HP Security Report: What is the Most Insecure CMS?
HP TippingPoint examines the vulnerabilities in applications and identifies the most insecure open source content management system.
HP has found that 70 percent of the applications that they are engaged to scan have some form of security vulnerability. Of those, 50 percent have what HP as identified as serious issues that could expose organizations to risk.
In particular, HP has given a particular focus to content management systems (CMS) during 2010 which yielded some interesting results. According to HP, it's not always the core CMS system that is the root cause of vulnerability.
"A lot of the vulnerabilities in the Content Management Systems have shifted away from the core applications themselves and have shifted to the plugins in those applications." Mike Dausin, manager of advanced security intelligence for HP DVLabs told InternetNews.com. "This is actually an even broader security trend which we have also seen on the desktop."
As a case in point, Dausin added that today it's more likely that a researcher will find vulnerabilities with browser plug-ins than with the browser code. A recent survey from security vendor Qualys found that the Java browser plug-in is the most likely to be at risk.
Dausin noted that when it comes to the three most popular open source content management systems, Joomla, Drupal and Wordpress, they each have their own respective reputations to protect and ensure security. On the other hand, Dausin noted that plugin developers don't have as much at risk and may be more relaxed when it comes to enforcing security.
That said, there is a gap between the security of the different open source CMS projects.
"Wordpress these days has very few vulnerable installs that we could find versus Joomla where nearly all of them are vulnerable in one form or another," Dausin said.
Dausin noted that one possible reason why Wordpress is more secure is that it is an easy system to update. That said, Dausin noted that in 2010, Joomla, Drupal and Wordpress have all done better jobs at patching their core systems.
"In the case of Joomla, it's mostly the plugins that are vulnerable, " Dausin said.
Dausin noted that HP did not directly contact Joomla or Open Source Matters, the group that helps to lead Joomla developer, about the study. InternetNews.com did, however, contact Joomla.
"With the release of 1.6 in early 2011, Joomla took unprecedented steps to secure the CMS," Louis Landry, Joomla Development Coordinator, told InternetNews.com. "The most significant changes for this release are the new advanced security and permissions features. These provide system administrators control over who can edit what and access which components, modules and plugins."
Landry also noted that Joomla takes plugin security very serious and has processes in place to help protect users.
"In fact, Joomla has set up the Joomla security center and strike team http://developer.joomla.org/security.html where security vulnerabilities can be reported on and taken action on instantly," Landry said. "The Joomla Security Strike Team pulls information from the thousands of people in the Joomla community working 24-7 around the world. Those members of the community are constantly probing Joomla and its extensions for the latest vulnerabilities and issues fixes to them as soon as possible."