The full report is linked.

IBM Internet Security Systems X-Force®
2008 Mid-Year Trend Statistics (PDF)

IBM Internet Security Systems has published its Mid-Year Trend Statistics report which, among other things, highlights trends in malware and phishing, and ranks vendors, open source projects, and even languages by security breach disclosures.

The fact that Drupal, along with Joomla! and WordPress, has made it onto their list is testament to how far open source projects like those three have come in the last few years. Like most sensible people, I'm on the Drupal security announcement mailing list, so if any vulnerabilities are identified we all know about them very quickly.

The report is interesting, but what's a little annoying is that I notice the vast majority (if not all) of the vulnerabilities that have cropped up over the years on drupal.org have been related to contributed modules, i.e. I cannot remember any significant vulnerabilities reported about Drupal core. I'm sure that's the same for Joomla! and WordPress; in other words, it's inevitable that this will happen with so many people contributing plugins, add-on modules and extensions. It's just a pity that the report doesn't point that out. Maybe it does, in the small print somewhere, and it does report that 74% of risks are related to third-party software (page 42 of the report)... but still.

I would guesstimate that if they analysed Drupal security risks, contributed modules (not core modules) would be the source in the 97% region.

Note: for those who don't want to go through the full report, you can jump to page 10, where it's explained why Joomla!, Drupal and WordPress are new additions to the list ("New Vendors in the Top Vendor List").


Comments

dan_k:

I think you're misreading the chart on page 42. The 74% figure relates to Type II Virtualization Vulnerabilities. The chart specifically notes it "Does Not Include Vulnerabilities in Third-Party Software."

But yes, as we know, the majority of exploits come through third-party extensions.

Phillip Mc:

You're right, I did misread that chart. Thanks for pointing it out.

I scanned the document a few times looking for more info on web vulnerabilities and just spotted that chart in passing.

I didn't follow the link on page 10 that explains the new standards to classify vendor vulnerability. For me, it's not a big issue; I know the basics when it comes to protecting a Drupal site from XSS, SQL injection etc., but when explaining the pros and cons to a prospective client, security is bound to be raised in discussion, and what I was trying to extrapolate from the document was the ability to describe in layman's terms whether the risk comes more from PHP than from contributed modules. All three open source projects in the list are PHP based and rely on contributions.

Any thoughts on that?

Also, I can't help but wonder whether the report is over-egging the vulnerability side of things. I mean, Joomla! is ahead of Microsoft in the list of vendors with the most vulnerabilities disclosed... that's a truly astonishing statistic.

On the flip side, like I said earlier, it just goes to show how far open source projects like Drupal, WordPress & Joomla! have come.

dan_k:

Yes, the bulk of known exploits for Joomla and Drupal pertain to 3rd party software extensions, not the core product, and I assume it is the same with WordPress, except for word of recent exploits like these: http://www.techcrunch.com/2008/06/11/my-blog-was-hacked-is-yours-next-hu...

This is something you can demonstrate by reference to the actual reports of the exploits. I follow Drupal and Joomla updates and security bulletins--also via Secunia. It's overwhelmingly 3PD stuff--especially abandonware and obsolete versions--that shows up in the exploit list.

I'm not sure what meaningful information comes from comparing the number of disclosed vulnerabilities in Joomla (two CMS version lines and several thousand extensions) with the number of disclosed vulnerabilities in (all?) Microsoft products.

It's not surprising if there is a lot more scrutiny and disclosure for a popular open source application: there are a lot of targets (many installations, and many of them by clueless or sloppy amateurs on cheap hosts), PHP/MySQL is wide open and relatively easy to learn, and there is almost no consequence for cracking a site built with Joomla, Drupal, or WordPress. Using a FOSS CMS announces you probably don't have the time, money or clout to nail crackers.

All your clients really need to understand is that they need to monitor security and new release bulletins for whatever CMS they use and all the add-ons they install. Then make timely upgrades and look out for abandonware. If they're not up to doing this, they had better pay someone else to do it or make sure they have good backups to fall back on.

More discussion on this topic at C-Net: http://news.cnet.com/8301-13505_3-10004048-16.html
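Taking dan_k's advice above as a concrete procedure (track release and security bulletins for the CMS and every add-on, upgrade promptly, and flag abandonware), here is an added example in Python. It is not code from the original post or from the Drupal project. It reads the `project` and `version` keys from the `.info` files that Drupal contributed modules ship with, compares each against a release-history feed in the XML shape served by updates.drupal.org/release-history, and reports modules that have missed a security release, are unsupported (abandonware), or are merely behind, together with how many days the site has been exposed since the missed security fix was published. The `.info` text, the feeds, the module names and all dates below are constructed samples, not real release data, and the `SEVERITY` ranking is this example's own choice.

```python
"""Audit installed Drupal contributed modules against release-history feeds.

Added example; not code from the original post or from the Drupal project.
Inputs are constructed samples: the .info text mimics what contributed modules
ship with, and the XML mimics the updates.drupal.org release-history shape.
"""
import re
import xml.etree.ElementTree as ET

T0 = 1_215_000_000  # constructed epoch timestamp for the sample release dates
DAY = 86400

# Constructed .info files keyed by module directory name (not real versions).
INFO_FILES = {
    "views": 'name = Views\nproject = "views"\nversion = "5.x-1.5"\ncore = 5.x\n',
    "oldmod": 'name = Old Module\nproject = "oldmod"\nversion = "5.x-1.0"\ncore = 5.x\n',
    "cck": 'name = Content\nproject = "cck"\nversion = "5.x-1.8"\ncore = 5.x\n',
}


def _release(version, date, kind):
    """Build one constructed <release> element in the release-history shape."""
    return (f"<release><version>{version}</version><status>published</status>"
            f"<date>{date}</date><terms><term><name>Release type</name>"
            f"<value>{kind}</value></term></terms></release>")


# Constructed release-history feeds keyed by project short name.
FEEDS = {
    "views": "<project><short_name>views</short_name><project_status>published"
             "</project_status><releases>"
             + _release("5.x-1.6", T0, "Security update")
             + _release("5.x-1.5", T0 - 60 * DAY, "Bug fixes")
             + "</releases></project>",
    "oldmod": "<project><short_name>oldmod</short_name><project_status>unsupported"
              "</project_status><releases>"
              + _release("5.x-1.0", T0 - 400 * DAY, "New features")
              + "</releases></project>",
    "cck": "<project><short_name>cck</short_name><project_status>published"
           "</project_status><releases>"
           + _release("5.x-1.8", T0 - 30 * DAY, "Bug fixes")
           + "</releases></project>",
}

SEVERITY = ["current", "outdated", "abandoned", "security"]  # least to most urgent


def parse_info(text):
    """Parse 'key = value' lines of a Drupal .info file; quotes are optional."""
    info = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w.]+)\s*=\s*"?([^"\r\n]*?)"?\s*$', line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def version_key(version):
    """Order '5.x-1.10' above '5.x-1.9' by the numbers after the core prefix.
    Pre-release suffixes (-beta1, -rc2, -dev) are ignored, so they compare
    equal to the release they precede; good enough for an update check."""
    tail = version.split("-", 1)[1] if "-" in version else version
    return tuple(int(n) for n in re.findall(r"\d+", tail.split("-")[0]))


def parse_release_history(xml_text):
    """Extract project status and published releases, newest version first."""
    root = ET.fromstring(xml_text)
    releases = []
    for rel in root.iter("release"):
        if rel.findtext("status") != "published":
            continue
        kinds = {t.findtext("value") for t in rel.iter("term")
                 if t.findtext("name") == "Release type"}
        releases.append({"version": rel.findtext("version"),
                         "date": int(rel.findtext("date")),
                         "security": "Security update" in kinds})
    releases.sort(key=lambda r: version_key(r["version"]), reverse=True)
    return {"status": root.findtext("project_status"), "releases": releases}


def check_module(info, feed, now):
    """Classify one module and measure the window since a missed security fix."""
    installed = version_key(info["version"])
    newer = [r for r in feed["releases"] if version_key(r["version"]) > installed]
    missed_security = [r for r in newer if r["security"]]
    if missed_security:
        severity = "security"
    elif feed["status"] != "published":
        severity = "abandoned"  # no fix will ever come: replace or remove it
    elif newer:
        severity = "outdated"
    else:
        severity = "current"
    return {
        "project": info["project"],
        "installed": info["version"],
        "latest": feed["releases"][0]["version"] if feed["releases"] else None,
        "severity": severity,
        # days since the oldest security release this site has not applied
        "exposure_days": ((now - min(r["date"] for r in missed_security)) // DAY
                          if missed_security else None),
    }


def audit(info_files, feeds, now):
    """Return findings for every installed module, most urgent first."""
    findings = []
    for text in info_files.values():
        info = parse_info(text)
        feed = parse_release_history(feeds[info["project"]])
        findings.append(check_module(info, feed, now))
    return sorted(findings, key=lambda f: SEVERITY.index(f["severity"]), reverse=True)


if __name__ == "__main__":
    for f in audit(INFO_FILES, FEEDS, now=T0 + 10 * DAY):
        print(f"{f['severity']:9} {f['project']:8} installed {f['installed']} "
              f"latest {f['latest']} exposure_days={f['exposure_days']}")
```

Run against a real site you would glob `sites/all/modules/*/*.info`, fetch each project's feed over HTTPS, and schedule the script daily; the `exposure_days` figure is the number that makes the "gap between announcement and upgrade" argument concrete for a client.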

Phillip Mc:

Thanks for the link... it looks like the author made the same mistake I made earlier (see above), or to quote what he said: "Indeed, plug-ins represent 78 percent of public security exploits affecting browsers."

I think, in principle, most clients understand that vulnerabilities are a known risk you take with all software, i.e. there's no such thing as secure software, and with open source that risk is balanced against the time-saving value of avoiding writing everything from scratch. So, that's pretty much a given. I suppose what I'm getting at is, apart from the obvious, such as monitoring logs, joining the security announcement mailing list, watching out for abandonware etc., what else is there?

Would it be an idea to have a PHP & Drupal equivalent of The 19 Deadly Sins of Software Security? Or maybe a more expansive security & recovery section of the handbook?

Other resources on Drupal security:

Anyone with any more useful links, please post 'em.

internetexistence:

The Open Security Model, Drupal and ExpressionEngine on Security

It is a very nice article about security concerns by Nate Haug.

Actually, today with the release of 5.10 I committed to myself to devote some of my energy to security topics, although I am not a programmer, as a gratitude to the people making life simple for Drupal users, and the above-mentioned article is the first I encountered. I fully agree with the philosophy.

Phillip Mc:

There are a few sides to the article Nate has written.

Overall, I think it's very balanced, but he's coming from a Drupal fan perspective, so it's a bit like a Man United fan analysing the weaknesses in the Liverpool football team. If the shoe were on the other foot, I'm sure a Liverpool fan would be just as diligent in their search for problems or weaknesses.

I'm not saying that it's a bad article - it is very interesting and generally well balanced - but my knee-jerk reaction was to seek out the articles/posts about Drupal written by the ExpressionEngine users Nate mentioned. There are a lot of them, and while only a few mention security issues, many raise some good critical points about Drupal and others would be considered standard fan rants against a rival.

I think there's a certain fan loyalty with open source tools that sometimes clouds opinions, which is why it's probably better to have independent reviews on security etc.

As an example, some might insist it's a good thing that vulnerabilities are announced as soon as they are discovered.

Others, like the researchers who put together the IBM security trends report, point out that a large percentage of 'attacks' (I think it's as high as 94%) occur the day after vulnerabilities are announced.

In essence, what that means is that the gap between a vulnerability being announced and the site maintainer upgrading his site(s) is the most, ahem, vulnerable time for any site... not just a Drupal, Joomla! or WordPress site, but for any piece of software. So there is a plausible argument to say that it's best to release security/vulnerability fixes subtly, a bit like the way Microsoft/Apple have those "upgrade" pop-ups that nudge you to download updates now and again, usually without telling you what the updates are fixing or what they are for. Apple even has a kill switch on the new iPhones in case a 3rd party add-on app from iTunes turns out to have vulnerabilities.

I prefer the open approach of security announcements... it means having to stay on your toes, but there's a transparency as well as an educational side to it that I like, i.e. you know roughly what's going on, which makes it easier when explaining to client(s) why they need to update the site(s).

Phillip Mc:

Minor addendum: the author of that linked article didn't make the same mistake I made. To quote the IBM security report: "Plug-ins were especially targeted, representing 78 percent of the public exploits affecting Web browsers." Which is what the author said.