most secure open CMS?

[xpcontact]

Hi
I would like to get your opinion about what is the most secure open source CMS ?
Because it is very important to choose the right platform before you build your website, otherwise it is just waste of time....
thx

[MrGamm]

Really... You could spend the rest of your life trying to figure this out.

The truth is. No Open Source CMS is 100% secure.

If somebody doesn't hack through a security hole, they can undermine your security by another means. And... Just because you get your hands on a "secure" open source CMS certainly doesn't mean you or your host is going to secure the server properly nor does it mean your going to stay current with upgrades or introduce your own gaping wide security hole with a quick add-on...

In any event... I understand where your coming from... Usually the script kiddies like to deface a website by tagging thier name to the site title when they hack it. You can get a ballpark overview of how some of the other websites out there are doing. Beware that many hackers have the sense to not reveal their activities.

http://www.google.ca/search?&q="hacked+by"+wordpress
http://www.google.ca/search?&q="hacked+by"+joomla
http://www.google.ca/search?&q="hacked+by"+drupal
http://www.google.ca/search?&q="hacked+by"+phpbb
http://www.google.ca/search?&q="hacked+by"+phpnuke <= The legend...

If your running commerce. Make sure you are NOT saving any trace of sensitive customer info on your server. Additionally make sure your passwords are stored in an encrypted manner in the database. If they aren't... you can rest assured that all the other security measures in the world are not going to help you when your customers private information is stolen from your website. ( if anybody finds out )

[netman4ttm]

Joomla or Drupal.

I am sure there are others; but these 2 came to me immediately.
With open source you want a very active developer community as they will find security issues and fix them quickly. I have used both and both have had security issues; however every issue was corrected quickly.
One thing that made the system more secure is to move the database server off the web server and on to an interior (private ip number) server.

[jawn_tech]

On any cms you choose (my vote is for Joomla by the way, though the Wordpress community is gigantic), always wait a while to upgrade after each release, and definitely avoid "beta" updates. I always tell that to folks who aren't interested in being a hero or martyr for the cause of an "update". Some updates are meant to fix previous security issues, while creating new bugs in the process which can be equally as troublesome (where the site owner can inadvertently deface their own site).

[Mark.M]

You posted a great question. I wonder how many ask that before they build a CMS site?

I happen to agree with MrGamm. The term "open source" should be your first red flag.

I have a client that built his entire business around using Joomla. My server administrator
advised him about the security issues, but they were just words to my clients ambitions
of creating a site which collects data from users. Sure enough, his site was hacked and it
took him weeks to try to recover. It also was very expensive.

One of HIS issues, of course AFTER the fact, was that the server was not secure and that
it was not backed up. After many interesting words, the server was backed up and has been extremely
well protected, far more them most other servers.

What actually happened was that the client did not follow-up by having his mySQL database
set to backup his data. He knew nothing about it, nor did his web developer.. and of course,
he would not ask the expertise of my server administrator ( which I'd like to add is one of the
very best I have come across ) because he was warned about the issue, yet chose it anyway.

Some things I would consider if you wish to maintain a good site and most important a good business:

1) Do everything mentioned by MrGamm
2) When you build with "open source" know you are advertising to everyone that you are open for someone
to try to exploit your site and your information.
3) Repeat number 1
4) Almost anyone can provide hosting. See if you can find a provider that actively tries to support open source
security issues. ( my administrator would not be that guy.. it hates the CMS open source stuff )
5) Repeat number 1

If more were inquiring about it like yourself, it would become the first thing to ask about..

Hope your new site does well..

Mark Mazzarella - Developer - VRInstructor.com

[deepsand]

Quote:

Originally Posted by Mark.M

The term "open source" should be your first red flag.

Why?

You apparently make the assumption, without substantiation, that proprietary code is somehow better and/or more secure than is open source code.

Not only is proprietary code not guaranteed to be of a better quality, but, it is not necessarily less accessible than is open source code. More importantly, knowledge of the source code is not necessary in order to be vulnerable.

As one who began programming in 1958-59, in octal machine code on PENNSTAC, I cannot begin to recall the number of times that I've hacked an OS or application with access to no more than the binary machine code.

[quote=Mark.M;409775When you build with "open source" know you are advertising to everyone that you are open for someone to try to exploit your site and your information. [/quote]
This is no more than a conclusion based on facts not in evidence.

[wige]

I love the anti-open source mentality. These are the folks that run web servers on IIS instead of Apache.

