Published on CMS GLORilla.com, powered by Joomla and Drupal (http://www.glorilla.com)


Drupal, Joomla, Typo3 security from the outside
By Max Cyr
Created 07/16/2008 - 16:44


The OSInet team recently attended Solutions Linux [1], a trade fair focused on FLOSS. While chatting with a sales engineer from a company specializing in Typo3 [2], we were asked which CMS we used, and of course answered "Drupal".

At that point, that person flinched somewhat, acknowledging that Drupal was indeed one of the "Big 3" in the CMS space, along with Typo3 and Joomla, but claiming it was plagued with security issues that made it rather unfit for professional deployment, as opposed to Typo3, which took security issues seriously. As the discussion continued, it appeared that the company had indeed acquired at least some Drupal know-how too, due to customer request, but the person doing the criticizing was not directly familiar with Drupal.

Now, skipping over the fact that criticizing competing products is usually not a sound business practice, and maybe even less so in the FLOSS ecosystem, I wondered why this angle of attack had been chosen against Drupal, and I did some comparisons.

|  | Drupal | Joomla | Typo3 |
|---|---|---|---|
| Security team page? | Security page [3] | no page found with either internal search engine or google | Security team section [4] |
| Feeds/mailing lists | security announcements page [5] (has feed) | A forum for 1.0 [6] | On the general announcement list [7] |
| Policy | policy page [3] | no page found with either internal search engine or google | policy page [8] |
| Secunia tracker | Drupal [9] | Joomla [10] | Typo3 [11] |
| Security forum | no dedicated forum | two forums: one for 1.0, the other for 1.5 | no dedicated forum |
| Google stats |  |  |  |
| security site:<site> | 31900 | 33200 | 3050 |
| site:<site> | 452000 | 284000 | 121000 |
| Ratio | 7% | 12% | 3% |

So it seems Drupal and Typo3 have chosen rather similar ways of dealing with security issues, while Joomla chose to use forums for the same purpose. FWIW, the same ratio for microsoft.com is 536k/31M = 2%, much closer to Typo3's ratio than to the higher numbers featured by Drupal and Joomla.

The comparatively low appearance of "security" on Typo3's main site, and the very low number of security issues reported by Secunia for Typo3 might be the root of this "unsafe" assumption made by some salespersons about Drupal. However, this might also point to a development process being either less active or conducted in a more "closed" fashion: such blades are always double-edged.

Source: Blog.riff.org [12]
Photo Credit, itsjustanalias [13]



Source URL: http://www.glorilla.com/node/68

Links:
[1] http://www.solutionslinux.fr/
[2] http://typo3.org/
[3] http://drupal.org/node/32750
[4] http://typo3.org/teams/security/
[5] http://drupal.org/security
[6] http://forum.joomla.org/index.php/topic,192791.0.html
[7] http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce
[8] http://typo3.org/teams/security/incident-handling/
[9] http://secunia.com/search/?search=drupal
[10] http://secunia.com/search/?search=joomla
[11] http://secunia.com/search/?search=typo3
[12] http://blog.riff.org/2008_02_04_drupal_security_from_the_outside
[13] http://www.flickr.com/photos/itsjustanalias/2086937560/