|Drupal: how safe is it? critical task here|
Putting Drupal to the test? any experiences?
| 11:40 pm on Dec 19, 2013 (gmt 0)|
I always choose Drupal over any other CMS for many reasons that I have posted on the forum other times. It's safer, no discussion about it. There was a thread around discussing WP and Drupal, I'm not against WP... but I wouldn't build something this critical on WP unless I hosted it on WP servers... well to the point: I posted there that security comparisons between the two are useless if you don't take in count the mission, if it's critical or not.
Take per example building a website for a friend selling widgets, WP or Drupal won't really matter that much. But what about building a site for a big newspaper? I did, several times. Public sites like those are subject to many hacking attempts per week if not per day. Security depends on many diff factors: network, firewall, keys, etc and the cms itself.
The task, the context. I'm facing a potential scenario here for a project. More than happy? nope, more than happy I feel concerned about the task. It's about an entity (at country level) that manages LOTS of public information stored privately or course, they want to rebuild their system due to many issues including security and targeting diff platforms, including diff devices and destinations such as managers, clients, general public etc on smartphones, tablets and computers.
They built the system (the old one) on good technology and database but the security is as effective as the coder. You can't just say .net or asp are better than php just because... So, back to the topic I'm wondering about using Drupal to host all that data... keeping it secure while pretty sure facing several attacks per month.
I never faced a problem or hacking scenario on the sites I built for a newspaper, like 3K to 5K uniques per day running on Drupal for over two years and counting. Sure I could code everything from zero, I made a few CMS myself but this is very specific, and I wouldn't like to invest too much time on security routines instead of working with the data already, something as strong as drupal would take care of many of those security tasks.
I know big corporations and sites use Drupal for their projects, I know. I just would like more opinions on that. Thanks in advance.
| 11:50 pm on Dec 19, 2013 (gmt 0)|
Well, the best thing I can say is that the official Whitehouse website is created in Drupal. That speaks volumes.
| 11:53 pm on Dec 19, 2013 (gmt 0)|
I've spouted off on this enough, so I'll let others chime in. I will simply say that I do think Drupal takes security more seriously than other major open-source CMS.
I think Drupal core is very secure and so are major modules that are closely watched. The more you start using obscure modules, the more you open yourself up.
It's a bit out of date, but I do recommend the Cracking Drupal book. Also I mentioned this in the WP thread, but here's a good article on securing the stack
It would be great if you would post back ith other resources as you "explore" this!
Not to give a false sense of security by using a checklist, but I do like to run this on a site before it goes live
Some baked in hardening
Then of course the Secure Pages module and the Secure Pages Hijack module.
| 1:42 am on Dec 20, 2013 (gmt 0)|
|the official Whitehouse website is created in Drupal. That speaks volumes. |
Sure, but on what subject? For all we know, they may have been under a legal mandate to accept the lowest bid.
:: looking vaguely around for g1 before remembering this isn't the apache subforum ::
| 1:50 am on Dec 20, 2013 (gmt 0)|
I've seen some of the folks behind whitehouse.gov speak. They do a fair bit of non-drupal work too and try to choose the right tool for the job.
Still, whitehouse.gov and weather.com (latest "big" site to go Drupal) don't have sensitive information that would be really bad if it got out. So I'm not sure size is the best indicator.
The large amount of VC money that has gone into the Drupal Commerce project, however, suggests that someone with deep pockets thinks it's a good platform for e-commerce. That may be a better measure.
As in the WP discussion, though, nothing is truly secure (ask Target who announced today that 40,000,000 credit cards were compromised when their in-store, hardware-based credit card reader system was hacked and all numbers flowing in and out were compromised).
[edited by: ergophobe at 2:25 am (utc) on Dec 20, 2013]
| 2:11 am on Dec 20, 2013 (gmt 0)|
travelin cat: thanks, yes I know other big projects also use Drupal. Is funny because I trust Drupal a lot but this project makes me nervous. There is nothing bullet proof but given the choice opportunity, any problem can be blamed on (don't know the exact words to explain the event)
Lucy24: yes it says a lot on security. Yes you are right on the budget but being the white house website it has been exposed to several threats each day, that's what says a lot. Per example, the websites I built on Drupal for one big newspaper are there working fine without generating problems to the techs, while the rest built on WP having 1/3 to 1/7 of the traffic of those websites gives a lot of headache.
ergophobe: thanks for the info and links, I'm reading the first one already and will be reading the rest one after the other. I'm confident on the stability of Drupal but there are projects that demand second considerations before getting hands on.
| 11:50 pm on Dec 20, 2013 (gmt 0)|
For what it is worth, submitting a new module to Drupal requires a coding standard much more specific than all other CMS.
