Drupal security from the outside

Submitted by Frederic Marand on Mon, 2008-02-04 23:54

The OSInet team recently attended Solutions Linux, a trade fair focused on FLOSS, and while chatting with a sales engineer from a company specialized in Typo3, got asked which CMS we used, and of course answered "Drupal".

At that point, that person flinched somehow, acknowledging that Drupal was indeed one of the "Big 3" in the CMS space, along with Typo3 and Joomla, but was plagued with security issues making it rather unfit for professional deployment, as opposed to Typo3, which took security issues seriously. Continuing the discussion, it appeared that this company had indeed acquired at least some Drupal know-how too, at customer request, but the person doing the criticizing was not directly familiar with Drupal.

Now, skipping over the fact that criticizing competing products is usually not a sound business practice, and maybe even less so in the FLOSS ecosystem, I wondered why this angle of attack had been chosen against Drupal, and I did some comparisons.

                         | Drupal                                   | Joomla                                                         | Typo3
-------------------------+------------------------------------------+----------------------------------------------------------------+-----------------------------------
Security team page       | Security page                            | no page found with either internal search engine or Google     | Security team section
Feeds/mailing lists      | security announcements page (has feed)   | A forum for 1.0                                                | On the general announcement list
Policy                   | policy page                              | no page found with either internal search engine or Google     | policy page
Secunia tracker          | Drupal                                   | Joomla                                                         | Typo3
Security forum           | no dedicated forum                       | two forums: one for 1.0, the other for 1.5                     | no dedicated forum
Google stats             |                                          |                                                                |
  security site:<site>   | 31900                                    | 33200                                                          | 3050
  site:<site>            | 452000                                   | 284000                                                         | 121000
  Ratio                  | 7%                                       | 12%                                                            | 3%

So it seems Drupal and Typo3 have chosen rather similar ways of dealing with security issues, while Joomla chose to use forums for the same purpose. FWIW, the same ratio for microsoft.com is 536k/31M = 2%, much closer to Typo3's ratio than to the higher numbers featured by Drupal and Joomla.

The comparatively low appearance of "security" on Typo3's main site, and the very low number of security issues reported by Secunia for Typo3 might be the root of this "unsafe" assumption made by some salespersons about Drupal. However, this might also point to a development process being either less active or conducted in a more "closed" fashion: such blades are always double-edged.

When a sales guy flinches, you need to be careful. Negotiators are actually trained to flinch, visibly or audibly, whenever you make an offer, no matter what the offer is. (Read Secrets of Power Negotiating, a rather entertaining book.) No doubt the same trick works in sales.

What I see here is that a completely non-neutral party -- a competitor, an actual salesperson for Typo3 services -- made one flinch, plus one random unsupported statement about Drupal security, and managed to get you so worried that you were driven to do a bunch of research and blogging. Your research is valuable and informative -- thanks for doing it! -- but the fact that you felt compelled to do it indicates that the FUD mission has been accomplished. IBM in its heyday could not have done better.

Of course a marketer will tell you that your competing product is insecure, that it costs more and takes longer to deploy, that it's going to be bought by Microsoft and discontinued, that it requires expensive hardware, and that its popularity is on the decline. So I'd hold out for an actual, detailed explanation of Drupal's engineering or marketing failings -- preferably from an actual customer -- before losing any sleep over this incident. In the meantime, I'm thinking that the correct thing to say when someone says "Drupal is less secure than Product X" is something like "well, that's odd -- Drupal security has been pretty good ever since the Security Team started reviewing as many of the submitted modules as possible. Which aspect is insecure?" The secret is to (a) suggest that the facts are always changing and maybe this guy's info is hopelessly out of date and (b) make him get specific if he wants to allege something.

As to why he chose this angle of attack: security problems are real, easy to allege, hard to disprove, and scary. If the guy claims that the problem with Drupal is that it lacks Feature X, there's the risk that he's wrong, or that some Drupal developer will implement Feature X next week and make him wrong. There is no risk of being wrong when you claim that Drupal, or any given computer program, contains some kind of security flaw, somewhere, somehow.

Hi, thanks for the comparison.

A couple of notes.

  1. Drupal lists the 27 members of its security team publicly: http://drupal.org/security-team We believe that knowing who the members of the security team are adds to the transparency of the security process.
  2. The Drupal security team recognizes that managing security for 2500 extensions can lead to a lot of security reports and give the appearance that it is insecure. We hope that ultimately people choosing a CMS will recognize that it means security is taken seriously.
  3. The Drupal security team makes announcements, has a feed, and has thousands of subscribers to its security newsletter.
  4. Drupal includes automated update notification in Drupal 6 and has an extension for update notifications in Drupal 5.
  5. Drupal provides security education documentation: http://drupal.org/writing-secure-code
  6. A report summarizing Drupal security issues in 2007 has been written and is listed on the security team page. It summarizes improvements and recommendations.
  7. Drupal routinely undergoes security reviews and reports are given to the Drupal security team. We have reason to be proud of our record.
  8. Real life Security team meetings occur twice annually at the Drupal conferences. Otherwise, we have a private channel and private mailing list, both of which are very active discussing security issues. Our team members also present on Drupal security topics at regional events.

Cheers, Kieran Lal, Drupal Security team coordinator

Thanks for the comment. Actually, I think I may not have shown correctly what my preoccupation was in that case (plus I only mentioned part of the discussion): it is not actually about Drupal security which, as a rather long-time contributor, I already know is well managed, as Kieran detailed. It is rather why someone working in the Open Source CMS space chooses this rather non-obvious angle of attack, because it might spread elsewhere if the visible part of our security methods is not obvious enough.

So I checked the visible parts of the security process of these other big two CMS, to see how new potential users would see it when first looking for information at the "which CMS should I choose" stage, in order to identify whether we had a visibility/communication problem regarding our security process.

The comparison in that case is striking: although there are obvious differences in the actual site pages, communication about security is very similar at Typo3 and Drupal, while Joomla apparently chose an entirely different way to inform about security workings: no visible security section on the main site, and user-level security discussions in two forums.

Whenever I get the flinch (or the S question) I tell my prospects the next story that happened about half a year ago.

I created a community portal for a startup which was very concerned by security; they had a single sign-on between their .net application and the Drupal community site and were very aware of security issues.
Before the launch they issued an external scan of the system which found several flaws, most related to Apache misconfiguration, but one of the alerts was related to a cross-site scripting exploit in the search functionality.
I felt "oh so very important" as I posted "I think I uncovered a security issue.." in #drupal.
It took around 2 minutes for 3 very esteemed Drupal rockstars (I think I recall moshe and chx, I'm not sure) to invite me to the security channel and start cross-interrogating me about what was installed and how; the turnover time was crazy.
To my great embarrassment, I was sure I had upgraded to the latest Drupal version back then (I think it was 5.1), and I hadn't. I felt really crap about wasting these people's time (but hey, now I have a good story to tell my customers).

Now at this point I simply ask the customer if he is aware of companies or business communities that could give you a 2 minute SLA, when you don't talk to first tier support and "enjoy" 4 days of escalations until (and if) you get to speak to someone like chx or moshe.

When they ask me how come this happens, I simply say that this is because these people "care": they are proud of their joint brainchild and defend and nourish it.
I'm sure the Typo3 guys (and Joomla) care as well, but the MS and other corporate worlds are PAID to care, and that isn't really the same thing.
I'm always amazed by the power of open source and how professional pride (and some spectacular egos sometimes) can make such a difference.
I need to fish up the logs for that one, but proven and documented IRC latency examples could be a very effective tool to make the point.