Interestingly, the NSA recommends for all secure network servers the use of almost exclusively open source technologies - SE Linux, PostgreSQL, etc. See here: Information Assurance Research

[MrGamm]

Quote:

Originally Posted by deepsand

Why?

You apparently make the assumption, without substantiation, that proprietary code is somehow better and/or more secure than is open source code.

Not only is proprietary code not guaranteed to be of a better quality, but, it is not necessarily less accessible than is open source code. More importantly, knowledge of the source code is not necessary in order to be vulnerable.

As one who began programming in 1958-59, in octal machine code on PENNSTAC, I cannot begin to recall the number of times that I've hacked an OS or application with access to no more than the binary machine code.


This is no more than a conclusion based on facts not in evidence.

Your credentials and experience do not change the fact that a larger audience of relatively inexperienced programmers now have the capabilities to attack those who choose to go it their own with an open source project.

Are you suggesting that the majority of open source projects are of higher quality than closed source programs?

What exactly are you suggesting? That it's better to righteously defend the open source movement with zealotry rather than focus on it's flaws and look towards a better solution?

Quote:

These are the folks that run web servers on IIS instead of Apache.

You are right to think that IIS is more prone to serve malware. In China and South Korea.

The Google Malware statistics are your best bet for understanding the damage a piece of software is inflicting on others. It has nothing to do with the numbers of bugs reported, flaws fixed or security updates sent.

http://googleonlinesecurity.blogspot...d-malware.html

The puzzling thing in those statistics is the relatively high number of malware servers running linux in Germany. Are the germans all around more experienced and better programmers? Are they more prone to be attacked? Are they more prone to attack other with thier servers?



In any event... The open source community should follow the lead of some of the more well known closed source vendors and offer to service the software which they build. Many of them do. All of them need to. Closed source or open source being irrelevant.

If your CMS is not offering you one click easy security patches and taking responsibility for their software. Consider finding a vendor who does. That's the bottom line. A good analogy would be the seal which voids the warranty on your electronics device. If you break the seal. Consider it broken and no longer supported. If your electronic device did not come with a warranty. Understand nobody planned on it working in the first place.

[Mark.M]

Quote:

MrGamm:

In any event... I understand where your coming from... Usually the script kiddies like to deface a website by tagging thier name to the site title when they hack it. You can get a ballpark overview of how some of the other websites out there are doing. Beware that many hackers have the sense to not reveal their activities.

search?&q="hacked+by"+wordpress
search?&q="hacked+by"+joomla
search?&q="hacked+by"+drupal
search?&q="hacked+by"+phpbb
search?&q="hacked+by"+phpnuke <= The legend...

In any event... The open source community should follow the lead of some of the more well known closed source vendors and offer to service the software which they build. Many of them do. All of them need to. Closed source or open source being irrelevant.

Let me make a clarification of what I was posting about Open Source. I was referring to a specific site that I had first hand knowledge about. I guess I should have posted my comment with the quote from MrGamm.

The site used Joomla. It was defaced and it took a considerable amount of resources to get it rebuilt close to a month later. The person was informed prior to consider the software carefully before deploying his business using it.

I used phpBB for a while, it was defaced 3 times. I took it down.

The point was made more clearly by MrGamm.

I think, and it's only my opinion that most sites that are created by some of the "Open Source" options, are done so by the webmaster / programmer as a solution for a site. This being done without any additional follow-up for security patches. The owner of the site would rarely be involved, just as they are rarely involved in a common simple HTML site. So then the question is, does the programmer building with the "Open Source" option, recognize the security issues and actually know what to do about them.

If the structure of the site is given away to all that want it, surely the ones that would want to screw up the site would also have access. It's not about being free or proprietary, or which operating system is best.

Perhaps I'm wrong about this to those that actually use "Open Source" programming, I was posting only about my experiences using it. Anyway, It's an interesting thread..

[wige]

Just out of curiosity, can anyone give an example of a "closed-source" CMS? Not a managed or hosted version, I mean an actual closed-source package?

[kgun]

Quote:

Originally Posted by netman4ttm

Joomla or Drupal.
One thing that made the system more secure is to move the database server off the web server and on to an interior (private ip number) server.

Interesting solution.

That means to an "intranet" by blocking all Ip's except the CMS system's Ip in a server configuration file like .htaccess?

Any code is no more secure than the programmers that wrote it. Encapsulated / private / public class state variables are important in such a solution.

I know that most programmers here are well trained in OOP, so may be this

eZ Publish - Open Source Enterprise Content Management System (CMS) for web content management solutions

is relatively secure.

I don't know if there is an open / free version. You have to figure that out yourself.

