Comments on Plone Metrics: CMS Security (comment feed, 7 comments)

Schlepp, 2010-04-30 07:59 (-07:00):

I agree, commenting is a pain. I had to switch to moderated commenting after I started getting routine "Nice post" comments with hidden links to spam. Now after almost 3 yrs and 200 postings, I'm too invested (and lazy) to move.

Re: Quality of 3rd-party modules. It's definitely a case of some being better than others. Occasionally I hear talk about a product QA effort or at least a "thumbs up/thumbs down" system. Don't know what the status of any of that might be right now.

That's one of the fundamental questions for the Web these days: how can you distinguish between and trust different information sources?

Anonymous, 2010-04-30 03:20 (-07:00):

@Schlepp: My apologies, that wasn't clear from the blog post. Maybe you should clarify that?

In that case: impressive! :)

Just one more note: while you need to be approved to be allowed to contribute modules to Drupal.org, not every contributor is very proficient at writing code, let alone security. I'm trying to say: there are lots and lots of crappy modules maintained by crappy developers on drupal.org. Does the same apply to Plone? Just asking out of curiosity.

And FWIW, IMO all CMSes and web frameworks suck. I haven't seen a single one that is 100% awesome. Drupal sucks. Joomla sucks more. Wordpress sucks. Django sucks. And so on. The only API I've seen so far that is 100% awesome is Qt. And that's for desktop app development only.

P.S.: get rid of blogger.com. It stinks. Commenting is a pain and is ridiculous: I don't *want* a blogger profile, I want to link to my own website: http://wimleers.com/.

Steve McMahon, 2010-04-29 21:06 (-07:00):

Plone runs on top of an extraordinary application platform: Zope 2.x. Zope provides a security safety net for Plone add-ons as well as Plone.

Plone doesn't deserve credit for Zope's great security as an app server. And Drupal (per se) doesn't deserve the blame for PHP's poor record.

But it is reasonable when evaluating a CMS to consider the degree to which you will need add-ons, and whether or not those add-ons will be operating on an app-server platform with very little in the way of a safety net.

It's also worth noting that Plone is a *very* feature-complete CMS out of the box. Drupal has, by comparison, followed a micro-core strategy. In some ways it's more of a CMS-base platform than a complete CMS. My point is that evaluations need to be done on the basis of the code quality of what you'll actually use, including add-ons required to meet your need.

By the way, I think that the Drupal core folks deserve huge props for communicating good coding standards to add-on developers in their most current release. In some ways, the story here isn't how good Zope/Plone is on security. It's always been excellent. What's news is how much better the Drupal ecosystem is doing than it used to, and how much better they've gotten than the rest of the PHP world. If you absolutely must use PHP for a web CMS, and if (despite that requirement) security remains a concern, Drupal is a much better bet than other PHP solutions.

Ice, 2010-04-29 18:27 (-07:00):

Ironically, the *vast* majority of those security reports for Drupal were on contributed modules that did not use the core Drupal API.

Schlepp, 2010-04-29 17:35 (-07:00):

Thanks for your comment, Wim. Like I said, this is without a doubt the most contentious subject I touch on in this blog.

The methodology I documented gives the results stated in the table as of 27 April 2010. Enter "Drupal" in the NVD search box and that's what you get. The facts are straight, in so far as the NVD reports them.

The NVD is including contributed modules for all the other systems as well. Since Plone sports 3639 products, it should be facing the same magnitude of handicap in the NVD. The other CMS's are in the same boat.

Other authors who have discussed this subject in the past have pointed out that core products are rarely used alone, but what constitutes a fair selection of add-ons for any particular system? I have relied on a specified, explicit, and repeatable methodology to arrive at comparable numbers.

I may in some future post extract the numbers for just the core CMS's, but given the length of some listings, this will have to wait until I have more time.

One final note: you correctly point out that a Drupal bug fix is in place. For many, many of the NVD vulnerabilities, the CMS developers involved have responded aggressively to deal with them. I do not want to impute that any CMS community mentioned here is taking security lightly or being cavalier about this matter.

Anonymous, 2010-04-29 16:28 (-07:00):

For Drupal's vulnerabilities: you must have looked at *all* vulnerabilities, that is: Drupal core + its >5000 contributed modules.

Because Drupal core has only had one security advisory (with a corresponding release that fixes the bug) in 2010 so far …

Get your facts straight first ;)

Source: http://drupal.org/security

Ken Wasetis <at> ContextualCorp <dot> com, 2010-04-29 08:00 (-07:00):

Excellent post! I always make a point to bring up Plone's security record (not typically bringing up the poor records of the other tools, though.)

I think that the inherent NoSQL model that Plone uses out of the box plays a big part in its superior security: no SQL-injection techniques allowed, and that's one of the most common vulnerabilities of all web apps, and especially PHP ones, it seems.

It also helps that Plone and Zope do security checks on every item on the page (links to other pages that you shouldn't be able to access are hidden, such that, for example, your search results differ from another user with different permissions/roles.)

This security argument for Plone and the comparison to how other tools are doing does need to be kept up each year, though, so a sincere thanks for going through the effort to update the current state of affairs.