Security and Open Source Content Management Systems (CMS)
It is every IT manager's nightmare. Your website has been hacked and defaced, private and sensitive information has possibly been compromised, and gateways to internal systems may have been exposed. This can happen to any business, and with the rapid expansion of the open source software industry it is particularly affecting small business.
One of the aspects most often overlooked when evaluating web software is security. Choosing an open source CMS, particularly one of the popular ones, can leave you wide open to hackers. No matter the size of your company or of your site, this is something you should definitely take into account. Make sure you read between the lines.
Many of our competitors "sell" solutions which include these open source packages. This offers a price advantage, as they don't have to pay for the software they use in their solution. They will often choose the most popular systems, because they offer the most features and the largest communities. In doing so, they forfeit much control over the software they build their solutions on, lack understanding of how it works and how to protect it from attack, and unless they actively update and maintain the software and apply patches (which many don't), they leave their customers' security wide open. When they customise it, how do you know that they aren't exposing new holes in the software to attack? This concerns you whether you outsource your website hosting or host your own website. Do you really know which system your developer has built your website with, and how much do you trust it?
Having been burnt on my own personal hobby projects by Mambo, Joomla and PHPBB (all open source systems), I can tell you first hand that it is not a pleasant experience when things go pear shaped and you don't know why. While I had applied every update and patch available, and although I did not customise one bit of code, I had both of these systems hacked and it caused me a lot of frustration and pain to get the sites up and running again. I have also heard first hand of many of the disasters that happen when uni students and amateur developers whack websites together with these tools. There is a big difference between this and a professional approach.
There are a few key principles to consider here:
1) If the software isn't secure, then your business is vulnerable
2) The more popular the system is, the bigger the target
3) Unless installations are updated, patched and maintained, they will inevitably be attacked; and sometimes even when precautions are taken
So here are a few tips for selecting a system that is secure and maintainable in the long term.
Don't leave yourself open
You'd be surprised at the damage that unsecured software can do. In terms of the web and content management systems, the best outcome is that your website is defaced. The worst is that you expose sensitive information to the outside world. There have been plenty of scandals involving credit card numbers and the like, and I'm sure that you don't want to be one of them.
Popular systems are targets
Websites running popular open source content management systems like Joomla, Drupal and Plone are some of the most attacked on the web. Popular open source website modules, such as the PHPBB discussion forum, are also highly vulnerable. Because there are now so many installations of these systems, they make a large target. Compare, for example, the discrepancy between the number of viruses and the frequency of attacks on PCs as opposed to Macs: with a larger install base, PCs are the systems that hackers target with their malicious code, while with a smaller install base, Mac users boast that their systems virtually don't need any virus protection.
Compounding this is the issue that, although web users can't tell the difference, sites running open source content management systems (CMS) are relatively easy for hackers to identify. The self-promotion methods built into the software mean that a simple Google search can sometimes generate a large list of them, and viewing the HTML and the patterns of URLs can reveal much more than you'd expect.
In their defence, many of these developers will claim that the software is more secure because it has the eyes of a large community of developers looking over the code to identify issues before they arise. Sure, this is true, but the Chaser APEC television pranks in 2007 exposed the fact that record numbers of eyes do not necessarily correspond to record levels of security. The fact that these open source systems are so regularly compromised, and that security patches are released so regularly, is testament to this. A coder has a very different view of the world from a hacker: one is constructive and the other is destructive. As well as this, with so many contributors, it is hard for them all to keep tabs on what everybody is adding while the software is being created.
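The paragraph above says that a site's own HTML and URL layout can advertise which CMS it runs. A site owner can check for that leakage before anyone else does. The following self-audit script is an added example, not Datalink's or Freestyler's code; the HTML, the URLs and the URL pattern table are constructed for illustration and the patterns are an assumption, not an authoritative list.

```python
"""Self-audit: does my site's HTML and URL layout advertise its CMS?

Added example (not from the original article). The sample HTML, URLs and
URL patterns below are constructed for illustration; adapt them to your site.
"""
import re
from html.parser import HTMLParser


class _GeneratorFinder(HTMLParser):
    """Collects <meta name="generator"> values and HTML comments from a page."""

    def __init__(self):
        super().__init__()
        self.generators = []
        self.comments = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        if (a.get("name") or "").lower() == "generator" and a.get("content"):
            self.generators.append(a["content"])

    def handle_comment(self, data):
        self.comments.append(data.strip())


# Illustrative URL patterns (assumed examples, not an exhaustive list).
URL_PATTERNS = {
    "Joomla": re.compile(r"index\.php\?option=com_\w+"),
    "phpBB": re.compile(r"/viewtopic\.php\?"),
    "Drupal": re.compile(r"/sites/default/files/"),
}

# Matches version strings such as "version 1.5.22" or "v2.0" in comments.
VERSION_RE = re.compile(r"\bv(?:ersion)?\s*\d+(?:\.\d+)+", re.I)


def find_cms_fingerprints(html, urls=()):
    """Return human-readable findings describing what the page and URLs leak."""
    parser = _GeneratorFinder()
    parser.feed(html)
    findings = []
    for g in parser.generators:
        findings.append(f"meta generator tag discloses: {g}")
    for c in parser.comments:
        if VERSION_RE.search(c):
            findings.append(f"HTML comment discloses a version string: {c}")
    for url in urls:
        for name, pat in URL_PATTERNS.items():
            if pat.search(url):
                findings.append(f"URL pattern typical of {name}: {url}")
    return findings


# Constructed sample page and URL list (not taken from any real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="ExampleCMS - Open Source Content Management">
<!-- built with ExampleCMS version 1.5.22 -->
</head><body>ok</body></html>"""
SAMPLE_URLS = [
    "/index.php?option=com_content&view=article&id=7",
    "/about-us",
]

if __name__ == "__main__":
    for finding in find_cms_fingerprints(SAMPLE_HTML, SAMPLE_URLS):
        print("-", finding)
```

Run it against a saved copy of your own home page and a list of links harvested from it; each finding is something to remove (the generator tag, the version comment) or to hide behind URL rewriting.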
Patches and Updates only last so long
Security vulnerabilities in computers don't stop at viruses. Microsoft releases security patches for its operating systems at a high frequency for this very reason. Some systems have easy-to-install updates and patches. But not everybody has the time and energy to stay alert and apply the latest patches, and even the slightest delay can leave you open to attack. Even if you host a site with an external provider, security can be a major issue.
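Knowing how far behind the vendor's releases each installed component is, and for how long a security fix has been sitting unapplied, is the check that turns "stay alert" into a routine. The script below is an added example, not code from the original article or from any CMS vendor; the component inventory and release histories are constructed sample data.

```python
"""Patch-lag check: how far behind the vendor's releases is each component?

Added example, not from the original article. The inventory and release
histories below are constructed sample data, not real release records.
"""
from datetime import date


def _vtuple(version):
    """Turn "3.0.5" into (3, 0, 5) so versions compare numerically."""
    return tuple(int(p) for p in version.split("."))


def patch_status(installed, releases, today):
    """Compare an installed version against a release history.

    releases: list of (version, release_date, is_security_fix).
    Returns the newest version, the security releases not yet applied, and
    how many days the oldest unapplied security fix has been available
    (0 when no security release has been missed).
    """
    cur = _vtuple(installed)
    newer = [r for r in releases if _vtuple(r[0]) > cur]
    missed_security = [r for r in newer if r[2]]
    latest = max(releases, key=lambda r: _vtuple(r[0]))[0]
    exposure_days = 0
    if missed_security:
        oldest = min(missed_security, key=lambda r: r[1])
        exposure_days = (today - oldest[1]).days
    return {
        "installed": installed,
        "latest": latest,
        "missed_security": [r[0] for r in missed_security],
        "exposure_days": exposure_days,
    }


# Constructed inventory: component name -> installed version (sample data).
INVENTORY = {"forum": "3.0.4", "gallery": "2.1.0"}

# Constructed release histories (sample data only).
RELEASES = {
    "forum": [
        ("3.0.4", date(2007, 1, 10), False),
        ("3.0.5", date(2007, 3, 2), True),
        ("3.0.6", date(2007, 5, 20), False),
        ("3.0.7", date(2007, 6, 15), True),
    ],
    "gallery": [
        ("2.0.0", date(2006, 11, 1), False),
        ("2.1.0", date(2007, 4, 12), True),
    ],
}


def audit(inventory, releases, today):
    """Return only the components that have missed at least one security release."""
    report = {}
    for name, version in inventory.items():
        status = patch_status(version, releases[name], today)
        if status["missed_security"]:
            report[name] = status
    return report


if __name__ == "__main__":
    for name, s in audit(INVENTORY, RELEASES, date(2007, 7, 1)).items():
        print(f"{name}: {s['installed']} -> {s['latest']}, "
              f"missed {s['missed_security']}, exposed {s['exposure_days']} days")
```

The useful number is `exposure_days`: it measures the window during which a published fix existed but was not applied, which is exactly the "slightest delay" the paragraph warns about. Feed it from your real inventory and the vendor's release notes, and alert when it is anything other than zero.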
Customising Software can create security holes
One of the key selling points of open source is that you can customise and own it. But if the developers working with it didn't build it and don't know its ins and outs, then they are unlikely to be able to ensure that it remains secure when they make changes. In every open source licence agreement, you'll find not only a huge number of disclaimers against changes made by third parties, but also against the software itself being secure.
Stick with the Safe Option
Our own software has gone through several security audits by third parties. Each and every released version goes through a security audit first. With a relatively low install base, Freestyler doesn't have a huge target over its head, but there are enough installations to ensure that it is a proven platform. With Datalink's assistance, Freestyler can still be customised yet remain secure. We also apply retrospective security patches even to older stable versions of our system. Being commercial open source means that third party developers can still work with the source code and call upon our advice and expertise to ensure that your sites remain secure for a long time to come.