[WEB SECURITY] How secure is Drupal?

Greg Knaddison greg.knaddison at acquia.com
Mon Oct 31 11:59:15 EDT 2011


I agree with Felix' perspective here: most major open source projects
have reasonably good security. Once they get past the initial growth
period and into widespread use on major systems they are likely to
attract people who care enough about security to make the code and
infrastructure changes necessary to meet some basic levels of quality.

There is a white paper at http://drupalsecurityreport.org/ which
attempts to address the question of whether Drupal is "secure enough
for your organization." Disclosure: I'm a co-author.

Regards,
Greg

--
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com

2011/10/30 Félix Aimé <felix.aime at gmail.com>
>
> Hello !
>
> Without trolling, Drupal is secure as WordPress is secure. Professional code etc. You can harden the security configuration of your server and/or your Drupal installation but by default, Drupal is a good solution for a CMS secure "by default".
>
> Well, after that you can have some security problems due to plugins and other "home made scripts" on your Drupal installation and/or server. But by default, Drupal is good, as WordPress or other massively used CMS.
>
> Regards,
>
> Félix.
>
>
> 2011/10/30 Dana Al-Abdulla <dana at qcert.org>
>>
>> Dear All,
>>
>> A question that is always being asked, but I would like to hear your opinion.
>>
>> Would you go for Drupal as your web app? Or might you have some security considerations in this regard?
>>
>>
>>
>> Best regards,
>>
>> Dana Al-Abdulla
>> Section Manager - Cyber Security Resiliency
>> Tel: 974-44995387
>> Fax: 974 4483 9953
>> Email: dana at qcert.org
>> Web: www.qcert.org
>> PO Box: 24514, Doha, Qatar
>>
>> _______________________________________________
>> The Web Security Mailing List
>>
>> WebSecurity RSS Feed
>> http://www.webappsec.org/rss/websecurity.rss
>>
>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>> WASC on Twitter
>> http://twitter.com/wascupdates
>>
>> websecurity at lists.webappsec.org
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>


