Hi guys. Today I had a small conversation with the CEO of one BIG company which has many large websites and I brought up Drupal. He told me that they wanted to use a CMS for some of their websites and eventually they've picked WordPress. Nothing wrong with that, but he told me that Drupal wasn't selected because it is very unsafe with many bugs (the research was done by some woman in their company, I don't know her background but I'd bet she was just some secretary/assistant). I told him that it is f***ing bullshit and even told him that the White House is running on Drupal but he didn't care. So I would like to show him some real data that proves that Drupal is
a) safe
b) bugs are fixed in a short time
c) WordPress is worse in both
Can any of you point me to some bulletproof data? I need real data/statistics, not just someone's opinion (blog/article), so don't post links to those. Thank you.
Comments
Here is some helpful ammo.... http://drupalsecurityreport.org/about-drupal-security-report
I know about that but there is actually no data.
www.spherea.eu Shopping cart SaaS provider
=-=
In fact, there is data contained within that security report on page 4, as well as references as to how that data was mined and collated. What metrics are you seeking that aren't provided by the report?
I agree with VM, the report includes the data we felt was meaningful to review. If you think there are other statistics that could prove a point, please let's talk about them.
"Data" means very little when looking at security. It makes people feel good, but has little relevance. You have to consider that Drupal tracks, remedies and announces vulnerabilities not only in core but also in all of the contributed modules that are hosted on drupal.org (which is most of the 3rd party modules). WordPress doesn't track the vulnerabilities in 3rd party code.
Even if you just compare Drupal core to WordPress core...what would the data show? It shows how many bugs have been found, but not the number that have not been found yet. It also can't really show how impactful a bug is to your site. For example, if you do not have any private content on the site then you don't care about access bypass issues related to content. That's one of the largest forms of issues that Drupal has in terms of numbers.
In addition to the drupalsecurityreport.org resource, I suggest also looking at http://drupal.org/documentation/is-drupal-secure
--
Drupal Security Report | Cracking Drupal: Security Book from Wiley
I just had an idea
Would it be possible to get data from drupal.org about issues (only the Drupal project) without the need to program a custom crawler?
With such data it would be quite easy to compute the number of issues, the average time for issues to be fixed and committed, and such.
www.spherea.eu Shopping cart SaaS provider
If you are talking about security issues then that is stored in a private issue tracker so a crawler wouldn't work. I do keep some levels of statistics on this, but the team has not agreed to release that data. Much of it is inaccurate because we've used a mix of mailing list and issues over the years.
I don't believe any other similar open source project has released that kind of data about their security issues. I hope that some day the Drupal project can release at least some of this information.
--
Drupal Security Report | Cracking Drupal: Security Book from Wiley