any comments from folks here on how secure Drupal sites are compared to those that might use a proprietary CMS?

Thanks

Comments

Actually the opposite is true

rjleigh

Open source projects are generally considered much more secure than their private, closed counterparts, precisely because the code is public. While it does allow hackers to review code for weakness, it also allows everyone else to do the same, and when an issue is found, it allows the almost immediate release of a fix by someone in the community. Look at both the real and perceived security of the standard Linux distro vs. Microsoft. There's a reason (besides performance!) why almost all mission critical web servers run Linux.

All software has weaknesses. As they say, security is not a feature, but a process. It's not perfect, but Drupal has an excellent security rep. When issues with the core or contributed modules are found, a fix is usually posted the same day. There is a mailing list to keep you apprised of these updates.

See:
http://drupal.org/security
http://drupal.org/security-team

Don't know of an independent audit, but the software is used for some large scale sites that should be concerned about security, like:
http://www.amnesty.org/
http://www.dead.net/
http://warnerbrosrecords.com/
http://www.popsci.com/
http://www.fastcompany.com/
http://www.theonion.com/
http://witness.org/

Hackers don't single out open source vs. proprietary software - they look for large installed user bases (to be able to reuse hacks). So maybe the thing to do would be to pick a less popular CMS ;-). Security flaws are not usually found by combing lines of code, but by testing for known design flaws.

If your client is interested in security, it's not the software choice that matters, but the choice of developer. The most secure software in the world is often compromised by poor installation and maintenance methods.

Given enough time and

rcoder-gdo

Given enough time and patience, a skilled attacker can find flaws in almost any piece of software. Security isn't about keeping bad folks out so much as it is about making you a more difficult and less appealing target than someone else.

You're most at risk when you're running any out-of-date version of a popular piece of software. Of course, even being up-to-date won't help in the case of a "zero-day" exploit -- i.e., a vulnerability which gets exploited in the wild before a patch is available -- in which case you just have to count on being lucky.

I think that Drupal is better off than some open source packages purely because it has addressed some serious vulnerabilities in the past, and therefore the core team is aware of some of the most common attack vectors. I certainly trust it more than any closed-source competitor, because whenever a vulnerability is discovered, I can verify with my own eyes where in the code it is, what the scope of the vulnerability will be, and whether a released patch does in fact solve the problem.

If your friend is going to be doing this without any ongoing support from a web development professional, though, he might want to consider sticking with client-side tools to create his content. Some of the latest applications like iWeb and Adobe Contribute are actually pretty good at generating rich, standards-compliant HTML, and if you don't need online transaction processing, (or can host that somewhere else, like Yahoo! Stores) there's nothing more secure than static HTML files sitting on a web server.