[WEB SECURITY] How secure is Drupal?

Greg Knaddison greg.knaddison at acquia.com
Mon Oct 31 12:54:30 EDT 2011

On Mon, Oct 31, 2011 at 10:41 AM, Mike Duncan <mike.duncan at noaa.gov> wrote:
> Keep your plug-ins to a minimum and you should be good. However, most
> plug-ins do not go through the same security checks that Drupal goes
> through -- you should audit them closely or at very least use
> SecurityFocus or something else to search for recent vulnerabilities for
> each.

The main announcement point for vulnerabilities in Drupal is

Contributed project vulnerabilities are listed at this sub-tab

You can also get notifications about just the out-of-date plugins
installed on your site from directly within Drupal using it's update
feature (which is enabled by default).

I agree it's worthwhile to monitor something like SecurityFocus as
well in case there are announcements outside of these channels, but
the first step is the announcement channels that come from the Drupal

Hani Benhabiles suggests a method to compare vulnerability counts as a
way to know which project is more secure. I think this can lead to a
lot of false conclusions and do not consider it a complete or
particularly valid comparison process.

Also, thanks to Yasser ABOUKIR for recommending my book ;)

Disclosure: I'm a member of the Drupal Security Team and obviously
very invested in it, so if anything I say seems overly "pro-Drupal"
please let me know or provide a counter-perspective.


Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggleshttp://acquia.com

More information about the websecurity mailing list