[MrGamm]

Quote:

Originally Posted by wige

Just out of curiosity, can anyone give an example of a "closed-source" CMS? Not a managed or hosted version, I mean an actual closed-source package?

That's rather difficult to answer considering alot of vendors have moved their commercial applications into the open source market.

I don't think it's necessarily fair to exclude the online services which are closed source. Anybody hosting a website, or managing their business with an online service is typically doing so with a closed source vendor.

Yahoo Store would be a closed source CMS... even though it is an online service and people can alter the mark-up. I only use it for some invoicing... but I am aware of WHMCS... I have seen others running encoded (zend) php turnkey commerce solutions...

I would think anything which microsoft releases is closed source. I would go so far as to suggest any open source vendor with commercial interests is indeed more of closed source vendor than an open source one. Before you flame me please understand I am speaking from a time when open source was synonymous with free. That's just not the case anymore. Many open source vendors will not allow others access to the CVS which essentially is different from many open source projects which encourage a community of developers to build the application ( that just doesn't work... imo... not if your running business ).

In any event... It's really easy to blur the lines of what is open source and what isn't. For example... some open source vendors are now encoding thier products with commercial applications to once again take an open source product to turn it into a closed source one.

I think perhaps it's just rather silly for anyone to even debate the open source vs closed source argument. I think from a security standpoint it boils down to how the software is distributed. If it is freely distributed it will fall out of date and be substantially more susceptible to security breaches (This includes software piracy, and "resellers" with no long term vested interest towards the end client.). If it is managed and distributed or at the very least partially connected to a software service distribution model then everybody wins.

I really feel that open source fails because too many people are branching from the main distributions. It's all take... it's the minority who give back. "True" open source methodology is not at a level where the community is skilled enough to manage itself. There will always be a human element of nastiness which prevents a Utopian, Idealistic, Community Open Source software norm.

Before you throw out the wikipedia argument to combat the responsibility and skill level argument. Remember... it's costing them 6 million yearly in donations to keep it running. And the "open source" nature of the project has been simplified to wiki markup. It has also lead to a new generation of people who warn you not to trust what you read in the wiki... (not that I ever trusted what was inside the encylopedia britannica

And I would be more inclined to go with a vendor with commercial interests. The majority of products I use on a daily are indeed closed source. Websites included.

[kgun]

Fresh breath to WPW.

[Mark.M]

Since this was the original posted question:

Quote:

Originally Posted by xpcontact

I would like to get your opinion about what is the most secure open source CMS ?
Because it is very important to choose the right platform before you build your website, otherwise it is just waste of time....
thx

MrGamm first made made a very valid posting regarding searching the hack postings for several software options.

How you you actually pick from a listing the best overall secured option from a group with known security issues?

Suggestions were then posted for many of the same options listed, so...

1) I would think that you would want to mask your vulnerabilities as best as you can ?

2) With open or closed, each has an advantage and disadvantage. It doesn't mean that if you pay for a software and it distributed to you, that parts might not have open source programming ( as mentioned by MrGamm ) -- It also does not mean that it would be the best choice overall.

3) That said, here's a hypothetical open to the group:

Option A: Open source whatever software built with PHP with a mySQL back end.

or

Option B: Closed source managed and hosted, with neither of the above?

If both were similar in the operation, but Option B was better in performance, would the cost factor of Option B be your reason for not selecting it? ( obviously if the cost was reasonable )

Would you want to build your business, if you had an educated choice, as...

[MrGamm]

Honestly... If I didn't want to be a target, I wouldn't choose a job as Barak Obahma's security henchman.

If I wanted to run a cms which was less prone to being taken out. I would not choose one with a bad security record, no commercial support, and a user base of a few million users/installations.

If I wanted to wreak havoc on the internet community I would choose a cms with a bad security track record, one which broadcasts specific instructions on how to bring the website down, has no commercial support, and a few million installations, and let loose with an automated script. My chances of hitting something would be a lot better.

Don't forget about the open source cms's who love to tag the version number directly in the template. Those are the best ones to attack when your just learning.

That rules out half of the CMS's out there as a good choice for a secure cms to say the least.

[deepsand]

Quote:

Originally Posted by MrGamm

Your credentials and experience do not change the fact that a larger audience of relatively inexperienced programmers now have the capabilities to attack those who choose to go it their own with an open source project.

This assertion rests on the flawed assumption that most cracking is done by programmers.

Quote:

Originally Posted by MrGamm

Are you suggesting that the majority of open source projects are of higher quality than closed source programs?

Did I even hint at such a suggestion? No, I did not.

