Open source software security

Goodbye Drupal

2 August 2012

I moved my site off Drupal this week, once and for all. I've been reluctant to leave Drupal, mostly because of the hassle, but at some point over the past month my increasing concern over the security of Drupal, and the fact that my server has crashed under load a couple of times, finally convinced me to go cold turkey.

Readers may be aware that I'm fairly well known as a Drupal security researcher. This distinction is a dubious honor, in my eyes. I never wanted to be a Drupal security specialist, but some projects I was doing for work forced me to take a lead role in understanding, deploying, managing and securing Drupal sites. I moved my own site into Drupal to help me get a better handle on Drupal as well as get more experience actually using Drupal so I could provide better support.

Recently I began to wonder about several core components of Drupal. For one, the administrative interface is available via the web. With the increasing proliferation of web-based attacks, this made me more and more nervous. First I blocked access to the administrative interface, deactivated all the accounts, and took other measures to protect it (such as altering Drupal core to disallow PHP input types). The problem was, the code was still sitting in the web root. All it would take would be one mistake and suddenly the Drupal admin interface would be exposed to the web. I took precautions such as installing modules to detect and block brute force attacks, restricting comments, and so on, but I was still worried.

The second issue is one of both security and stability. Several times web crawlers hit my Drupal site and simply chewed up all of the system resources, resulting in a denial of service. The fact that Drupal invokes so much overhead in page composition means that far fewer page requests are required to exhaust the web server's memory. After multiple times having to connect to the host and restart the web server, I decided that Drupal was just too heavyweight to be running on the limited resources of my server. I've always been a fan of doing more with less (I was once told that the best hackers came from the former Soviet Union, not because of education, but because they were very resource limited and had to learn to write code extremely smartly to run on the older, weaker hardware they had available. Even if it isn't true, I've always respected the notion). The fact that Drupal has become, in my opinion, bloatware, was a big disincentive for use.

Of course, all that code under the hood means that Drupal is extremely insecure. The larger the codebase, the greater the chance of a bug. Increased complexity leads to a decrease in security. The fact that there are so many parts to Drupal means that even if there aren't blatant code-level bugs, there can still quite easily be logic flaws. I've spent years finding holes in Drupal, to the tune of hundreds, and my confidence in the software decreased with each find. The fact that Drupal evolves so quickly, has such a massive codebase, and is constantly being updated makes it a security nightmare. I felt that it was only a matter of time until someone found a vulnerability that affected my site, and so I decided to switch back to a streamlined version of a custom content presentation suite that I wrote long ago. Instantly the codebase for presenting my site dropped from tens of thousands of lines of code to less than 300 lines of code. With such a small codebase it's quite easy to ensure that all your database queries use prepared statements and all your output is filtered. The response time is much faster as well, and the server load dropped dramatically.
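As an added illustration of the two practices named above, and not the author's own content suite (which the post does not show), here is a minimal PHP page renderer that looks a page up by slug with a PDO prepared statement and escapes every value before it reaches the browser. The table layout, the `p` query parameter and the sample row are assumptions, and an in-memory SQLite database stands in for the site's real one so the script runs offline.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite database standing in for the real one.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares where the driver supports them
]);
$db->exec('CREATE TABLE pages (slug TEXT PRIMARY KEY, title TEXT NOT NULL, body TEXT NOT NULL)');
$seed = $db->prepare('INSERT INTO pages (slug, title, body) VALUES (:slug, :title, :body)');
$seed->execute([
    ':slug'  => 'goodbye-drupal',
    ':title' => 'Goodbye Drupal',
    ':body'  => "Moved off Drupal.\n\nSmaller codebase, fewer places for bugs to hide.",
]);

// Escape once, at output time, for the HTML context the value lands in.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The slug comes straight from the URL and is never interpolated into the SQL string:
// it travels as a bound parameter, so quotes or SQL keywords inside it are just
// characters of a slug that matches no row.
function renderPage(PDO $db, string $slug): string
{
    $stmt = $db->prepare('SELECT title, body FROM pages WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return '<h1>Not found</h1>';
    }
    // Paragraph breaks are applied in code, so the only markup in the output is markup written here;
    // anything that came from the database passes through h() first.
    $paras = array_map(
        fn(string $p): string => '<p>' . h($p) . '</p>',
        explode("\n\n", $row['body'])
    );
    return '<h1>' . h($row['title']) . '</h1>' . implode('', $paras);
}

$slug = $_GET['p'] ?? 'goodbye-drupal'; // assumed query parameter; falls back to the sample page under CLI
echo renderPage($db, $slug), "\n";
```

With the whole request path this short, every query and every output point can be read and checked by hand, which is the point the paragraph above makes about a sub-300-line codebase.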

Apologies to readers who have found broken links and unformatted content. I'm slowly working my way through the backlog of content to fix it up and make it presentable. Please feel free to contact me using the nav links if you find anything amiss. I appreciate everyone who comes to my site looking for information or simply to learn something new. Hopefully the site will be more responsive and stable now, and I will sleep a little easier knowing it is more secure.