Is Plone Really More Secure Than Drupal and Joomla?

  • 11-Feb-2013

Security is a touchy subject in the Web CMS world in general and very touchy in particular among open source WCXM projects, since open source platforms are frequently accused (often unfairly) of being inherently insecure by dint of their more open development models.

So it's been interesting to watch some Plone adherents contrast their platform's security profile to that of some major competitors. Plone (and its underlying Zope platform) is a kind of elder statesman in the open source WCXM world. But in terms of energy and hype, Plone has gotten superseded in recent years by faster-moving and significantly larger, PHP-based projects like Joomla and Drupal.

Some Impressive Charts

Plone adherents like to point to the National Vulnerabilities Database maintained by the US Department of Homeland Security with the National Institute of Standards and Technology (NIST), to demonstrate that their platform is more secure. Some Plone folks make impressive-looking charts showing how comparatively few vulnerabilities show up for Plone.

Plone Security Bar Chart
Source: govfresh.com/2011/03/gov-2-0-guide-to-plone/

Plone Security Pie Chart
Source: plonemetrics.blogspot.com/2012/10/last-year-sept-2011-i-responded-to.html

I've seen such charts end up in Plone sales pitches. To be fair, Plone project godfather Alex Limi has made more nuanced comparisons, but the point remains the same: according to NIST, Plone has a better track record.

Does It Really Matter?

Now, it's possible that Python is more secure than PHP, and the Plone/Zope stack may prove more secure than the Joomla/MySQL and Drupal/MySQL stacks. But if so, I'm not sure it matters much.

In the end security is a process you undertake, much more so than an attribute of the technology itself (Limi actually agrees). By extension this means that with enough expertise and ongoing attention, you can maintain a well locked-down Joomla instance.

Part of the the issue with Joomla and Drupal is that they are perceived as target-rich environments for bad guys, and therefore get targeted more often. So, if you are running Joomla, you'll have to pay more attention on an ongoing basis than if you're running Plone.

Victims of Success?

To some extent, that's the cost of being more in the mainstream.  Let's consider a third chart.

If you were going to target a platform, which would you chose? Perhaps obscurity can indeed sometimes bring more security.

That's why, in our Web Content & Experience Management vendor evaluations, one of the ratings criteria we use is "Threat Prevalence." This reflects how frequently and heavily a platform gets targeted, as well as how successfully. By the way, some commercial platforms don't score well, either.

Finally, it's important to recognize that many security threats stem from internal actors rather than external hackers. That's actually good news; you can usually control your internal environment much more easily than your external website.

Still, the debate rages. What do you think?

Our customers say...

"The Web CMS Research is our reference work for web content management projects. It allows us to rapidly zero in on the right solution for each unique content management application. I can't imagine starting a new a project without it."

Alden Hart, CTO, Ten Mile Square Technologies

Other Web Content & Experience Management posts

Sitecore Plus Stylelabs: Three Takeaways

  • October 9, 2018

RSG has covered both vendors since practically their inception in our WCM and DAM evaluation research streams. Here's three quick takeaways....

Web CMS Tasting Notes

  • September 11, 2018

What if we could do simple "tasting notes" for certain WCM vendors, like wine critics do? What would we say? Quite tongue-in-cheek, here's a sampling...

The Sitecore Paradox

  • September 3, 2018

The vendor's focus on core R&D and channel-based selling proved a winning business strategy, but I think Sitecore has hit a ceiling in recent years....

MD