Dear All,
A question that is always being asked, but I would like to hear your opinion.
Would you go for Drupal as your web app? Or might you have some security considerations in this regard?
Best regards,
Dana Al-Abdulla
Dana Al-Abdulla
Section Manager - Cyber Security Resiliency
Tel: 974-44995387
Fax: 974 4483 9953
PO Box: 24514, Doha, Qatar
The information in this email and any attachments thereto, may contain information that is confidential, protected by intellectual property rights, and may be legally privileged. It is intended solely for the addressee(s). Access to this email by anyone else is unauthorized. Any use, disclosure, copying, or distribution of the information contained herein by persons other than the designated addressee is unauthorized and may be unlawful. If you are not the intended recipient, you should delete this message immediately from your system. If you believe that you have received this email in error, please contact the sender or ictQATAR at + 974 (4) 935 922 or abuse@ict.gov.qa, any views expressed in this email or its attachments are those of the individual sender except where the sender, expressly and with authority, states them to be the views of ictQATAR.
Hello!
Without trolling, Drupal is as secure as WordPress is secure. Professional
code, etc. You can harden the security configuration of your server and/or
your Drupal installation, but by default Drupal is a good solution for a CMS
that is secure "by default".
Well, after that you can have some security problems due to plugins and
other "home made scripts" on your Drupal installation and/or server. But by
default, Drupal is good, like WordPress or other massively used CMSes.
Regards,
Félix.
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Considering you use Drupal core and a few of the most popular modules, it is
pretty secure.
But security issues are mainly related to the configuration of this CMS and
the development of new modules.
Here's a book about that:
http://www.amazon.com/dp/0470429038/?tag=stackoverfl08-20
Salam
--
--------------------------------------------------------------------
Yasser ABOUKIR
Phone: +212 6 69 60 64 82
Visit us: www.yaboukir.com
I agree with Felix' perspective here: most major open source projects
have reasonably good security. Once they get past the initial growth
period and into widespread use on major systems they are likely to
attract people who care enough about security to make the code and
infrastructure changes necessary to meet some basic levels of quality.
There is a white paper at http://drupalsecurityreport.org/ which
attempts to address the question of whether Drupal is "secure enough
for your organization." Disclosure: I'm a co-author.
Regards,
Greg
--
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com
I would say that Drupal is a notch above other CMSes such as WordPress and
Joomla, mainly because of how much security code reviewing is done on the
plugins.
A search on exploit-db may not give the whole picture, but a reasonable part
of it.
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=drupal&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=joomla&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=wordpress&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=
Cheers,
Hani
--
M. Hani Benhabiles
Twitter: @kroosec
Agreed. Drupal hit this critical point in the market 3-4yrs ago I think.
Now, they suffer from some of the same issues that hit Joomla, WP, and
others -- plug-in security which Felix touched on.
Keep your plug-ins to a minimum and you should be good. However, most
plug-ins do not go through the same security checks that Drupal goes
through -- you should audit them closely or at very least use
SecurityFocus or something else to search for recent vulnerabilities for
each.
The same goes for WP, Joomla, and others as well.
Thanks.
Mike Duncan
Application Security Specialist
US Government Contractor, STG Inc.
NOAA National Climatic Data Center
Information Technology Security (ITS)
On Mon, Oct 31, 2011 at 10:41 AM, Mike Duncan mike.duncan@noaa.gov wrote:
Keep your plug-ins to a minimum and you should be good. However, most
plug-ins do not go through the same security checks that Drupal goes
through -- you should audit them closely or at very least use
SecurityFocus or something else to search for recent vulnerabilities for
each.
The main announcement point for vulnerabilities in Drupal is
http://drupal.org/security
Contributed project vulnerabilities are listed at this sub-tab
http://drupal.org/security/contrib
You can also get notifications about just the out-of-date plugins
installed on your site from directly within Drupal using its update
feature (which is enabled by default).
I agree it's worthwhile to monitor something like SecurityFocus as
well in case there are announcements outside of these channels, but
the first step is the announcement channels that come from the Drupal
project.
Hani Benhabiles suggests a method to compare vulnerability counts as a
way to know which project is more secure. I think this can lead to a
lot of false conclusions and do not consider it a complete or
particularly valid comparison process.
Also, thanks to Yasser ABOUKIR for recommending my book ;)
Disclosure: I'm a member of the Drupal Security Team and obviously
very invested in it, so if anything I say seems overly "pro-Drupal"
please let me know or provide a counter-perspective.
Cheers,
Greg
--
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com
cms-explorer is an up-to-date CMS scanner for problems already found on
some CMS systems
(it handles Joomla, Drupal, WordPress, etc.).
It can be connected to the search API on OSVDB, which gives all the juicy
info about unsafe modules connected
on your site.
And indeed, Drupal as is.. is safe.. it's the modules built by other
people that give the most problems.
Auditing the scripts yourself is the best way, but the longest way ;-)
-neusbeer
As I said, general vulnerability sites don't show the whole picture, but
they show a fair part of it, especially when it comes to non-targeted
attacks, which the OP seems to be concerned about the most. When it comes to
plugins, I believe that Drupal's central repository and security reviewing
is better.
For WordPress, you can have a look at this
http://spareclockcycles.org/2011/09/18/exploitring-the-wordpress-extension-repos/
or some of Miroslav Stampar's work at http://unconciousmind.blogspot.com/
It shows some mass grep and profit. ;)
Btw, Greg Knaddison's book is awesome, a must-read for anyone who's
interested in manually reviewing the plugins they use. :)
Cheers,
Hani.
--
M. Hani Benhabiles
Blog: http://kroosec.blogspot.com
Twitter: @kroosec
Looks like everyone has covered the main points - but I'll add from
experience that their security team is both knowledgeable and responsive,
which is not something I can say about other PHP frameworks I've dealt with.
Comments in this thread I second:
Many module issues I've seen are trivially fixed too; they just fail to do
something simple like call a Drupal FormAPI function that's already there.
Arian Evans
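Arian's point about modules that skip a Form API function they could have called is illustrated by the following added example. It is not code from this thread, from Drupal core, or from any real module: it is a hypothetical Drupal 7 module (the module name `greetbox`, its paths and all function names are assumptions) that implements the same greeting form twice, once hand-rolled from `$_POST` and once through the Form API. The hand-rolled page gets neither the form token that Drupal's form validation checks for logged-in users nor any output escaping; the Form API version gets the token for free, keeps its checks in a validate handler, and passes the value through `t()` with an `@` placeholder, which escapes it with `check_plain()`.

```php
<?php
// Added example for a hypothetical Drupal 7 module "greetbox" (name, paths and
// function names assumed). Not from the thread or from Drupal's own code.

/**
 * Implements hook_menu().
 */
function greetbox_menu() {
  $items = array();
  // Hand-rolled page callback: bypasses the Form API entirely.
  $items['greetbox/raw'] = array(
    'title' => 'Greeting (hand-rolled)',
    'page callback' => 'greetbox_raw_page',
    'access arguments' => array('access content'),
  );
  // Form API version: drupal_get_form() builds, validates and submits the form.
  $items['greetbox/form'] = array(
    'title' => 'Greeting (Form API)',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('greetbox_form'),
    'access arguments' => array('access content'),
  );
  return $items;
}

/**
 * The pattern to look for in a module review: reads $_POST directly, so the
 * submission carries no form token (no CSRF protection) and the value is
 * concatenated back into HTML without escaping (XSS).
 */
function greetbox_raw_page() {
  $name = isset($_POST['name']) ? $_POST['name'] : '';
  $output = '<form method="post">'
    . '<input type="text" name="name" value="' . $name . '">'
    . '<input type="submit" value="Greet"></form>';
  if ($name !== '') {
    $output .= '<p>Hello, ' . $name . '!</p>';
  }
  return $output;
}

/**
 * Form builder for the Form API version. For logged-in users Drupal 7 adds a
 * form token and form_build_id automatically and rejects submissions whose
 * token does not validate, so the handlers below never see a forged request.
 */
function greetbox_form($form, &$form_state) {
  $form['name'] = array(
    '#type' => 'textfield',
    '#title' => t('Your name'),
    '#maxlength' => 64,
    '#required' => TRUE,
  );
  $form['submit'] = array(
    '#type' => 'submit',
    '#value' => t('Greet'),
  );
  return $form;
}

/**
 * Validation handler: server-side input checks live here, not in the page
 * callback, and a failure is reported with form_set_error().
 */
function greetbox_form_validate($form, &$form_state) {
  if (!preg_match('/^[\p{L} .\'-]+$/u', $form_state['values']['name'])) {
    form_set_error('name', t('Please use letters, spaces, dots, apostrophes or hyphens only.'));
  }
}

/**
 * Submit handler: the @name placeholder makes t() run the value through
 * check_plain() before it is rendered in the status message.
 */
function greetbox_form_submit($form, &$form_state) {
  drupal_set_message(t('Hello, @name!', array('@name' => $form_state['values']['name'])));
}
```

When auditing a contributed module, the quickest signal is the one the first callback shows: any handler that reads `$_POST` or `$_GET` itself and assembles HTML by string concatenation is doing by hand what `drupal_get_form()`, the validate/submit handler pair and `t()`/`check_plain()` already do, and the fix is usually to route the form through the Form API rather than to bolt checks onto the hand-rolled version.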