Many companies decide against proprietary licensing models and are increasingly using open-source solutions. They rely on the internationally established quality standards of the open-source world and their proven co-operation, especially since very high security requirements are placed on a web-accessible content management system.
Having a holistic security concept in place is crucial, including not only the application, but the associated infrastructure as well. An open source solution has the advantage that those using it can react very quickly to changes in the market and can respond to security requirements and weaknesses in a targeted way.
The open source project Drupal, for instance, publishes security-relevant information and updates every Wednesday, as do WordPress and Joomla, to name a few. Users of proprietary solutions, on the other hand, often have to wait for a monthly ‘patch day’, if they are proactively informed about existing vulnerabilities at all. Until then, these systems are exposed to a high security risk, especially if information about the weak points has already leaked prematurely via unofficial channels.
Another key issue is the implementation of, and compliance with, current security standards, for example certification against ISO 27001, embedded in an information security management system (ISMS). This covers administrative, physical and technical security measures that keep risk to a minimum, all of which are particularly relevant when operational success depends on the security and availability of the website being operated and of the information processed in it.
In public community discussion portals, current developments are raised and discussed by experts from all sectors. In the community of open-source content management systems (CMS), anyone can contribute improvements, for example as modules that extend a published version; such contributions are subject to the strict audit of the Drupal Security Team.
To address newly discovered security risks as quickly as possible, there is a multi-level security release process, which usually looks like the following:
1. Identify the risk and report it to the security team: Any user who detects a security risk should report it to the security team in as much detail as possible. It is, of course, very helpful to include the steps needed to reproduce the problem.
2. Analyze the vulnerability more closely and assess the possible impact: The security team tests the reported vulnerability and classifies the potential security vulnerabilities according to the severity of the impact. This includes, for example, determining which Drupal versions, modules, or themes (design templates) are affected by the vulnerability.
3. Experts, testers and other professional users, supported by the security team, work on a sound solution to the problem: The proposed solutions are examined and discussed in detail, taking all dependencies into account, to achieve the best result.
4. Develop, test and publish patches: The new code is then tested extensively, including by automated tests, to ensure that the desired result is achieved and, above all, that it brings no undesirable side effects. Through such cooperation, and the mutual review of experts around the world, a very high quality can be achieved. Once all these steps are completed successfully, the new code is published via Drupal.org.
5. Subscribe to security advisories: For companies and other organizations that use Drupal or any other open-source CMS, it is standard practice to subscribe to the security advisories published on the project's website, or to follow security-related information via its social media accounts.
6. Implement security updates on the websites: Drupal checks for updates on its own and notifies the Drupal administrator. On Drupal.org, for example, you can find the corresponding download links and installation instructions for all new versions. If you use open-source software, it is usually your own responsibility to make sure updates are applied quickly.
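Steps 5 and 6 amount to a triage loop: read each advisory, decide whether one of your installed modules falls inside the affected version range, and then schedule the update with the most critical advisories first. The script below is an added example and is not code from the article or from the Drupal project. The advisory feed it parses is a constructed sample whose advisory ids, project names, version ranges and description wording are placeholders (the real Drupal.org feed uses its own format, which is not reproduced here); the module inventory is likewise a constructed one for a hypothetical site. Only the severity labels (Highly critical, Critical, Moderately critical, Less critical, Not critical) are the ones the Drupal Security Team actually uses.

```python
"""Triage a feed of security advisories against a site's installed modules.

Added example; not from the original article or from Drupal itself.
Feed format, advisory ids and version data below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample feed (placeholder ids, projects and versions). Each item
# title is assumed to be "<id> - <project machine name> - <severity> - <type>".
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<item>
  <title>EXAMPLE-SA-004 - fourth_module - Moderately critical - Cross Site Scripting</title>
  <description>Versions affected: 8.x-4.0 to 8.x-4.1. Fixed in 8.x-4.2.</description>
</item>
<item>
  <title>EXAMPLE-SA-001 - example_module - Critical - Access bypass</title>
  <description>Versions affected: 8.x-1.0 to 8.x-1.4. Fixed in 8.x-1.5.</description>
</item>
<item>
  <title>EXAMPLE-SA-002 - other_module - Moderately critical - Cross Site Scripting</title>
  <description>Versions affected: 8.x-2.0 to 8.x-2.2. Fixed in 8.x-2.3.</description>
</item>
<item>
  <title>EXAMPLE-SA-003 - third_module - Critical - Remote Code Execution</title>
  <description>Versions affected: 8.x-3.0 to 8.x-3.1. Fixed in 8.x-3.2.</description>
</item>
</channel></rss>
"""

# Constructed inventory of a hypothetical site: project machine name -> version.
INSTALLED = {
    "example_module": "8.x-1.2",  # inside the affected range of EXAMPLE-SA-001
    "other_module": "8.x-2.3",    # already on the fixed release
    "third_module": "7.x-1.0",    # different core branch, advisory does not apply
    "fourth_module": "8.x-4.1",   # last affected release of EXAMPLE-SA-004
}

# Severity labels used by the Drupal Security Team, most urgent first.
SEVERITY_ORDER = {
    "Highly critical": 0, "Critical": 1, "Moderately critical": 2,
    "Less critical": 3, "Not critical": 4,
}

VERSION_RE = re.compile(r"(\d+\.x)-(\d+)\.(\d+)")
AFFECTED_RE = re.compile(r"Versions affected: (\S+) to (\S+)\. Fixed in (\S+)\.")


@dataclass
class Advisory:
    sa_id: str
    project: str
    severity: str
    first_affected: str
    last_affected: str
    fixed_in: str


def parse_version(version):
    """Split '8.x-1.2' into its core branch ('8.x') and a comparable tuple (1, 2)."""
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def parse_feed(xml_text):
    """Turn the (constructed) RSS items into Advisory records; skip malformed ones."""
    advisories = []
    for item in ET.fromstring(xml_text).iter("item"):
        parts = [p.strip() for p in item.findtext("title", "").split(" - ")]
        m = AFFECTED_RE.search(item.findtext("description", ""))
        if len(parts) < 3 or not m:
            continue
        advisories.append(Advisory(parts[0], parts[1], parts[2], *m.groups()))
    return advisories


def is_affected(installed, first_affected, last_affected):
    """True when the installed version lies inside the advisory's range on the same branch."""
    branch, ver = parse_version(installed)
    first_branch, lo = parse_version(first_affected)
    last_branch, hi = parse_version(last_affected)
    if branch != first_branch or branch != last_branch:
        return False
    return lo <= ver <= hi


def triage(feed_xml, installed):
    """Return (id, project, installed, fixed_in, severity) for every advisory that
    applies to an installed module, most severe first."""
    findings = []
    for adv in parse_feed(feed_xml):
        version = installed.get(adv.project)
        if version is None:
            continue
        try:
            hit = is_affected(version, adv.first_affected, adv.last_affected)
        except ValueError:
            continue  # dev snapshots and the like cannot be compared; review by hand
        if hit:
            findings.append((adv.sa_id, adv.project, version, adv.fixed_in, adv.severity))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.get(f[4], 99))


if __name__ == "__main__":
    for sa_id, project, version, fixed_in, severity in triage(SAMPLE_FEED, INSTALLED):
        print(f"{severity}: {project} {version} is affected by {sa_id}; update to {fixed_in}")
```

Run as-is, the script reports only the two modules whose installed versions fall inside an advisory's range on the matching core branch, with the Critical finding listed before the Moderately critical one; a module already on the fixed release, or on a different core branch, produces no finding. In practice the feed would be fetched from the project's advisory channel and the inventory read from the site itself, but the decision logic stays the same.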
Hiding behind proprietary licensing models or compiled code, and expecting that nobody will find the vulnerabilities, can quickly backfire with devastating consequences.
With an open program code and a holistic security concept, IT security can be significantly increased. Everyone from the global community can report security risks, which are then resolved in an efficient process as quickly as possible. Transparency, exchange of experience, and a very high level of security are among the foundations of successful open source projects.