"Count what is countable. Measure what is measurable. What is not measurable, make measurable." -- Galileo

Tuesday, April 27, 2010

CMS Security

I'm still trying to catch up on blog posts after March with jury duty and emptying out my parents' home of 40 years.  For World Plone Day 2010 I thought I'd bring up one of my favorite contentious subjects:  security.  Seems like every year some pundit runs through the security arguments for CMS.  Here's my chance to get ahead of the curve.

First, the methodology.  Candidate CMS's are the top ten listed in CMS Matrix when sorted by compares (BTW, Plone comes in sixth).  The source for my security data is the National CVE and CCE Vulnerability Database, searching each candidate CMS for vulnerabilities listed in the past 3 years and past 3 months.  The vulnerabilities at the highest severity level reported in the past 3 months were counted and totaled as a "Seriousness" score.  Here they are in alphabetical order.

CMS         3 yr. vuln.  3 mo. vuln.  Seriousness
DotNetNuke           13            0  0
Drupal              266           16  6 medium
Joomla              426           87  36 high
Mambo                85            0  0
PHP Nuke              6            0  0
Plone                 8            0  0
TYPO3               224           44  26 high
WebGUI                9            0  0
WordPress           141            6  4 high
Xoops                65            3  1 high
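To make the scoring rule above reproducible, here is an added example (my own code, not from the post or from CMS Matrix/NVD) that applies the same three measures to a list of NVD-style records: entries in the past 3 years, entries in the past 3 months, and a "Seriousness" score that counts the 3-month entries sharing the highest severity seen in that window.  The product names, ids, dates and severities in SAMPLE_RECORDS are constructed for illustration and describe no real product or CVE; a real run would load the same fields from the NVD feed.  rank_products is my own ordering and is not something the post does.

```python
"""Vulnerability-count scoring over NVD-style records.

Constructed example: the records below are invented for illustration and do
not describe any real product or CVE.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# NVD v2-style qualitative ratings, ordered from least to most severe.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass(frozen=True)
class VulnRecord:
    """One vulnerability entry, reduced to the fields the scoring needs."""
    vuln_id: str      # placeholder id, not a real CVE number
    product: str
    published: date
    severity: str     # LOW / MEDIUM / HIGH


# Constructed sample data (assumption: product names and ids are made up).
SAMPLE_RECORDS = [
    VulnRecord("EXAMPLE-0001", "cms-alpha", date(2010, 3, 15), "HIGH"),
    VulnRecord("EXAMPLE-0002", "cms-alpha", date(2010, 4, 1), "MEDIUM"),
    VulnRecord("EXAMPLE-0003", "cms-alpha", date(2010, 4, 10), "HIGH"),
    VulnRecord("EXAMPLE-0004", "cms-alpha", date(2008, 6, 1), "LOW"),
    VulnRecord("EXAMPLE-0005", "cms-alpha", date(2006, 1, 1), "HIGH"),  # older than 3 years
    VulnRecord("EXAMPLE-0006", "cms-beta", date(2010, 2, 20), "MEDIUM"),
    VulnRecord("EXAMPLE-0007", "cms-beta", date(2009, 11, 5), "LOW"),
    VulnRecord("EXAMPLE-0008", "cms-gamma", date(2008, 12, 12), "HIGH"),
]


def score_products(records, as_of, long_days=3 * 365, short_days=90):
    """Return {product: {"3yr", "3mo", "seriousness", "level"}}.

    3yr / 3mo count entries published between the respective cutoff and
    as_of, inclusive.  Seriousness is the number of entries in the short
    window that share the highest severity seen there; level names it.
    """
    long_cutoff = as_of - timedelta(days=long_days)
    short_cutoff = as_of - timedelta(days=short_days)
    by_product: dict[str, list[VulnRecord]] = {}
    for rec in records:
        by_product.setdefault(rec.product, []).append(rec)

    scores = {}
    for product, recs in by_product.items():
        recent_long = [r for r in recs if long_cutoff <= r.published <= as_of]
        recent_short = [r for r in recent_long if r.published >= short_cutoff]
        if recent_short:
            top = max(recent_short, key=lambda r: SEVERITY_RANK[r.severity]).severity
            seriousness = sum(1 for r in recent_short if r.severity == top)
        else:
            top, seriousness = "", 0  # blank level mirrors the post's table
        scores[product] = {"3yr": len(recent_long), "3mo": len(recent_short),
                           "seriousness": seriousness, "level": top}
    return scores


def rank_products(scores):
    """Order products from most to least exposed: severity level first,
    then the seriousness count, then the 3-month and 3-year totals."""
    return sorted(scores, key=lambda p: (
        SEVERITY_RANK.get(scores[p]["level"], 0), scores[p]["seriousness"],
        scores[p]["3mo"], scores[p]["3yr"]), reverse=True)


def format_table(scores):
    """Render the scores in the plain-text layout the post uses."""
    lines = [f"{'CMS':<12}{'3 yr. vuln.':>11}  {'3 mo. vuln.':>11}  Seriousness"]
    for product in sorted(scores):
        s = scores[product]
        lines.append(f"{product:<12}{s['3yr']:>11}  {s['3mo']:>11}  "
                     f"{s['seriousness']} {s['level'].lower()}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    result = score_products(SAMPLE_RECORDS, date(2010, 4, 27))
    print(format_table(result))
    print("Most exposed first:", ", ".join(rank_products(result)))
```

Note that the windows are measured from an explicit as_of date rather than today(), so the numbers stay reproducible when the script is rerun later against the same snapshot of records.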

Second, the results.  I'm pleasantly surprised that 5 out of 10 turned up with no vulnerabilities in the past 3 months. However, of those only PHP Nuke has a better 3-year number of vulnerabilities.  TYPO3 and Joomla have a much larger number of vulnerabilities rated "high" by the National Vulnerability Database than all the rest combined. 

Typically one hears defenses like "CMS x has more vulnerabilities reported because it is more popular/has a larger install base and therefore has more eyes looking for problems."  That's the same argument Microsoft put forward for all its security flaws when compared with Linux.  You don't want to go there. 

But even putting aside the logical fallacies in such arguments, both pro and con, it's clear that systems with more security flaws require more effort to patch and lock down.  The bottom line is that more flaws mean more chances for the sys admin to slip up and more opportunities for the bad guys. 

By way of an anecdote, at my day-job our computer security people were much relieved to learn that we were using a non-PHP-based CMS.  On that note, Happy World Plone Day 2010. 

Plone and the Wonder Wheel

If you google for a term, let's say, "CMS," you'll notice a little "Show options" link at the upper left that you probably use for narrowing down date ranges or filtering news items and images.  About 3/4ths of the way down the list of options is one called "Wonder wheel."  It displays a spoked wheel labeled with, for lack of a better term, interesting links.  The usual top 10 search results appear in a column to the right.

From the CMS wheel, clicking on one of the spoke's links, for example, "Content Management Systems," opens a second wheel, to wit:

What I find interesting is the difference between the top 10 search results and the spokes, looking at which CMS's turn up within each "spin" of the wonder wheel.  At the first level ("CMS"), most results are disambiguation links.  The only specific systems listed are CMS Made Simple and concrete5, even though "microsoft cms" is one of the spokes.

At the second level, the spokes show ".net content management system," "php nuke," and "microsoft content management system."  The top 10 results now return a few general links plus Alfresco, Pligg, LightCMS, ModX, Drupal, Joomla!, and Plone.  Oh yes, there are some sponsored links at this point.  From here on out, there are always three commercial systems turning up as sponsored links. 

Beyond this, the combinations and alternative paths become numerous.  Following "enterprise content management system" takes us to a wheel with mostly general spokes, but two specific systems garner a spoke each.  Six of the top 10 results are specific systems, none Plone.

Backing up and following "open source content management system," WordPress, CMS Made Simple, and Drupal each label a spoke.  Six of the top 10 results are specific systems, one of which is Plone. 

Backing up once again and following "web content management system" gets us a wheel with only general categories for spokes but 5 out of the top 10 results are specific systems, none Plone. However, selecting the awkward "web content management system open source" spoke takes you to the first wheel in this chain where Plone has a spoke of its own. 

All this raises some questions:
  • What determines whether an item appears on a particular wonder wheel?  
  • What determines an item's position on the wonder wheel?  
  • Why doesn't Plone have a position somewhere in the daughter wheels of "open source content management?"  
  • What needs to be done to get Plone to turn up in more wheels?  
I guess it's that last question that I want to toss out to the Plone community as we count down the final hours to World Plone Day 2010. I can't say that wonder wheels are becoming the new way to search--for one thing, they're not available on Google's mobile page for my Droid.  But I can't help thinking that under the hood a better wonder wheel position translates to better SEO behavior in general.  Your thoughts, please.

Wednesday, April 21, 2010

Plone at my Day Job

Way back in November of 2007, I published a graph of the growth of our Plone projects at my day job.  Michael Bernstein asked me to update that graph a couple months ago.  Here it is almost May and I'm finally getting around to it.

The blue points show the total number of sites constructed over time based on the date of creation.  The yellow points represent the net number of active sites (total sites minus ones no longer in use).  You can see that about 60% of our sites are active at any one time but that we've had very steady growth in the past 5-6 years.

Even though things are flattening out a bit, we find our current projects are much larger and have more sophisticated requirements.  Also, we've been migrating old 2.5 sites up to 3.x these past 6 months and that's kept us busy.  On top of that, we're finally getting some internal customers to think more broadly about site reuse.

For example, the site for our UNSCR 1540 training grows with each new workshop in the program.  A couple years ago each workshop would have had a separate, short-lived website.  Now one large portal serves to connect students who participate in different workshops and has a life beyond a single conference.  New students have access to previous workshop material and, like any good Web 2.0 phenomenon, the 1540 portal gains value exponentially as the user base grows. 

Google Analytics (below) shows that the 1540 portal has garnered a widespread audience.  Unfortunately, things haven't picked up in Africa, which is disappointing given that the last workshop was in Nairobi back in February. Even so, we've got a sizable piece of the world covered and that's a good thing. 

Sunday, April 11, 2010

Quarterly Amazon Sales Rank Stats

It's time for me to pull myself away from the Herculean task of emptying out my parents' house and get back to our regularly scheduled program.  It's the beginning of the quarter when I usually take a moment to see how Plone titles are faring over at Amazon.com.  Here's the latest sales rank statistics for Plone texts: 

From the zigs and zags you can see that Amazon sales ranks, as always, aren't very stable.  Julie Meloni's "Plone Content Management Essentials" took a huge leap.  (Remember, a low sales rank is a good thing.)  And in fact, just about all Plone texts improved their sales ranks.  Four books have sales ranks below 200,000 and only three had their rank go upwards (Rose, Cooper, Lotze and Theune).  Frankly, I'd have to say this trend, if it continues, could indicate a healthy turn of affairs just in time for Plone 4.

Thursday, April 1, 2010

Mobile Plone

A colleague sent me an article on mobile computing this afternoon and among other things, it inspired me to take a look at what's shaking with Plone and mobile devices.  Google Analytics for the past five months has been tracking mobile device stats.  You can find it under Visitors | Mobile | Mobile Devices.

Using Plone.org as an exemplar, Analytics tells us that less than 1% of visitors are using a mobile device.  Conveniently, Analytics breaks this down by operating system. Looks like iPhone is the clear winner at the moment, even with the small sample size. 

iPhone 65%
Android 10%
iPod 10%
SymbianOS 8%
BlackBerry 2%
Other 5%

One can also group by browser and here Safari comes in with a resounding 80% followed by a weak 13% for Mozilla Compatible Agents.  NetFront has 1% while Opera, IE, BlackBerry and the rest trickle in at less than 0.8% each. 

The mobile usage statistics are quite different from our average Plone.org visitor.  Pages per mobile visit average 2.5 while the site average is 4.4.  Average mobile time on site is 2 minutes vs 4.5 for the overall average.  Mobile users are not going deeply into the site and are leaving quickly.  Looks like some refactoring for mobile would be helpful to this small but growing population of site users.

There is a barely perceptible upward trend in mobile visitors over the five months for which we have data.  The daily stats are very noisy with lots of variability from day to day.  I'll continue to track this over time and see where it leads. 

Meanwhile, be thinking about your own sites and how users with mobile devices are experiencing them.  Give some thought to Jakob Nielsen's remarks on mobile usability.  Mobile devices are set to become the dominant means by which a huge chunk of the world's population gets to the Web.  Don't leave them out.