On Fri, Dec 16, 2011 at 11:27 AM, Gregory Boyce <[email protected]> wrote:
>
>  but you need to take into account that vulnerabilities are not evenly
> distributed across all plugins.  The most commonly used plugins should be
> much more stable/secure than the fringe ones that likely account for most
> of the published issues.
>

True, the top 10 plugins are pretty safe. But you never know what will be
exploited, and you might not have control over what plugins the developer
uses.


> I'd say that recoding the entire site from scratch is MORE likely to
> introduce security issues than hand selecting a few plugins.  At least
> using Drupal and the plugins will allow you to have a source to look for
> newly discovered issues in addition to any code reviews you may want to
> implement on your side.


I totally agree, coding a site from scratch is a bad idea. The
most vulnerable CMS I've ever seen was written from scratch by a
web development company and used by all their clients. But using a
framework is not writing a site from scratch. The frameworks usually
include things like database abstraction, authentication mechanisms, and
form validation. Those are the most exploitable elements.

You also have to look at what your threats are. Very few sites are going to
be threatened by targeted attacks. Most of the attacks will be automated,
e.g., from botnets which are trying to inject links to fake pill sites,
redirect your users to fake anti-virus, or host malware on your site. The
automated attacks are exploiting known vulnerabilities in CMSs. Custom
software is less likely to be exploitable by automated attacks.

Even with targeted attacks, I think good custom software will fare well
against mediocre popular software (and plugins are often mediocre). For
example, remember all the LulzSec attacks? I looked into a few of them; all
the sites I looked at were running open source PHP CMSs, and Drupal was one of
them.

In general I agree that open and widely used software is more secure. In
the case of CMSs, and the predominant threat to them, I think widely used
software is a risk.

-Anton
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/