Nov 29, 2013

Is Drupal secure?

Drupal is employed by thousands of high-profile web sites and is put through thorough security testing both by security experts and by the Drupal community around the world. Drupal's core code has been confirmed to avoid common security vulnerabilities such as those described by the Open Web Application Security Project (OWASP).

Security track record

"Composed of a set of respected community volunteers, and one of the first dedicated Security Teams in an open source CMS project, the Drupal Security Team works to resolve reported security issues for code hosted on drupal.org, to review code for vulnerabilities, and to provide security expertise and assistance to contributors.

The Drupal community has an excellent track record of finding and fixing vulnerabilities in community-created code.

The number of security advisories shows consistent and reliable activity within the code contributors and the security team who guides the process of fixing and releasing security patches. Some interpret these numbers and say "a large number of vulnerabilities must mean insecure code." That analysis ignores the reality that all code has bugs (including security bugs) and the most important thing is an active group of coders and researchers finding and fixing bugs."

I would say that Drupal is as secure as most other CMS options, and more so than some. There are always going to be vulnerabilities and potential exploits, of course, just as with any software. Probably the two main security concerns that come to mind are XSS and SQL injection. Not using untrusted data in database queries without escaping it minimizes the risk of SQL injection. XSS is a more common concern, but it too can be minimized. Simply limiting HTML permissions goes a long way towards addressing cross-site scripting.
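The two mitigations named above, as an added example that is not part of the original post: it assumes a Drupal 7 bootstrap (so `db_query()`, `check_plain()` and `filter_xss()` are available), and the function names, the `{users}` lookup and the sample comment are constructed for illustration.

```php
<?php
// Added example, not code from the original post. Assumes Drupal 7's
// database and filter APIs are loaded; the table use and inputs are constructed.

// INSECURE (constructed): untrusted input is concatenated straight into SQL,
// so a crafted username changes the meaning of the query.
function example_lookup_insecure($username) {
  return db_query("SELECT uid FROM {users} WHERE name = '" . $username . "'")
    ->fetchField();
}

// SAFE: a named placeholder hands quoting to the database layer; the value can
// never be parsed as SQL, whatever characters it contains.
function example_lookup_safe($username) {
  return db_query("SELECT uid FROM {users} WHERE name = :name",
                  array(':name' => $username))->fetchField();
}

// XSS on output: escape plain text fully, and restrict any user-supplied
// markup to a small whitelist of harmless tags (the "limit HTML" advice).
function example_render_comment($subject, $body) {
  // A subject is plain text: encode every HTML special character.
  $safe_subject = check_plain($subject);
  // A body may carry light markup: keep only these tags and drop everything
  // else, including script tags, on* event attributes and javascript: URLs.
  $safe_body = filter_xss($body, array('p', 'em', 'strong', 'a'));
  return '<h3>' . $safe_subject . '</h3><div>' . $safe_body . '</div>';
}

// Constructed sample input, as an untrusted comment submission would arrive.
$subject = '<script>alert(1)</script>';
$body    = '<p onmouseover="alert(1)">hello <strong>world</strong></p>';
print example_render_comment($subject, $body);
```

Note that `filter_xss()` only strips what is not on the whitelist; the right fix for SQL injection is the placeholder form, not escaping by hand, since the database layer applies the correct quoting for the configured driver.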
