Drupal, Joomla, Typo3 security from the outside

Max Cyr's picture
  
Wednesday, 16 July 2008 16:44


The OSInet team recently attended Solutions Linux, a trade fair focused on FLOSS, and while chatting with a sales engineer from a company specializing in Typo3, we were asked which CMS we used, and of course answered "Drupal".

At that point, that person flinched somehow, acknowledging that Drupal was indeed one of the "Big 3" in the CMS space, along with Typo3 and Joomla, but was plagued with security issues making it rather unfit for professional deployment, as opposed to Typo3, which took security issues seriously. Continuing the discussion, it appeared that the company had indeed acquired at least some Drupal know-how too, due to customer request, but the person doing the criticizing was not directly familiar with Drupal.

Now, skipping over the fact that criticizing competing products is usually not a sound business practice, and maybe even less so in the FLOSS ecosystem, I wondered why this angle of attack had been chosen against Drupal, and I did some comparisons.

|  | Drupal | Joomla | Typo3 |
|---|---|---|---|
| Security team | page ? Security page | no page found with either internal search engine or google | Security team section |
| Feeds/mailing lists | security announcements page (has feed) | A forum for 1.0 | On the general announcement list |
| Policy | policy page | no page found with either internal search engine or google | policy page |
| Secunia tracker | Drupal | Joomla | Typo3 |
| Security forum | no dedicated forum | two forums: one for 1.0, the other for 1.5 | no dedicated forum |
| Google stats |  |  |  |
| security site:<site> | 31900 | 33200 | 3050 |
| site:<site> | 452000 | 284000 | 121000 |
| Ratio | 7% | 12% | 3% |

So it seems Drupal and Typo3 have chosen rather similar ways of dealing with security issues, while Joomla chose to use forums for the same purpose. FWIW, the same ratio for microsoft.com is 536k/31M = 2%, much closer to Typo3's ratio than to the higher numbers featured by Drupal and Joomla.

The comparatively low appearance of "security" on Typo3's main site, and the very low number of security issues reported by Secunia for Typo3 might be the root of this "unsafe" assumption made by some salespersons about Drupal. However, this might also point to a development process being either less active or conducted in a more "closed" fashion: such blades are always double-edged.

Source: Blog.riff.org
Photo Credit, itsjustanalias
