Hello !

Without trooling, secure is drupal as wordpress is secure. Professional
code etc. You can harden the security configuration of your server and/or
you drupal installation but by default, Drupal is a good solution for a CMS
secure "by default".

Well, after that you can have some security problems due to plugins and
other "home made scripts" on you drupal installation and/or server. But by
default, Drupal is good, as Wordpress or other massively used CMS.

Regards,

Félix.

2011/10/30 Dana Al-Abdulla dana@qcert.org

Considering you use Drupal core and few most popular modules, it is pretty
secure.

But mainly security issues are related to the configuration of this CMS and
the development of new modules.

Here's a book about that
http://www.amazon.com/dp/0470429038/?tag=stackoverfl08-20

Salam

2011/10/30 Dana Al-Abdulla dana@qcert.org

--
--------------------------------------------------------------------
Yasser  ABOUKIR*
*
Phone:  +212 6 69 60 64 82
Visit us:  www.yaboukir.com

I agree with Felix' perspective here: most major open source projects
have reasonably good security. Once they get past the initial growth
period and into widespread use on major systems they are likely to
attract people who care enough about security to make the code and
infrastructure changes necessary to meet some basic levels of quality.

There is a white paper at http://drupalsecurityreport.org/ which
attempts to address the question of whether Drupal is "secure enough
for your organization." Disclosure: I'm a co-author.

Regards,
Greg

--
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com

2011/10/30 Félix Aimé felix.aime@gmail.com

I would say that Drupal is a notch above other CMS such as Wordpress and
Joomla mainly because of how much secure code reviewing is done on the
plugins.
A search on exploit-db may not give the whole picture, but reasonable part
of it.

http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=drupal&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=joomla&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=wordpress&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

Cheers,
Hani

2011/10/30 Félix Aimé felix.aime@gmail.com

--
M. Hani Benhabiles
Twitter: @kroosec

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Agreed. Drupal hit this critical point in the market 3-4yrs ago I think.
Now, they suffer from some of the same issues that hit Joomla, WP, and
others -- plug-in security which Felix touched on.

Keep your plug-ins to a minimum and you should be good. However, most
plug-ins do not go through the same security checks that Drupal goes
through -- you should audit them closely or at very least use
SecurityFocus or something else to search for recent vulnerabilities for
each.

The same goes for WP, Joomla, and others as well.

Thanks.

Mike Duncan
Application Security Specialist
US Government Contractor, STG Inc.
NOAA National Climatic Data Center
Information Technology Security (ITS)

On 10/31/11 11:59, Greg Knaddison wrote:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6uz8kACgkQnvIkv6fg9hZARACbBAAHcLA2V1fy8s6Ub61YP4Eb
hokAn13PEo0OIvH7ff2GMUThciUTEgHT
=tBJf
-----END PGP SIGNATURE-----

On Mon, Oct 31, 2011 at 10:41 AM, Mike Duncan mike.duncan@noaa.gov wrote:

The main announcement point for vulnerabilities in Drupal is
http://drupal.org/security

Contributed project vulnerabilities are listed at this sub-tab
http://drupal.org/security/contrib

You can also get notifications about just the out-of-date plugins
installed on your site from directly within Drupal using it's update
feature (which is enabled by default).

I agree it's worthwhile to monitor something like SecurityFocus as
well in case there are announcements outside of these channels, but
the first step is the announcement channels that come from the Drupal
project.

Hani Benhabiles suggests a method to compare vulnerability counts as a
way to know which project is more secure. I think this can lead to a
lot of false conclusions and do not consider it a complete or
particularly valid comparison process.

Also, thanks to Yasser ABOUKIR for recommending my book ;)

Disclosure: I'm a member of the Drupal Security Team and obviously
very invested in it, so if anything I say seems overly "pro-Drupal"
please let me know or provide a counter-perspective.

Cheers,
Greg

--
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com

Op 31-10-2011 17:54, Greg Knaddison schreef:

cms-explorer is an up-to-date CMS scanner for problems already found on
some CMS systems
(it handles joomla, drupal, and wordpress, etc).
it can be connected to search api on osvdb which gives all the juice
info about unsafe modules connected
on your site.

and indeed, drupal as-if.. is safe.. it's the modules build by other
people who gives the most problems.

auditing the scripts yourself is the best way, but the longest way ;-)

-neusbeer

As I said, general vulnerabilities sites don't show the whole picture but
they show a fair part of it especially when it comes to non targeted
attacks that the OP seems to be concerned about the most. When it comes to
plugins, I believe that Drupal's central repository and security reviewing
is better.

For Wordpress, you can have a look at this
http://spareclockcycles.org/2011/09/18/exploitring-the-wordpress-extension-repos/
or some of Miroslav Stamper's work at http://unconciousmind.blogspot.com/
Shows some mass grep and profit. ;)

Btw, Greg Knaddison's book is awesome, a must read for anyone who's
interested in manually reviewing the plugins they use. :)

Cheers,
Hani.

On Mon, Oct 31, 2011 at 5:54 PM, Greg Knaddison
greg.knaddison@acquia.comwrote:

--
M. Hani Benhabiles
Blog: http://kroosec.blogspot.com
Twitter: @kroosec

Looks like everyone has covered the main points - but I'll add from
experience their
security team is both knowledgeable and responsive I can say from
experience. Which
is not something I can say about other PHP frameworks I've dealt with.

Comments in this thread I second:

• core good
• external community modules always suspect
• modules in central repository better

Many modules issues I've seen are trivially fixed too; they just fail
to do something
simple like call a Drupal FormAPI function that's already there.

Arian Evans

On Mon, Oct 31, 2011 at 12:56 PM, Hani Benhabiles kroosec@gmail.com wrote: