[WEB SECURITY] How secure is Drupal?
greg.knaddison at acquia.com
Mon Oct 31 12:54:30 EDT 2011
On Mon, Oct 31, 2011 at 10:41 AM, Mike Duncan <mike.duncan at noaa.gov> wrote:
> Keep your plug-ins to a minimum and you should be good. However, most
> plug-ins do not go through the same security checks that Drupal goes
> through -- you should audit them closely or at very least use
> SecurityFocus or something else to search for recent vulnerabilities for
The main announcement point for vulnerabilities in Drupal is
Contributed project vulnerabilities are listed at this sub-tab
You can also get notifications about just the out-of-date plugins
installed on your site from directly within Drupal using its update
feature (which is enabled by default).
I agree it's worthwhile to monitor something like SecurityFocus as
well in case there are announcements outside of these channels, but
the first step is the announcement channels that come from the Drupal
Hani Benhabiles suggests a method to compare vulnerability counts as a
way to know which project is more secure. I think this can lead to a
lot of false conclusions and do not consider it a complete or
particularly valid comparison process.
Also, thanks to Yasser ABOUKIR for recommending my book ;)
Disclosure: I'm a member of the Drupal Security Team and obviously
very invested in it, so if anything I say seems overly "pro-Drupal"
please let me know or provide a counter-perspective.
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com