Open source software security

The Case For and Against Drupal


I've spent a lot of time in my professional career touting Drupal as a solution for enterprises looking to offer web application capabilities without the massive overhead of a development team. Drupal is a great tool to support these sorts of endeavors, but lately I've been asking myself whether it makes sense to use Drupal to power smaller projects. Drupal provides a host of features and functionality that make it easy to implement a complex web application, and it provides robust management and reporting capabilities. However, if you're not using these features, they become bloat.

Complexity is always the enemy of security, and as Drupal becomes more complex it also becomes less secure: every feature you install but don't use is still attack surface you have to patch. A look back over the security releases of the last year alone reveals a pretty dynamic security landscape for Drupal. Many of the core updates required a complete re-install of the Drupal code base. Dozens of holes were found in third-party modules as well, each requiring an upgrade. This made Drupal a fairly expensive proposition from a logistical standpoint: you had to commit yourself to a regular upgrade cycle in order to run a safe Drupal installation.

In many cases the complexity that introduced security flaws wasn't necessary to run small or simple sites. Why then would the webmaster of such a site choose Drupal? Out of the box, Drupal is easy to set up and configure, so there is a short-term gain when comparing an off-the-shelf CMS like Drupal with a custom-built one. However, over the long haul a custom CMS is targeted only at the required functionality of a site and so will be more secure. This means fewer security upgrades and a more compact code base. Given this trade-off, is Drupal worth it? I'm beginning to think no. Having to constantly monitor and upgrade my Drupal install, and tend to the system to prevent problems, is becoming problematic. It seems that much of the time I saved in the up-front deployment is being spent over the life cycle of Drupal sites on upgrades. Given this perspective, I think new site developers should think carefully about the long-term costs of Drupal before committing.