However, I will submit that open source has the greater opportunity to be of higher quality owing to 2 factors:

1) It is less likely to fall prey to the "good enough" standard that most work-for-hire is subject to; and,
2) It is more easily & quickly remediated when it is found to have problems.

Quote:

Originally Posted by MrGamm

What exactly are you suggesting? That it's better to righteously defend the open source movement with zealotry rather than focus on it's flaws and look towards a better solution?

What I do not merely suggest, but strongly maintain, is that zealotry serves no cause well, including that of those who would dismiss open source as being of dubious value.

Quote:

Originally Posted by MrGamm

In any event... The open source community should follow the lead of some of the more well known closed source vendors and offer to service the software which they build. Many of them do. All of them need to. Closed source or open source being irrelevant.

And, many of the closed source vendors would be equally well so advised.

It is sufficient to examine the quality of that most well known purveyor of proprietary software, Microsoft, to understand that whether or not the source code is publicly available is hardly a marker re. quality.

[luigip]

Quote:

Originally Posted by netman4ttm

Joomla or Drupal.

Joomla?? This is ridiculous.

Just have a look at Search - Secunia Advisories - Vulnerability Intelligence.

Btw you can compare a lot of cms at CMS-Matrix.

[MrGamm]

Quote:

Originally Posted by deepsand

However, I will submit that open source has the greater opportunity to be of higher quality owing to 2 factors:

1) It is less likely to fall prey to the "good enough" standard that most work-for-hire is subject to; and,
2) It is more easily & quickly remediated when it is found to have problems.

Entirely not true... When a open source project has opened up it's trouble ticket database to the public you will see just as many un-resolved issues floating around...

More eyes on a project does not mean that those eyes are capable of fixing the problem. If the program has achieved a good level of modularity to the point where many people can work in their own little private sections without disrupting the whole project then a level of better short term efficiency (possibly delusional efficiency) might be achieved but it does not translate to better quality. And it certainly does not solve the un-resolved issues floating around. Open source projects are subject to programmers who hold very little long term responsibility to the project. Why? Because they have no vested interest in whether the code actually works well or not. There is nothing in it for them. There is significantly more broken and non operational open source projects on the market than there are commercially closed source ones. Commercial projects need to work in order to make money. Open source ones do not need to work. It is very easy to understand, however it is not the defacto standard rule which can define the difference between open and closed source. It is purely a management/employee/collaboration issue.

Open source projects which do not care about or which does not scrutinize the skill level of the people working on the project, does not by a long shot mean that it will be of higher quality. In fact... anonymous style, non-collaboration on a project essentially leads to total chaos and the total quality of the product suffers as a result.

In either event... neither of claim 1 or 2 is effected by the open source nature of the code base. It is purely a managment issuse, and sometimes entirely dependant on the skill level of the programmer ( how many highly skilled programmers are working for free? NONE ) which cannot be confused with the nature of the code.

I prefer the "Good Enough" standard when building software.... as in... "is this good enough? Would I want this for myself?" as opposed to the "anything will do standard so long as the client doesn't notice now... they can dish out a few hundred hours and a few thousand dollars down the road when I have already been paid and my hands are cleaned of it" approach.

[MrGamm]

Quote:

Originally Posted by xpcontact

Hi
I would like to get your opinion about what is the most secure open source CMS ?
Because it is very important to choose the right platform before you build your website, otherwise it is just waste of time....
thx

I'm sorry... I didn't read this question properly...

The most secure platform is Linux.

Google Online Security Blog: Web Server Software and Malware

Windows is... always was and always will be a less secure platform...

So... going with linux first... and then choosing how to go about securing your CMS might be the best way to look at the problem.

I really felt the need to come back and clear that up since the thread kind of drifted towards an open source /closed source argument for a bit...

[deepsand]

The OP's question was not about OSes, but rather about applications.

Furthermore, statements re. what will always be are speculative at best.

[netman4ttm]

Wow; this discussion went off course quickly.
I am sticking with Joomla or Drupal. The bigger the developer community the safer the product.
No Linux Apache are not the most secure os/web server. Its BSD/Apache. Linux doesn't allow for a minimalist install unless you go with Gentoo and I know you don't.

[MrGamm]

Quote:

Originally Posted by deepsand

The OP's question was not about OSes, but rather about applications.

Furthermore, statements re. what will always be are speculative at best.

The user inquired about the most secure platform as well. You cannot run a CMS without an OS...

You are only as secure as your weakest point of entry. I provided statistics from Google. There was no speculation about the recent and most likely current security level regarding windows and linux.

