Drupal has a very good track
record in terms of security, and has an organized process for investigating,
verifying, and publishing possible security problems.
Drupal's security
team is constantly working with the
community to address security issues as they arise. More information about this
process can be found in that section of the handbook.
Anyone
using Drupal should subscribe to the security mailing list (by editing your
account profile)
in order to automatically keep up to date with the latest security
advisories of
all types (see below).
Is open source
software secure?
The
short answer is that open source software is as secure or more secure (in
general) than commercial software. A good summary of the relevant issues can be
found in this article from IBM: The security implications of
open source software.
The increased security of using open source was cited as one reason the White House switched to Drupal.
How Drupal
Addresses Common Security Vulnerabilities
Drupal's
API and default configuration are designed to be secure when used in their
default modes. Issues like Injection, Cross Site Scripting, Session Management,
Cross Site Request Forgeries, and others all have standard solutions in the
Drupal API. For a more detailed review of the topic please read the Drupal Security Report.
Why does Drupal
have more (or fewer) security advisories than another project?
The
absolute number of security advisories (especially when including contributed
projects) is a totally meaningless number and should never be used for
comparison. Drupal has over 7000 contributed projects which are scrutinized by
their users for any potential problem, and a security advisory may
be issued for a relatively minor issue. For more information read Security Risk Levels
A security advisory also
indicates the discovery of a potential problem, and also that the problem is
resolved already. It's extremely rare that such security holes are exploited in
the wild prior to the security fix being announced in the security advisory.
Thus, your most important protection is keeping Drupal up to date whenever a
security advisory is issued for Drupal core or contributed code you are using.
On live sites, what
vulnerabilities have been found or exploited?
Professional security audits of
Drupal sites have generally found that the vast majority of security holes (90%
or more) are present in the custom theme or modules written by that site's
developers. That code did not get the same public scrutiny that all code on
drupal.org receives.
In addition, problems at the
server level (such as using insecure protocols like FTP) are more likely to be
the means of a successful attack than a vulnerability in Drupal - especially
Drupal core.
For
information on how to manage security in Drupal, see the Securing Your Site section of the Drupal
Administration Guide.
Drupal's policy is to announce the nature of each security vulnerability once the fix is released.
ReplyDeleteAdministrators of Drupal sites are automatically notified of these new releases via the Update Status module (Drupal 6) or via the Update Manager (Drupal 7).
Drupal maintains a security announcement mailing list, a history of all security advisories, a security team home page, and an RSS feed with the most recent security advisories.
In 2008, eleven security vulnerabilities were reported and fixed in the Drupal core. Security holes were also found and fixed in 64 of the 2243 user-contributed modules.