I was once using Joomla as my CMS, and really had a tough time "getting my site secure" for several reasons. Well, web security is such a big topic, from the operating system down to the tiniest details. This particular blog post is simply based on my experience and only touches on topics related to the CMS being used (Joomla and Drupal) and the practices around it.
My main objective here is not to argue which is superior but simply to highlight to Drupal developers that they should take precautions, and maybe give you something to think about. Yes, I really don't want "Drupal" tagged as a defacement in http://www.security.org.my !!! Sad to say, Joomla is the "boldest" tag there.

To those developers who are still practicing Joomla (Joomla experts?), please feel free to comment and correct me.
First of all, let's look at their security teams.
Goals of the Drupal security team
- Resolve reported security issues.
- Review code for potential security weaknesses.
- Provide assistance for contributed module maintainers in resolving security issues.
- Provide documentation on how to write secure code.
- http://drupal.org/security
Goals of the Joomla security team
- Investigate and respond to reported core vulnerabilities.
- Execute code reviews prior to release to identify new vulnerabilities.
- Provide public presence regarding security issues.
- Help the community understand Joomla security.
- http://developer.joomla.org/security.html
- While the Drupal security team has 37 people, the Joomla security team has only 7. So one can imagine, with such resources, what scope of work and what turnaround time we could expect.
- The Joomla team is only concerned with core vulnerabilities. If you are like me, back then I was using so many "FREE" extensions and themes. So, would the Joomla team "assist" the extension developers? I really don't think so. It is even worse if the extensions are NOT FREE: not only does another developer like myself never get a chance to try them, since I would have to pay, I could never see the code either. Furthermore, those extensions are theirs, so they are solely responsible for everything, I guess.
Drupal is different: its security team WILL assist the developers of contributed modules. I have read that they are very cooperative. They will even verify that a vulnerability has actually been rectified before releasing an announcement. If a vulnerable module is not patched within a specified period of time from the date it was reported, the module will be taken out of the project list. Cool!
- So, Joomla experts ... you have modified a lot of code in your extensions. For me, it was mainly hacking the code for appearance, i.e. removing certain fields, changing table sizes, colours, backgrounds, and more theming stuff. I don't recall Joomla having "themeable functions" that you can override without hacking the extension code. I doubt it, as the theme is hard-coded into the extension. That's why I prefer Drupal.
What's the impact? Whenever a new vulnerability came up in Joomla, I would be pissed, as I had to compare, merge and probably lose certain modifications because there were too many!!! In Drupal I just replace the whole module folder, since I didn't touch the module code. Thanks to Drupal hooks, anything I change lives in the theme and is not affected by the upgrade. Hey, this applies to version upgrades too!
Joomla sites may look pretty, especially with templates from RocketTheme (what messy CSS), but they will be difficult and time-consuming to keep up to date.
- I love Drupal modules. In this case, head down to http://drupal.org/taxonomy/term/69 and amaze yourself with all sorts of security-related modules that make your Drupal site more secure. In Joomla, back then I was more concerned with making my site beautiful.
- When using so many modules, how do you keep track? More modules or extensions, more vulnerabilities, right? You could sign up to their security mailing lists. Exabytes also has such a mailing list, or an RSS feed. Then you'll end up with many alarming notifications for extensions or modules you are not even using. Thankfully, in Drupal there's "Update Status", which notifies you if a particular module you are using has a security upgrade. It can be configured to email you the notification daily or weekly, for security updates only or for any module that has a version upgrade. Red messages will appear to the administrator on every page until the security vulnerability has been rectified. Yeahh ... I can now sleep better.
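As an added example (not code from the original post, and not Drupal's own source), here is what "change it in the theme, not in the module" looks like in a Drupal 6 theme's template.php. The theme name `mytheme` and the CSS class names are assumptions; everything else uses core Drupal 6 functions. The module folders under sites/all/modules stay untouched, so a security release is applied by replacing the folder, and the appearance changes survive because they live in the theme.

```php
<?php
// template.php of a hypothetical Drupal 6 theme named "mytheme" (assumed name).
// Added example, not from the original post: the module files are never
// edited, so a security release is applied by replacing the module folder,
// while the appearance changes below live in the theme and survive upgrades.

/**
 * Override of theme_username(): Drupal checks the theme registry for
 * mytheme_username() before falling back to user.module's theme_username().
 * This is the kind of "appearance" change (shorter names, a CSS class) that
 * a Joomla user would otherwise make by editing the extension's code.
 */
function mytheme_username($object) {
  if ($object->uid && $object->name) {
    // Truncate long names for layout, as core does. Usernames are
    // user-supplied, so they are treated as untrusted everywhere below.
    $name = drupal_strlen($object->name) > 20
      ? drupal_substr($object->name, 0, 15) . '...'
      : $object->name;
    if (user_access('access user profiles')) {
      // l() runs check_plain() on $text by default, and drupal_attributes()
      // escapes attribute values, so nothing is double-escaped here.
      return l($name, 'user/' . $object->uid, array(
        'attributes' => array('class' => 'poster', 'title' => $object->name),
      ));
    }
    // Not linked: escape explicitly before printing.
    return '<span class="poster">' . check_plain($name) . '</span>';
  }
  // Anonymous posters keep core's behaviour.
  return check_plain(variable_get('anonymous', t('Anonymous')));
}

/**
 * Preprocess hook for node.tpl.php. Instead of deleting a field from the
 * module that produces it, expose a per-content-type class here and hide or
 * restyle the field in the theme's style.css.
 */
function mytheme_preprocess_node(&$vars) {
  // Content type machine names are admin-defined, but this string ends up in
  // an HTML attribute, so escape it anyway.
  $vars['type_class'] = 'node-type-' . check_plain($vars['node']->type);
}
```

After adding or renaming theme functions in template.php, the theme registry has to be rebuilt (clear the cache under admin/settings/performance) before Drupal picks up the override; node.tpl.php can then print `$type_class` in its wrapper element. The security-relevant habit is the one shown in both functions: an override is still output code, so user-controlled values go through `check_plain()` or `l()` exactly as they would in the module.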


Najibx - xWeb
Drupal Acquia partner in Malaysia
Comments
Back when I was still an undergraduate, we breached our local ISP in our residential college and our library (got suspended for 1 semester for this, but then got hired) using an ancient packet encapsulation method. They (the ISP) were running the software an***** for wifi authentication with very funny private/LAN IP allocation. We tried to convince them with proof that their network was breakable, but since we were not software/network engineering students, no one listened. They said that software was the most secure and was used by many hotels and hotspot providers. As a result, the guys and the gals got their unlimited free internet for as far as I remember...
It doesn't matter what software we use, security issues should be treated as the first priority. The funny thing about .gov.my sites is, though they paid thousands and millions for the site, there are no (or few) maintenance security audits or whatsoever. So the IT dept is like someone drawing a salary for doing nothing every day, and only looking up after bumping their head. Most of the hacked sites are running on IIS with PHP (funny), or ASP.NET (improper SAPI write/read permissions). Luckily for the gov sites, when bad things happen, they recover and fix things up. At least someone is aware!
I do agree with your points. A few points to add:
Thanks,
M.Khalemi (MCP,MCTS,Certified Acquia Partner)
www.hostwaves.com