2008/2/21 Toshio Kuratomi <a.badger(a)gmail.com>:
This is a highly inaccurate measure of security but it's something to
look at. I wonder if lkundrak and the security team have a preference
for blogging/news software :-)
Number of CVEs listed on http://nvd.nist.gov/nvd.cfm

          wordpress  drupal  mediawiki  zope  plone
    2008         30      17          1     0      0
    2007         64      37          7     2      1
    2006         21      39          4     1      3
I looked at WordPress a bit this morning as well. I used the same
source as Toshio did, but I think I used a slightly different search
than him. I used the Advanced search and set the Product to
WordPress. That yielded these numbers:
2008: 13
2007: 42
2006: 16
If you search the vuln database for just wordpress it pulls in a lot
of plugins for WordPress that have issues. Even the search I did
pulled in results for plugins for WordPress and not just core
WordPress components. So I went through 2008 and 2007 to see which
results in my search affected core WordPress bits and which were for
optional plugins. Those results were:
2008: 7
2007: 36
Several of the hits for those two years had been for things like
custom themes someone had provided or guest books or an image gallery.
I also looked briefly at the versions affected. Just using 2008
as an example, there were still 7 security issues listed for core
WordPress components so far. But if you figure you probably shouldn't
still be running a 2.0.x or 2.1.x version of WordPress in 2008,
then another 5 CVEs drop off the list, leaving 2008 at 2 CVEs.
To be fair, I only looked this closely at WordPress. It is quite
likely Drupal's numbers would drop if I looked through those results
and made decisions on which affected core bits and which affected
plugins to Drupal. Like Toshio already said, this isn't the greatest
way to determine the security of an app.
These numbers show a big difference between mediawiki and drupal or
wordpress. The questions are just how valid the numbers are and whether
we're confident that the combination of SELinux (which we will then
depend on; no more turning it off if we can't figure out a problem) and
mod_security will keep our servers and users of the sites safe from the
exploits that will appear.
With any application we provide we need to consider security. I think
SELinux is a valid means to help prevent damage from 0-day flaws as is
mod_security. They are tools in the toolkit we can use to help reduce
our attack surface. If we do move to PHP based apps, we could also
consider looking at suhosin [1] as another tool for the toolbox.
Thanks,
Jeffrey
[1] http://www.hardened-php.net/suhosin/
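As an added example (not code from this message or from the Fedora infrastructure thread), here is the filtering Jeffrey describes applied to constructed sample records instead of live NVD search results: each hit is classified as core WordPress or as an add-on from its affected-product entries, counted per year, and optionally dropped when it only touches maintenance branches you would not be running. The record layout, the EXAMPLE-* identifiers, the vendor/product names and the "core means vendor and product are both wordpress" rule are all assumptions made for the example.

```python
"""Per-year CVE counts for a product, split into core vs. add-on hits,
with an optional filter that drops hits affecting only end-of-life branches.

All records below are CONSTRUCTED sample data (not real CVEs) and the
core/plugin rule is an assumption about how NVD's affected-product list
distinguishes WordPress itself from themes and plugins written for it.
"""

# Assumed record shape: affected products as (vendor, product, version)
# triples, roughly what NVD's CPE entries resolve to.
SAMPLE_RECORDS = [
    {"id": "EXAMPLE-2008-001", "year": 2008,
     "affected": [("wordpress", "wordpress", "2.0.11"),
                  ("wordpress", "wordpress", "2.1.3")]},
    {"id": "EXAMPLE-2008-002", "year": 2008,
     "affected": [("wordpress", "wordpress", "2.3.2")]},
    {"id": "EXAMPLE-2008-003", "year": 2008,
     "affected": [("example_dev", "photo_gallery_plugin", "1.4")]},
    {"id": "EXAMPLE-2007-001", "year": 2007,
     "affected": [("wordpress", "wordpress", "2.1.1")]},
    {"id": "EXAMPLE-2007-002", "year": 2007,
     "affected": [("example_dev", "guestbook_theme", "0.9")]},
    {"id": "EXAMPLE-2007-003", "year": 2007,
     "affected": [("wordpress", "wordpress", "2.2.1"),
                  ("example_dev", "contact_form_plugin", "2.0")]},
]

# Assumed rule: a hit counts as "core" only if an affected entry names the
# product itself; anything else (themes, galleries, guest books) is an add-on.
CORE = ("wordpress", "wordpress")


def core_versions(record):
    """Core-product versions this record affects (empty for add-on-only hits)."""
    return [ver for (vendor, product, ver) in record["affected"]
            if (vendor, product) == CORE]


def is_core(record):
    return bool(core_versions(record))


def branch(version):
    """Maintenance branch of a version string: '2.0.11' -> '2.0'."""
    return ".".join(version.split(".")[:2])


def counts_by_year(records, eol_branches=()):
    """Return {year: {"core": n, "plugin": n}}.

    A core hit is dropped when every core version it names belongs to a
    branch in ``eol_branches`` (e.g. ("2.0", "2.1")), which is the same
    reasoning as discounting hits that only affect releases nobody should
    still be running. Add-on hits are never filtered by version here.
    """
    out = {}
    for rec in records:
        bucket = out.setdefault(rec["year"], {"core": 0, "plugin": 0})
        if is_core(rec):
            versions = core_versions(rec)
            if eol_branches and all(branch(v) in eol_branches for v in versions):
                continue
            bucket["core"] += 1
        else:
            bucket["plugin"] += 1
    return out


def report(records, eol_branches=()):
    """Plain-text table in the style of the thread, one line per year."""
    counts = counts_by_year(records, eol_branches)
    lines = ["year  core  plugin"]
    for year in sorted(counts, reverse=True):
        c = counts[year]
        lines.append("%4d  %4d  %6d" % (year, c["core"], c["plugin"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print("All hits:")
    print(report(SAMPLE_RECORDS))
    print("\nIgnoring hits that only affect 2.0.x / 2.1.x:")
    print(report(SAMPLE_RECORDS, eol_branches=("2.0", "2.1")))
```

Run against a real export the same two numbers Jeffrey computed by hand fall out: the core-only count per year, and the smaller count once end-of-life branches are discounted. The add-on column is the part of the raw NVD total that inflates a product search, which is why the raw numbers in Toshio's table overstate the core codebase's record.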