All buyers want CMS, which is best for freelancers to use?


ergophobe - 5:09 pm on Feb 7, 2008 (gmt 0)


Re: security, there are pros and cons to a popular open-source package.

cons
- large user base makes an appealing target
- obvious code signatures make it targetable
- third-party modules often have lax code review

pros
- fixes usually come out very quickly.
- the large user base means a gigantic testing base, meaning that a higher percentage of security holes actually get found than would be the case with a script running just on your site. Think about Apache versus IIS or Linux versus Windows. Open source does not automatically make it less safe (or more).

misc observations

This is based mostly on my experience with Drupal (though I have played with several others - Xaraya, Dragonfly, MODx, Joomla).

- the security holes lately tend to be related to XML-RPC (and thus AJAX features). A few years ago, it was all about SQL injection, and most CMSs came up with coding standards to stop that, but now that AJAX is the new thing and a lot of developers don't know how to lock down their code, that tends to be the source of problems.

- third-party modules are particularly a problem. The core package usually gets pretty good review, but anyone can turn out a module and make it available for download with no review at all. For every 10 security notices I get on the Drupal security list, I would say only 1 actually pertains to core or a module I have installed. So Expression Engine touts that they have far fewer security notices than Drupal, but it's not really a fair comparison. The fair comparison would be to core and core modules, where the security problems are way lower.

- you can protect yourself from some of the annoyance problems (contact form spam and comment spam) simply by changing the code signature in the template.

One final thought - at least in theory, the time you save on coding from scratch could be spent on hardening the code. Submit your findings and fixes to the community, and now the whole package is safer for everyone and less of a target.


Thread source: http://www.webmasterworld.com/content_management/3546012.htm
Brought to you by WebmasterWorld: http://www.webmasterworld.com