"Count what is countable. Measure what is measureable. What is not measureable, make measureable." -- Galileo

Sunday, April 5, 2009

Plone Security

Last week my Twi-alerts tuned me in to an ongoing Twitter discussion between David Strauss and Alexander Limi. Apparently, it started when the Idealware review came out showing Drupal as having a lower security rating than Plone.

The discussion eventually moved to David's blog where he posted the interestingly titled "Drupal's vulnerability reports are not signs of security weakness." There he cited the Google trends numbers comparing Drupal and Plone. Others have since joined in the fray, including the Idealware authors and quite a few others. VH Wouter cited the graphic comparison of security exploits among PHP and Zope-based CMS.

Let me extend the Google Trends observations by adding Typo3 and Joomla so that we have all the players from the exploits graph.

CMS Color in Graph
Google Average* Exploits
Plone Blue 1.0 10
Typo3 Green 2.6 52
Drupal Red 8.0 164
Joomla Orange 28.4 265
* 12-mo average with Plone normalized to 1.0

Looks like there's a relationship between Google trends and security exploits. If we graph them, a nice logarithmic pattern becomes apparent.

R-squared is 98%! Now one has to be very careful here... correlation doesn't mean causation. This is one of the most common fallacies in all of statisticdom. Here it is in a nutshell from stats.org:
In general, we should all be wary of our own bias; we like explanations.... Without clear reasons to accept causality, we should only accept correlation. Two events occurring in close proximity does not imply that one caused the other, even if it seems to makes perfect sense.
Maybe many eyes means more detected vulnerabilities means safer software. Maybe all the Google searches are because all the Joomla users are desperately looking for fixes to their security holes.

In the end, I think Alex's comment is as good a way of summarizing things as we are likely to get:
Instead of going for the “Drupal is so popular, all bugs are shallow, that's why we have so many security holes” rhetoric, I’d suggest addressing the list of the 10 most common security vulnerabilities in web applications from OWASP. It’s a good checklist that lists the most common attack vectors for web applications these days. If the PHP-based projects (not just Drupal :) can show how they address these, they are on their way to show that they take security seriously.

Plone’s version is here: http://plone.org/products/plone/security/overview

Another way of looking at this is David Guilhufe's analysis (thanks for the link, Laura):
Four Kitchens seems to suggest that part of the reason for more vulnerabilities in Drupal compared to Plone is that it’s more popular. But, if you’ve been an observer to the Linux/Windows FUD wars, you’ll remember that Microsoft has that exact same argument about why there are more security vulnerabilities in Windows as compared to Linux. And the Linux folks say, in response, “It’s not popularity, it’s design.” I’m sure that Four Kitchens, and most open source software developers agree with that perspective. In reviewing Plone, and talking with people who develop for Plone, I was convinced that the reason that Plone had fewer reported vulnerabilities was not just because it was less popular - it’s because it (and Python and Zope) was more secure by design.

I am completely happy with Drupal’s security (otherwise, it wouldn’t have gotten a “Solid.”) I think the Drupal community takes security extremely seriously, and if they didn’t, I wouldn’t have chosen it as a platform for development. I also think that the Joomla and WordPress communities take security seriously. In our estimation, they were all really good. But Plone was just that much better.

The fact that the Idealware review's remarks on CMS security stirred up so much commentary in the Twittersphere and the Blogosphere speaks well for the entire open-source community. Security is serious business and OSS takes it seriously.

1 comment:

Schlepp said...

My apologies to David for the misspelling of his last name. Mia culpa!