What makes Drupal so secure?

Ensuring the security of digital technologies is essential to maintaining legitimacy and credibility, protecting customers, and staying on the right side of the law. From a security perspective, Drupal is the ideal platform for a number of reasons.

In spite of claims to the contrary, strong evidence shows that open source technologies, Drupal in particular, not only meet global security standards, but they are consistently on the cutting edge of security enhancements.

Drupal, its APIs, and its core and contributed modules power millions of websites on the internet. As such, Drupal code is continuously scanned, audited, and analyzed for security vulnerabilities and breaches. Through peer review within Drupal’s continuously growing worldwide community of experts, Drupal’s core APIs have been strengthened over the long life of Drupal to mitigate common vulnerabilities.

Drupal, specifically Drupal 8, has been rewritten and designed to prevent critical security holes, including the Top 10 Security Risks as identified by the Open Web Application Security Project (OWASP). Drupal has proven, time and time again, to be a secure solution for enterprise needs and is frequently used in high-profile, critical websites, such as governments and Fortune 500 companies.

According to CVE Details, an online security vulnerability data source, there have been 324 vulnerabilities reported for Drupal since 2002, with only 8 being reported in 2017. Compared to Drupal alternatives like WordPress or SharePoint, Drupal has 70% fewer vulnerabilities reported on average. These metrics don’t lie: they prove that Drupal is more secure than most of its competition. We believe that this is due, in part, to the following people, standards, processes, and measures:

  • Drupal’s Security Team, Project Maintainers, and Users

  • Security-focused Contributed Modules

  • Notifications

  • Secure Drupal Hosting

Drupal Security Team, Project Maintainers, and Users

When it comes to security within Drupal, there are three key categories of people who contribute to ensuring that the platform is completely secure at all times. Each group plays a specific role in ensuring that vulnerabilities are discovered, reported, corrected, and tested, and that fixes are distributed promptly.

Drupal Security Team

The Drupal Security Team is made up of a global group of some of the world’s leading web security experts, always on call to assess, evaluate, and address issues. This team, which is constantly growing, manages the process for reporting security vulnerabilities discovered both in Drupal core and in Drupal contributed modules, and for prioritizing their mitigation.

Project Maintainers

Drupal’s active developer community is more than 15,000 strong and includes experts in all areas of today’s web technologies. Different maintainers specialize and are responsible for different aspects of Drupal core and for different modules that extend Drupal. Project Maintainers work hand-in-hand with Drupal’s Security Team to ensure that any known vulnerabilities are patched quickly, tested thoroughly, and distributed following industry best practices.

Users

More than 700,000 people, running more than a million websites, use, test, and improve Drupal on a daily basis. New vulnerabilities are quickly identified and privately reported to the Drupal Security Team following the framework described above.

Security-Focused Contributed Modules

In addition to the proven track record of Drupal core, there are numerous contributed modules being developed daily to extend Drupal’s security layer. Some of these focused modules help with password policies, login encryption, and session controls, and others help Drupal log and audit vulnerabilities from within. Modules like Hacked! continuously monitor Drupal’s code base and can report if any file has been changed relative to Drupal core’s released code.

Notifications

Best practices of developers and Drupal site owners state that you should always keep your version of Drupal, and its contributed modules, up to date at all times. Patches to Drupal core and contributed modules are released for a reason, and falling too far behind will open you up to even more vulnerabilities in the future. Luckily, Drupal also warns of available security updates in real time, from within Drupal itself. Internal reports, such as “Available Updates”, notify users every time a patch is available on Drupal.org.

Secure Drupal Hosting

Although we can do everything we can to secure Drupal itself, we also need to consider our hosting environments and infrastructure. This is where Drupal-specific hosting providers come into play. Providers such as Acquia and Pantheon combine infrastructure best practices with Drupal security best practices to add yet another layer of security to Drupal systems. Since Drupal core’s code base is standardized, these hosting providers can also report when unexpected changes happen within Drupal and do everything they can to prevent them and/or revert them.
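Both the Hacked! module described above and the hosting providers’ change detection rest on the same technique: record a cryptographic manifest of the code base as it was released, then periodically compare the live tree against it. The script below is an added example that illustrates that technique; it is not the code of Hacked!, Acquia, or Pantheon. The directory layout, file names, and tampering scenario are constructed for the demonstration, and the check is only as trustworthy as the baseline, which in practice comes from a pristine copy of the release and is stored outside the web root where a compromised site cannot rewrite it.

```python
"""Baseline-and-compare integrity check for a web root (added example).

Builds a SHA-256 manifest of a known-good tree, then reports files that
were added, modified, or removed. The sample tree and the tampering are
constructed inline so the script runs offline.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict:
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def save_manifest(manifest: dict, path: str) -> None:
    """Persist the baseline; keep this file outside the web root."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline: dict, current: dict) -> dict:
    """Return the drift between the trusted baseline and the live tree."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: record a baseline, tamper with the tree, re-check."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as store:
        core = Path(root) / "core" / "lib"
        core.mkdir(parents=True)
        (core / "Drupal.php").write_text("<?php // constructed stand-in for a core file\n")
        (Path(root) / "index.php").write_text("<?php // constructed front controller\n")

        # Baseline taken from the clean tree and stored away from the web root.
        manifest_path = os.path.join(store, "baseline.json")
        save_manifest(build_manifest(root), manifest_path)

        # What a monitor is meant to catch: a core file edited, a file deleted,
        # and a file that was never part of the release appearing in the tree.
        (core / "Drupal.php").write_text("<?php // edited after release\n")
        (Path(root) / "index.php").unlink()
        (Path(root) / "sites").mkdir()
        (Path(root) / "sites" / "stray.php").write_text("<?php // not in baseline\n")

        return compare(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real site, `build_manifest` would run over the deployed tree and the baseline would be generated from the untouched release archive; an empty report means no drift, and anything in `modified` or `added` under `core/` is exactly the kind of change the hosting providers mentioned above flag and revert.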

Conclusion

As an open source technology, Drupal development is largely decentralized, and its strength comes from the distributed knowledge of a community of thousands of developers committed to the project worldwide. From a security perspective, some critics feel more comfortable with proprietary software produced by dedicated teams at major companies. However, there is scant evidence that proprietary solutions offer better security, or that Drupal is weak on security in comparison. Quite the contrary, in fact: the evidence shows that Drupal has fewer security vulnerabilities reported, more people fixing the vulnerabilities when they are reported, and all known best practices and structures in place, comparable to or surpassing those of Drupal’s competition.


We hope you found value in this piece. If you’d like to learn more about security, Drupal, open source, and general best practices, we invite you to subscribe to our newsletter, the OPIN Mind.

If you have an upcoming web project and would like more information on how we at OPIN leverage Drupal to build award-winning solutions for enterprises and governments, feel free to reach out.

Authored by Steve Lavigne