  #1 dmaui (SitePoint Enthusiast, Sanford, Florida)

    Security and open source CMS

    I'm working with a large (very large) nonprofit that wants to migrate to a CMS from their very maintenance-intensive present site. Last year, they spoke to an expert that suggested they stay away from Joomla and other open source CMS because of security concerns (hacking and the like).

    I have a few questions:
    1. Is that a valid concern? (My gut reaction is yes)
    2. Would a paid solution be more secure or would a custom built solution be really the optimum solution?
    3. If paid solution, what recommendations?

    Thanks for your responses in advance, I look forward to hearing the opinions on this board.
    M A U I M E D I A :: custom web design

  #2 Mittineague (Programming Team, West Springfield, Massachusetts)
    IMHO, open-source apps are primarily only a security problem if they aren't updated as soon as a new release (i.e. with a security fix, not so much for feature enhancements only) becomes available. The problem is that once a security hole is published, the script-kiddies try out the exploit on older applications. So it's more a matter of staying one step ahead.

    Private/custom apps can be just as insecure, or more so, but because the security flaws are not public knowledge, they have to be "tested" for someone to find them.

  #3 Arlen (SitePoint Addict)
    Quote Originally Posted by dmaui View Post
    1. Is that a valid concern? (My gut reaction is yes)
    You should probably make web decisions with something else and reserve your gut for food-related decisions.

    In my experience, closed-source solutions have more security problems than the best open-source ones. It only seems like they don't because the closed folks don't tell you about all the exploits, while the open source projects do.

    Don't get me wrong; I don't mean to imply that open source CMSs are perfect. I don't even think they're very good. But I don't think the closed-source (proprietary) ones are any better, and with open source ones, you can patch around known issues while waiting for an "official" fix, something you can't do with the other solutions.

    But if you can see the source, can't you figure out exploits easier? Yes, and no. Because everyone trying to fix the source can *also* see those exploits. So the easy ones get found quicker and fixed faster in the open source model, because there are orders of magnitude more people fixing them than any single company, even Microsoft, has working on proprietary systems.

    So the easy exploits get fixed in the good OS packages, making the exploits a little more difficult in the long run.

    The security model you're thinking of when thinking closed systems are more secure is known in the trade as "security by obscurity," and any security professional will tell you it's the weakest level of security.

  #4 Mittineague (Programming Team, West Springfield, Massachusetts)
    While it's true that open-source can be looked at by someone specifically looking for a hole to exploit, I think the majority of attacks come following the publication of a hole. That is, script-kiddies are too lazy and not smart enough to work at it. This is one reason why "proprietary" apps appear more secure. It's a lot of work to keep probing a site looking for a way in.

    Much easier to find an "Exploit X found in app Y ver. Z" (sites publishing these can be found easily by searching), find sites running "app Y ver. Z" and attack them, taking advantage of "exploit X".

    Security is complex and has many levels, as Arlen stated:
    Quote Originally Posted by Arlen
    "security by obscurity," .... the weakest level of security.
    While a site obviously made by a "newbie" might be more likely to have weaknesses and attract an attack, any app can have security weaknesses. Don't put yourself behind a false shield thinking that just because it's not open-source it must be more locked down.

    If you really want to have your eyes opened, take a look at ha.ckers.org
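Posts #2 and #4 above describe the same exposure from two sides: a hole is published together with the version that fixes it, and the installs that get hit are the ones still running an older version. The defender's counterpart is a patch-lag check over an inventory of what is actually deployed. The following is an added example written for this edit, not code from the thread or from any CMS project; the advisory list, the hostnames and the app names are all constructed. Versions are compared as tuples of integers because a plain string comparison would rank "1.5.9" above "1.5.10" and silently report an unpatched install as current.

```python
# Added example (not from the thread): flag CMS installs that lag behind the
# release carrying a published fix. All advisory and inventory data below is
# constructed for illustration.
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.5.10' into (1, 5, 10) so comparisons are numeric, not lexical.

    A plain string comparison would wrongly rank '1.5.9' above '1.5.10'.
    """
    return tuple(int(part) for part in v.strip().split("."))


def is_patched(installed: str, fixed_in: str) -> bool:
    """True when the installed version is at or above the first fixed release."""
    return parse_version(installed) >= parse_version(fixed_in)


# Constructed advisory feed: (app, first version containing the fix, note).
ADVISORIES: List[Tuple[str, str, str]] = [
    ("cms-a", "1.5.10", "fix for a published remote code execution issue"),
    ("cms-a", "1.5.7", "fix for a published cross-site scripting issue"),
    ("cms-b", "2.3.1", "fix for a published SQL injection issue"),
]

# Constructed inventory: hostname -> (app, installed version).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "www.example.org": ("cms-a", "1.5.9"),
    "intranet.example.org": ("cms-a", "1.5.10"),
    "donate.example.org": ("cms-b", "2.3.0"),
    "blog.example.org": ("cms-c", "0.9"),
}


def outstanding_fixes(
    inventory: Dict[str, Tuple[str, str]],
    advisories: List[Tuple[str, str, str]],
) -> List[Tuple[str, str, str]]:
    """Return (host, fixed_in, note) for every advisory a host's install is missing.

    Hosts are visited in sorted order so the report is stable between runs.
    """
    findings = []
    for host, (app, installed) in sorted(inventory.items()):
        for adv_app, fixed_in, note in advisories:
            if adv_app == app and not is_patched(installed, fixed_in):
                findings.append((host, fixed_in, note))
    return findings


if __name__ == "__main__":
    for host, fixed_in, note in outstanding_fixes(INVENTORY, ADVISORIES):
        print(f"{host}: upgrade to {fixed_in} or later ({note})")
```

Run against the constructed data, the check reports two hosts: www.example.org is still on 1.5.9 and misses the 1.5.10 fix, and donate.example.org misses the 2.3.1 fix; the 1.5.7 advisory is already covered on both cms-a hosts. Point the same logic at a real advisory feed and a real inventory and it becomes the "staying one step ahead" routine the post describes.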

  #5 dmaui (SitePoint Enthusiast, Sanford, Florida)
    Arlen and Mittineague, you both make good points. I guess I was applying the Microsoft/Apple theory that if it's more distributed, it's more open to hacking. However, as Arlen intimated, if the closed source is full of vulnerabilities, it's no better (and possibly worse) than an OS that has a strong community.

    So between closed source, well supported and open source with a strong community, which would be a better choice in your opinion, for a non-profit, say, on the level of http://www.doctorswithoutborders.org/ (not my client, but similar in the type of site they need and size of organization).
    M A U I M E D I A :: custom web design

  #6 bluedreamer (SitePoint Wizard, Middle England)
    Quote Originally Posted by dmaui View Post
    1. Is that a valid concern? (My gut reaction is yes)
    Yes and no. As Mittineague stated, it largely depends on keeping the software up to date with the latest fixes etc. At the end of the day, how quickly developers react to any security issues might be a factor.

    Quote Originally Posted by dmaui View Post
    2. Would a paid solution be more secure or would a custom built solution be really the optimum solution?
    Not necessarily, though it's in the interests of a commercial developer to keep their application secure, else a serious issue could impact their income if left unplugged for any amount of time.

    Quote Originally Posted by dmaui View Post
    3. If paid solution, what recommendations?
    There are plenty of paid solutions so it's difficult to recommend any particular one. However, as an example of a large high-traffic site, Obama's election site was built using Movable Type and ExpressionEngine. His new site http://change.gov/ is built with just ExpressionEngine.

  #7 (SitePoint Guru, Melbourne)
    Quote Originally Posted by dmaui View Post
    I have a few questions:
    1. Is that a valid concern? (My gut reaction is yes)
    Security is always a valid concern! Some are quite on the ball. Others, not so much. Have a good read of the various vulnerabilities sites and see what's up there. You'll soon get a good feel for what's being quickly addressed.

    Quote Originally Posted by dmaui View Post
    2. Would a paid solution be more secure or would a custom built solution be really the optimum solution?
    Not necessarily. If they were to go with something open source like Drupal I'd recommend they hire or contract an experienced developer to keep an eye on things for them.