I would say running Joomla on Windows would be the equivalent to leaving your door wide open during a riot and displaying your valuables on the front porch. Linux might be more equivalent to closing and locking the door during a riot, with your valuables tucked away in the basement (perhaps you might be armed with a bat). jmo...

[kgun]

Discussions like this are sometimes like fighting with a windmill.

Sometimes simple web server configuration can improve the systems security drastically. It is best done at the lowest possible level. Example denying access in .htaccess to some critical files in system like this:

<Files "config.php">
Order Allow,Deny
Deny from All
</Files>

<Files "authenication.php">
Order Allow,Deny
Deny from All
</Files>

[deepsand]

Quote:

Originally Posted by MrGamm

The user inquired about the most secure platform as well. You cannot run a CMS without an OS...

To quote the OP, "what is the most secure open source CMS ?"

CMS is an application.

Applications are platforms.

[MrGamm]

To quote the OP...

Quote:

Because it is very important to choose the right platform before you build your website, otherwise it is just waste of time....

definelatform - Google Search
"In web terms: Platform is the computer's operating system like Windows, Linux, or OS X."

define:application - Google Search

???

Perhaps the OP needs to consider the platform, server software, and even the CMS they choose to run? I would go so far as to suggest they go with a hosting company which specializes in hosting the application they plan to run. Maybe that will help secure the operating system specifically for the CMS and security patches will be released and implemented a little more quickly?

I only really bring this up after seeing the pricing differences between linux and windows hosting and GoDaddy. Correct me if I am wrong but isn't go daddy's last interest in securing your property and software? Aren't they more concerned about screwing the smaller server companies who have a price difference between windows and linux hosting? I could have sworn every server company out there charges more for windows hosting because it costs money. I could be wrong... maybe things have changed...

Wouldn't it be smarter to put your CMS platform on the most secure OS platform with people who are specially aware and supportive of the software and it's vulnerabilities.

[kgun]

Quote:

Originally Posted by netman4ttm

The bigger the developer community the safer the product.

Good point. Your chance of getting fast support may be greater.

Quote:

Originally Posted by MrGamm

Perhaps the OP needs to consider the platform, server software, and even the CMS they choose to run? I would go so far as to suggest they go with a hosting company which specializes in hosting the application they plan to run. Maybe that will help secure the operating system specifically for the CMS and security patches will be released and implemented a little more quickly?

Another good point.

Quote:

Originally Posted by MrGamm

Wouldn't it be smarter to put your CMS platform on the most secure OS platform with people who are specially aware and supportive of the software and it's vulnerabilities.

OS platform or WebServer.

Are you able to attack a file that is denied global (from all) access in Apache's .htaccess?

If you are, please Pm me.

I don't talk about, packet sniffing and DDOS (man in the middle) attacks that attacks the server before it is visited.

[deepsand]

Quote:

Originally Posted by MrGamm

definelatform - Google Search
"In web terms: Platform is the computer's operating system like Windows, Linux, or OS X."

define:application - Google Search

???

define:Computer platform - Google Search


Definitions of Computer platform on the Web:

• In computing, a platform describes some sort of hardware architecture or software framework (including application frameworks), that allows ...
  en.wikipedia.org/wiki/Computer_platform

[deepsand]

Supplicant : "Can you tell me which model Ford truck is best suited to my needs?'

Respondent : "A Chevy."

[MrGamm]

I think this is a good point you have brought up. I was never aware that people would actually call an application a platform. I would have thought that making a spreadsheet in microsoft excel and stating,

"I made this spreadsheet on the microsoft office platform."

Would have been incorrect. I now stand corrected as obviously someone in the wiki feels differently. You are right however... the definitions certainly do change over time.

I still think that an OS is just as important to consider when looking for the "Most Secure CMS platform"

You are like me... I will go so far as to call a CMS a framework too...

[deepsand]

There was a time when platform referred to the hardware alone, when operating systems did not yet exist.

OSes came into being with 3rd generation mainframes. And, the 1st were so limited in scope, compared to those of the present, that today they'd not qualify for being called an operating system, but would be merely sub-systems, or OS modules.

[deepsand]

Quote:

Originally Posted by useless.012

yeah but now they've grown to be much more than that, haven't they??

What's grown to be more than what?

[netman4ttm]

The link below will give you what I believe to be a complete list of all CMS software.
I used Citadel in the early 1990's and didn't even know it was still around.
I can honestly say I an clueless about 95% of the list.

Category:Open source content management systems - Wikipedia, the free encyclopedia