Open source software security

Is Drupal Ready for the Enterprise?


Drupal (http://drupal.org) is a robust, long-lived, and quite vibrant open source content management system (CMS) supported by a broad community. Although Drupal has many of the trappings of an enterprise-level CMS, such as dedicated development and security teams and commercial backing from companies like Acquia and others, it may not be fully ready for the enterprise. I will define enterprise software as large-scale software that supports a diversity of users, separation of privilege and roles, and business workflow management.

From a support perspective, Drupal presents a number of challenges. Although Drupal runs on other enterprise-standard software platforms (Apache, PHP, MySQL), you may find that a lot of staff time gets devoted to maintaining your Drupal installation. Over the 14-month period between April 2008 and May 2009, Drupal released 9 security-related core updates (for both version 5 and the newer version 6). These updates required that the Drupal core, the non-modular base system, be replaced. Each such update requires staff time to replace the core, move modules, themes, and sites, and reconfigure installations. The process should also include testing and review of each site running on Drupal to ensure that the upgrade did not break functionality or service. This means that roughly every month and a half staff would have to set aside time to upgrade the Drupal core, migrate data, and test sites. These statistics cover core upgrades only and do not include the myriad module updates that require a similar process of patching and testing. In April 2009 alone there were 7 module-related security updates.

Although Drupal stands at the forefront of many interactive functions and Web 2.0 initiatives, it may, perhaps, be time for Drupal to settle into a model that can support enterprise deployments. Thorough security reviews should be made of the Drupal core to find and fix vulnerabilities before release and so cut down on the upgrade cycle. Perhaps Drupal could designate one version (say the stalwart Drupal 5) as an enterprise-class platform and dedicate resources to a full security audit of it.

Modules are problematic as well. Although there are many popular modules in use across a wide majority of Drupal installations, there is also a host of smaller modules with limited deployments. Code quality, security, and reliability vary wildly across the module codebase. This results in frequent problems, and consequent upgrade hassles, with many Drupal modules. Perhaps the Drupal team could select a set of widely used modules, vet them to ensure their quality, and certify them or otherwise provide some assurance as to their security and stability.

Some of the security issues with Drupal systems are well known but do not get addressed. For example, not requiring a user to re-enter the existing password in order to change it means that a Cross-Site Request Forgery (XSRF) attack can change a logged-in user's password without the attacker ever knowing the current one. Drupal does not provide SSL-based authentication out of the box. Drupal has known issues with certain permissions, and rather than fixing them the project recommends assigning those permissions with care. Such issues raise serious questions about the overall security impact a Drupal installation would have in the enterprise.
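The re-authentication and anti-forgery checks that a password-change form needs, as an added example written for this page in Python; it is not Drupal's code. The user record, session store and form dictionaries are constructed stand-ins for a web framework's request handling.

```python
import hashlib
import hmac
import os
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest (stand-in for the CMS's password hashing)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> dict:
    """Constructed user record: salt plus password hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def new_session() -> dict:
    """A per-session anti-CSRF token is minted when the account form is rendered."""
    return {"csrf_token": secrets.token_hex(16)}


def verify_password(user: dict, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, user["salt"]), user["hash"])


def change_password(user: dict, session: dict, form: dict) -> str:
    """Handle a password-change POST for the logged-in user; returns a status string."""
    # 1. The form must carry the token tied to this session. A forged cross-site
    #    POST rides on the victim's cookie but cannot read the token value.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return "rejected: missing or bad CSRF token"
    # 2. Re-authenticate with the current password. This is the check the text
    #    says is missing: even a forged request that somehow carried a valid
    #    token cannot supply a secret the attacker does not know.
    current = hash_password(form.get("current_password", ""), user["salt"])
    if not hmac.compare_digest(current, user["hash"]):
        return "rejected: current password incorrect"
    new_password = form.get("new_password", "")
    if len(new_password) < 8:
        return "rejected: new password too short"
    user["salt"] = os.urandom(16)
    user["hash"] = hash_password(new_password, user["salt"])
    # Rotate the token so a captured form submission cannot be replayed.
    session["csrf_token"] = secrets.token_hex(16)
    return "ok"
```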

Drupal is a wonderful content management system, and it definitely has a large, dedicated, and growing community of users and contributors. However, as the system gains notice and businesses look to Drupal to provide CMS solutions, Drupal may have to change to address this new community. While Drupal clearly meets the needs of individuals and small organizations, as the organizations looking to adopt it grow to the enterprise level, Drupal may need to take steps to address the needs of enterprise customers: scalability, stability, and security.