How does Drupal security compare to Plone?

Note:

It would be great if the comparison includes V.7 for Drupal and V.4 for Plone.

thanks

+4
5 answers

The security of the core framework is fairly solid in both cases; problems are almost always found in add-on modules, so you need to evaluate each module you plan to use individually.

+2

Here is a good overview of how Plone handles the 10 most important security issues in the world of web applications:

http://plone.org/products/plone/security/overview

Organizations such as the FBI, the CIA, and the European Network and Information Security Agency (ENISA) use Plone, if that is any indicator.

Plone has the best security track record of any major CMS, and we take this very seriously. We have an architecture built around a sandbox, ACLs, and a powerful security model.

Drupal has a pretty terrible security record (see the CVE numbers cited in another answer), as do the other two main PHP-based frameworks (WordPress and Joomla). Plone is based on Python, but you probably already know that.

Plone makes it easy to create secure add-ons because we have a proper security model that makes it quite difficult to write code that is inherently unsafe. This is different from any other system and is another major difference.

(And yes, this answer is biased; I am one of the founders ;)

+14

When you search the official CVE vulnerability database, you get the following numbers:

Last 3 years: Plone 8, Drupal 282.

Last 3 months: Plone 0, Drupal 9.

The underlying Plone architecture seems to be much more secure. Actually, I do not know Drupal, but I know what that means. There are no SQL injection bugs, because behind it is an object database rather than SQL. It is a long-running Python program rather than a set of PHP scripts, which makes it easier to build a reliable security mechanism that is harder to break or to misuse.

(Note: I just did a simple keyword search on http://web.nvd.nist.gov/view/vuln/search. Not all the results that I see for Drupal can be attributed to Drupal; it seems there are some OS-level vulnerabilities that somehow appear in the search results.)

+3

It is hard to compare Plone and Drupal on equal metrics. CVE is not a definitive comparison, and it proves how valuable it is as an indicator of the relative security of software. Of the 282 Drupal CVEs, how many were there for the Drupal core? Not 282.

limi may argue that the architecture is more secure and point to Plone's answer to the OWASP Top Ten. Drupal can do the same. And the "who uses it" argument? Well, Whitehouse.gov uses Drupal, as do a large number of other government and "corporate" organizations.

+1

Drupal has several orders of magnitude more developers; the higher number of vulnerabilities discovered can also easily be attributed to more people looking for them. These statistics can easily be protected by obscurity.

0