Security Issues in Drupal

When discussing security issues in Drupal, it helps to compare the product with a competitor, so that the effectiveness of the development team's responses to those issues can be judged in a wider context. Here we look at Joomla, another CMS that is often customised to support e-commerce solutions.

Consider the numbers reported by Packetstorm: up to 2011, 470 issues had been identified in Drupal since 2005, while for Joomla 1,400 issues had been raised since 2006. That is a substantial difference, particularly when you consider that Joomla concentrates its security effort on access-control issues, whereas Drupal casts a much wider net, covering not just the core product but also the additional modules written by third-party developers.

Developers feel that Joomla's limited approach to security is flawed and that the company needs to spend more effort on making its code more secure, particularly because the severity of a typical Joomla exploit tends to be much higher than that of a Drupal exploit.

In both cases the root cause is often an API that is not being used correctly. Both the Drupal and Joomla teams report that many of the issues come from developers failing to follow the API documentation. One of the big concerns with Joomla's handling of external modules is that Joomla itself has no formal testing process for them. Drupal, on the other hand, applies a rigorous review process to any module that wants to be featured by the project: the code is road-tested by several reviewers, and the review includes a check that the correct security approach has been followed.

There is a downside to this for Drupal users in that there are fewer modules to choose from; however, the upside of a much higher level of security can be vital. That is particularly true if you are using Drupal to host an e-commerce platform, where a security breach can cost substantial revenue or even push you out of business completely.

When you are choosing a CMS, security has to be one of the key priorities. It still takes skilled developers with a good understanding of security management to make the most of Drupal's built-in platform security features. A Joomla development team, however, needs to be twice as careful, because the potential for exploitation is that much greater. Drupal's core team has a strong reputation for managing the overall security of the project and of the plug-in content contributed by external developers, which is a good starting point for building the most secure solution.