Of our clients providing online cources and tuition, the preferred CMS are Drupal and Moodle (also finely scrutinised).
| 12:31 am on Dec 21, 2013 (gmt 0)|
still reading, this was among the previous links:
Building and securing goverment drupal sites
| 2:05 am on Dec 21, 2013 (gmt 0)|
Done: good reading, thanks for the links!
| 6:11 pm on Dec 23, 2013 (gmt 0)|
If Drupal is safe why do they always find more security problems that need updates ?
| 11:04 pm on Dec 23, 2013 (gmt 0)|
If Linux is safe, why do they always find things that need security updates [debian.org] (19 so far for December, 2013 for Debian, which is one of the more stable and secure distros)?
If Windows is safe (which I believe Win7 and Win8 are, relatively speaking), why do they always need security updates? (No link because, really, does anyone need proof of that).
If Mac OS is safe, why do they always need security updates [support.apple.com]?
If hard-wired credit card terminals are safe, why did Target just divulge 40,000,000 customers' credit card information?
Same for Flash, Java, Adobe AIR, Firefox, Chrome and a zillion other things that are constantly being patched for security reasons.
Nothing is *safe* in the sense that it is without risk.
One thing I like about Drupal is there is, in my opinion, more active reporting than many other CMS.
You can't base the safety of an app on the number of security reports and fixes. It's a worthless metric.In other words, answer me this question. Which is safer:
Application A is three years old and has had 30 known security holes discovered and patched
Application B three years old and has had three known security holes discovered and patched
Is A 10x worse than B or 10x better? Based on the information released, you can't say.
| 12:24 am on Dec 24, 2013 (gmt 0)|
|If Drupal is safe why do they always find more security problems that need updates ? |
that can be interpreted and answered in many ways:
Drupal has diff levels of security/update warnings, only one category is critical. You can ignore many of the warnings and still have your site going for years. Yes, it depends on the modules/plugins one is using and there is a log (to say something) on how others are experiencing their website stability with those modules on.
I had one install with many features on and the updates were annoying but the site never had a problem, and yes I could ignore (and in fact did ignore) some of the non critical warnings. The experience was very positive compared to the other webmasters CMSs, most of the times they discovered a problem thanks to the problem itself, not due to a warning update notice.
IMHO is more important to see how many rants one can find due to several websites falling down thanks to bugs or security problems on forums complaining about it, than update notices. One does not goes parallel to the other.
| 9:58 pm on Dec 28, 2013 (gmt 0)|
Are they actually security problems that are being updated?
We develop CMS inhouse as online shopping portal and member access systems and they are constantly evolving as new features are added. Needless to say that over a decade the earlier versions are very different to those of today.
But we have never had to "upgrade security" because the first versions were as secure as today, ie: no weaknesses were introduced by careless coding.
Even with an OS, in most cases you will find that updates are necessary to patch recent updates that added new features, ie: updates that introduced weaknesses.
| 10:27 pm on Dec 28, 2013 (gmt 0)|
|that manages LOTS of public information stored privately or course, they want to rebuild their system due to many issues including security and targeting diff platforms, |
Drupal does have high scores for security, but what about the above? Is that data to be migrated into Drupal, or will it be accessed by Drupal? If the latter, that's the potential sccurity risk during the share process.
| 4:18 pm on Jan 9, 2014 (gmt 0)|
I agree Kendo.
Tangor, the data will be migrated to Drupal, "they" are still unsure on what to do, they are familiar with Drupal as Wordpress but can't understand those are very diff tools. The problem I see is pretty sure will move forward to creating the databases and pages code line by line... that sucks, I mean creating the app for the specific scenario is one thing but creating something that requires lots of security layer because it will have lots of public access doesn't sound good, they should stick to a tool that already took care of that. In the opposite scenario I would step out.