Page 22 - AeM_May_2017
BEST PRACTICES & STRATEGIES
Security standards for open source CMS
Many companies decide against proprietary licensing models and are increasingly using open-source solutions. They rely on the internationally established quality standards of the open-source world and its proven cooperation, especially since very high security requirements are placed on a web-accessible content management system.

Having a holistic security concept in place is crucial, covering not only the application but the associated infrastructure as well. An open-source solution has the advantage that those using it can react very quickly to changes in the market and can respond to security requirements and weaknesses in a targeted way.

The open-source project Drupal, for instance, provides security-relevant information and updates every Wednesday, as do WordPress or Joomla, to name a few. Users of proprietary solutions, on the other hand, often have to wait for a monthly 'patch day', if they are proactively informed about existing vulnerabilities at all. Until then, these systems are exposed to a high security risk if information about weak points has already been released prematurely via unofficial channels.

Another key issue is the implementation of and compliance with the latest security standards, such as the information security management certificate ISO 27001, embedded in an information security management system (ISMS). This includes administrative, physical and technical security measures to keep risk to a minimum, all of which are particularly relevant if operational success depends on the security and availability of the website being operated and the information processed therein.

In public community discussion portals, current developments are addressed and discussed by experts from all sectors. In the community of open-source content management systems (CMS), anyone can contribute improvements, for example in the form of modules, which can then change the status of a published version and which are subject to strict audit by the Drupal security team.

To address newly discovered security risks as quickly as possible, there is a multi-level security release process, which usually looks like the following:

1. Identify the risk and report it to the security team: Any user who detects a security risk should report it to the security team in as much detail as possible. It is, of course, very helpful to include the steps needed to reproduce the problem.

2. Analyze the vulnerability more closely and assess the possible impact: The security team tests the reported vulnerability and classifies the potential security vulnerabilities according to the severity of the impact. This includes, for example, determining which Drupal versions, modules, or themes (design templates) are affected by the vulnerability.
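The assessment step, working out which core versions, modules or themes are affected and ranking the result by severity, is something a site owner can also automate on their own side once an advisory is published. The following Python is an added example written for this article, not tooling from the Drupal project: it cross-checks a constructed site inventory against constructed advisories (placeholder ids `SA-EXAMPLE-00n`, invented version numbers) using Drupal-style version strings, and treats the first number after the core-compatibility prefix as the branch, which is a simplification of how real advisories scope affected releases.

```python
"""Constructed example: match a site's installed Drupal core/module/theme
versions against security advisories and rank what needs updating by severity."""
import re
from dataclasses import dataclass

# Pre-release tags sort before the final release of the same number.
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3

# Severity labels, least to most severe, mirroring the Drupal security team's
# risk ratings.
RISK_ORDER = ["Not critical", "Less critical", "Moderately critical",
              "Critical", "Highly critical"]


def parse_version(version: str) -> tuple:
    """Turn '7.54', '8.3.1', '8.x-1.2' or '8.x-2.0-rc1' into a comparable tuple.
    The core-compatibility prefix used by contrib projects ('8.x-') carries no
    ordering information, so it is dropped; numbers are padded to three places."""
    v = re.sub(r"^\d+\.x-", "", version.strip())
    m = re.fullmatch(r"(\d+(?:\.\d+){0,2})(?:-(alpha|beta|rc)(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    pre = (PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (FINAL_RANK, 0)
    return nums + pre


@dataclass(frozen=True)
class Advisory:
    sa_id: str       # advisory identifier (constructed placeholders below)
    project: str     # 'drupal' for core, otherwise the module/theme machine name
    risk: str        # one of RISK_ORDER
    fixed_in: tuple  # first fixed release on each affected branch


def is_affected(installed: str, adv: Advisory) -> bool:
    """Affected if the installed release sits on the same major branch as one
    of the fixed releases and is older than it. Branch == first number after
    the core prefix (a simplification; real advisories may name finer branches)."""
    inst = parse_version(installed)
    return any(inst[0] == parse_version(f)[0] and inst < parse_version(f)
               for f in adv.fixed_in)


@dataclass(frozen=True)
class Finding:
    project: str
    installed: str
    sa_id: str
    risk: str
    update_to: str


def triage(inventory: dict, advisories: list) -> list:
    """Cross-check an inventory {project: installed version} against advisories
    and return findings, most severe first, with the fixed release to move to."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.project)
        if installed is None or not is_affected(installed, adv):
            continue
        inst = parse_version(installed)
        target = next(f for f in adv.fixed_in
                      if parse_version(f)[0] == inst[0] and inst < parse_version(f))
        findings.append(Finding(adv.project, installed, adv.sa_id, adv.risk, target))
    findings.sort(key=lambda f: RISK_ORDER.index(f.risk), reverse=True)
    return findings


# Constructed sample advisories; ids and version numbers are placeholders.
ADVISORIES = [
    Advisory("SA-EXAMPLE-001", "drupal", "Highly critical", ("7.54", "8.3.1")),
    Advisory("SA-EXAMPLE-002", "example_module", "Moderately critical", ("8.x-1.5",)),
    Advisory("SA-EXAMPLE-003", "example_theme", "Less critical", ("8.x-2.0-rc2",)),
]

# Constructed site inventory, as an update-status report would list it.
INVENTORY = {
    "drupal": "8.2.7",
    "example_module": "8.x-1.3",
    "example_theme": "8.x-2.0-rc1",
    "other_module": "8.x-3.1",
}

if __name__ == "__main__":
    for f in triage(INVENTORY, ADVISORIES):
        print(f"{f.risk:20} {f.sa_id}: {f.project} {f.installed} -> update to {f.update_to}")
```

Run stand-alone, the script lists the three affected components in descending severity, core first; a component with no matching advisory (`other_module`) produces no finding. Feeding it a real inventory and the advisories of a given Wednesday gives a ranked worklist rather than a pile of release notes to read by hand.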
22 May 2017 - (Cyber) Security & Data Protection