Page 22 - AeM_May_2017

BEST PRACTICES & STRATEGIES

Security standards for open source CMS

Many companies decide against proprietary licensing models and are increasingly using open-source solutions. They rely on the internationally established quality standards of the open-source world and its proven cooperation, especially since very high security requirements are placed on a web-accessible content management system.

Having a holistic security concept in place is crucial, covering not only the application but the associated infrastructure as well. An open source solution has the advantage that those using it can react very quickly to changes in the market and can respond to security requirements and weaknesses in a targeted way.

The open source project Drupal, for instance, provides security-relevant information and updates every Wednesday, similar to WordPress or Joomla, to name a few. Users of proprietary solutions, on the other hand, often have to wait for a monthly ‘patch day’, if they are proactively informed about existing vulnerabilities at all. Until then, these systems are exposed to a high security risk if information about weak points has already been released prematurely via unofficial channels.

Another key issue is the implementation of and compliance with the latest security standards, such as the information security management certificate ISO 27001, embedded in an information security management system (ISMS). This includes administrative, physical and technical security measures to ensure a minimum of risk, all of which are particularly relevant if operational success depends on the security and availability of the website to be operated and the information processed therein.

In public community discussion portals, current developments are addressed and discussed by experts from all sectors. In the community of open-source content management systems (CMS), anyone can make contributions for improvement, which can then, for example, change the status of a published version in the form of modules, which are subject to strict audit by the Drupal Security Team.

To address newly discovered security risks as quickly as possible, there is a multi-level security release process, which usually looks like the following:

1. Identify the risk and report it to the security team: Any user who detects a security risk should report it to the security team in as much detail as possible. It is, of course, very helpful to include steps to reproduce the problem.

2. Analyze the vulnerability more closely and assess the possible impact: The security team tests the reported vulnerability and classifies the potential security vulnerabilities according to the severity of the impact. This includes, for example, determining which Drupal versions, modules, or themes (design templates) are affected by the vulnerability.
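The site operator's side of step 2 is working out whether the installed core, modules and themes fall inside the versions an advisory names. The following script is an added illustration, not code from the article or from the Drupal Security Team: it parses the two version shapes Drupal used at the time (core `8.3.1`, contributed `8.x-1.4`), matches each installed project against advisories that list one fixed release per supported branch, and flags an installed version on a branch with no fix at all as still at risk rather than silently safe. The advisory records, their `EXAMPLE-…` identifiers, the inventory, and the record layout are all constructed assumptions, not Drupal's real advisory feed.

```python
"""Match an installed Drupal inventory against security advisories.

Added example for release-process step 2; not code from the article or
the Drupal Security Team. Advisory records, ids and the inventory below
are constructed sample data, and the record layout (one fixed release per
supported branch) is an assumption, not Drupal's advisory feed format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Two version shapes, as used by Drupal at the time of the article:
#   core:    "8.3.1"
#   contrib: "8.x-1.4"  (core API branch, then the project's own version)
_VERSION_RE = re.compile(r"^(?:(\d+\.x)-)?(\d+(?:\.\d+)+)$")


def parse_version(version: str) -> tuple[str, tuple[int, ...]]:
    """Return (core_api_branch, numeric parts); the branch is '' for core."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    api = m.group(1) or ""
    numbers = tuple(int(part) for part in m.group(2).split("."))
    return api, numbers


def _branch(api: str, numbers: tuple[int, ...]) -> tuple[str, tuple[int, ...]]:
    """A release branch is everything except the final (patch) number."""
    return api, numbers[:-1]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str           # constructed placeholder, not a real advisory id
    project: str               # "drupal" for core, otherwise the module/theme name
    fixed_in: tuple[str, ...]  # first fixed release on each supported branch


def classify(installed: str, advisory: Advisory) -> str:
    """Classify one installed version against one advisory.

    'affected'            same branch as a fix, but older than the fix
    'fixed'               at or above the fixed release for its branch
    'unsupported-branch'  no fix exists for this branch: treat as at risk
    """
    api, numbers = parse_version(installed)
    for fixed in advisory.fixed_in:
        f_api, f_numbers = parse_version(fixed)
        if _branch(f_api, f_numbers) != _branch(api, numbers):
            continue
        return "affected" if numbers < f_numbers else "fixed"
    return "unsupported-branch"


def check_inventory(inventory: dict[str, str], advisories: list[Advisory]) -> dict[str, list[tuple[str, str]]]:
    """Map each installed project to (advisory_id, status) for every advisory naming it."""
    report: dict[str, list[tuple[str, str]]] = {}
    for project, version in inventory.items():
        report[project] = [(a.advisory_id, classify(version, a))
                           for a in advisories if a.project == project]
    return report


def needs_action(report: dict[str, list[tuple[str, str]]]) -> list[tuple[str, str]]:
    """(project, advisory_id) pairs whose status is anything other than 'fixed'."""
    return [(project, advisory_id)
            for project, hits in report.items()
            for advisory_id, status in hits if status != "fixed"]


# Constructed sample data: not real advisories and not a real site.
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-CORE-0001", "drupal", ("8.2.8", "8.3.1")),
    Advisory("EXAMPLE-CONTRIB-0002", "example_module", ("7.x-2.6", "8.x-1.4")),
]
SAMPLE_INVENTORY = {
    "drupal": "8.3.0",           # one patch release behind the fix
    "example_module": "8.x-1.3",  # contrib module behind its 8.x fix
    "example_theme": "8.x-2.0",   # no advisory names this project
}

if __name__ == "__main__":
    for project, advisory_id in needs_action(check_inventory(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)):
        print(f"update needed: {project} ({advisory_id})")
```

The branch comparison is the part worth copying: a site on `8.1.x` is not on either fixed branch in the sample core advisory, so the script reports `unsupported-branch` instead of concluding that nothing applies, which is the safer reading when a branch has dropped out of security support.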

      22            May 2017 - (Cyber) Security & Data Protection