
I’ve vaguely been aware for quite some time that Plone and Zope have an outstanding security record. But I didn’t quite realize how good it is until tonight.

Measuring or quantifying security risks in software is pretty tough stuff. But one interesting measure I found was the number of vulnerabilities reported in MITRE’s Common Vulnerabilities and Exposures (CVE) database, which is the main source for tracking and naming such things.

Here are some counts of the numbers of known vulnerabilities and exposures in some common CMS platforms and their technology stacks:

  • CVE Entries containing Plone: 3
  • CVE Entries containing Zope: 15 (only 3 since 2004)
  • CVE Entries containing Python: 17
  • CVE Entries containing Drupal: 22
  • CVE Entries containing Mambo: 31
  • CVE Entries containing Joomla: 20
  • CVE Entries containing Alfresco: 0
  • CVE Entries containing MySQL: 99
  • CVE Entries containing PHP: 1258
  • CVE Entries containing Ruby: 7
  • CVE Entries containing Perl: 97
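The counts above come from searching the CVE database for entries whose text contains a product name. As an added example (not code from the post or from any of the projects named), the script below shows why that kind of keyword count is only a rough signal: it runs both a description-keyword count and an affected-product count over a small constructed set of CVE-like records, and lists the entries a keyword search attributes to a product that its affected-product list does not actually name. The record shape, the product names and the `CVE-0000-*` identifiers are all constructed placeholders, not real CVE data.

```python
from collections import Counter

# Constructed sample records in a simplified CVE-like shape.
# Identifiers are placeholders; none of these are real CVE entries.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "year": 2006,
     "description": "Cross-site scripting (XSS) in Plone allows remote attackers to inject script.",
     "affected": [{"vendor": "plone", "product": "plone"}]},
    {"id": "CVE-0000-0002", "year": 2006,
     "description": "Zope does not properly restrict access to a management view.",
     "affected": [{"vendor": "zope", "product": "zope"}]},
    {"id": "CVE-0000-0003", "year": 2005,
     "description": "Buffer overflow in PHP allows attackers to execute arbitrary code.",
     "affected": [{"vendor": "php", "product": "php"}]},
    # Mentions Python in the text, but the affected product is a hypothetical C library.
    {"id": "CVE-0000-0004", "year": 2006,
     "description": "The Python bindings for libexample do not validate buffer lengths.",
     "affected": [{"vendor": "example", "product": "libexample"}]},
    # Mentions PHP in the text, but the affected product is Drupal.
    {"id": "CVE-0000-0005", "year": 2006,
     "description": "Remote code execution in a Drupal module written in PHP.",
     "affected": [{"vendor": "drupal", "product": "drupal"}]},
    {"id": "CVE-0000-0006", "year": 2003,
     "description": "Zope allows remote authenticated users to bypass a permission check.",
     "affected": [{"vendor": "zope", "product": "zope"}]},
]


def keyword_counts(records, terms):
    """Count records whose description contains each term (case-insensitive substring).

    This mirrors a plain 'CVE entries containing X' search and will count
    entries that merely mention X in passing.
    """
    counts = Counter()
    for rec in records:
        desc = rec["description"].lower()
        for term in terms:
            if term.lower() in desc:
                counts[term] += 1
    return {term: counts[term] for term in terms}


def product_counts(records, terms, since=None):
    """Count records whose affected-product list names each term exactly.

    `since` optionally restricts the count to records from that year onward,
    e.g. to reproduce a 'since 2004' figure.
    """
    counts = Counter()
    for rec in records:
        if since is not None and rec["year"] < since:
            continue
        products = {entry["product"].lower() for entry in rec["affected"]}
        for term in terms:
            if term.lower() in products:
                counts[term] += 1
    return {term: counts[term] for term in terms}


def keyword_only(records, term):
    """IDs a keyword search attributes to `term` although no affected product is `term`."""
    hits = []
    for rec in records:
        in_text = term.lower() in rec["description"].lower()
        in_products = term.lower() in {e["product"].lower() for e in rec["affected"]}
        if in_text and not in_products:
            hits.append(rec["id"])
    return hits


if __name__ == "__main__":
    terms = ["Plone", "Zope", "Python", "PHP", "Drupal"]
    print("keyword counts:", keyword_counts(SAMPLE_RECORDS, terms))
    print("product counts:", product_counts(SAMPLE_RECORDS, terms))
    print("Zope since 2004:", product_counts(SAMPLE_RECORDS, ["Zope"], since=2004))
    for term in terms:
        extra = keyword_only(SAMPLE_RECORDS, term)
        if extra:
            print(f"counted for {term} by keyword only: {extra}")
```

On the constructed data the keyword count credits Python with one entry and PHP with two, while the affected-product count credits Python with none and PHP with one; the difference is exactly the kind of noise a language-name search picks up, and it cuts both ways (a record about a PHP application may never use the word "PHP"). Comparing the two counts, and filtering by year, is a cheap sanity check before drawing conclusions from raw search-result totals.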

This data proves nothing, and suggests lots of things. To me, it suggests that PHP is a horribly insecure programming language compared with Python, Perl and Ruby, and that CMS frameworks that use PHP have some huge security obstacles to overcome.

Alexander Limi, co-founder of Plone, told me that to the best of his knowledge, there has NEVER been a security breach of a production Zope server. That’s astounding. But it’s hard to document the absence of such attacks.

The Zope team is so confident in its security, though, that it’s pursuing Common Criteria certification for Zope 3. (Common Criteria is an international common set of standards for evaluating IT security.) That’s pretty ambitious, but it looks like they are well on the way.

My bottom line: Plone and Zope take security seriously, and it shows.

I would be very interested in other ways to measure or document Plone and Zope’s security. Any thoughts?

6 Responses to “Plone and Zope Security”

  1. blog says:

    Plone and Zope Security

    My response to Jon Stahl’s post of the same title. I count Nessus Plugins and come up with about the same stats. Short version, Zope and Plone are doing well regarding security.

  2. Jon Stahl says:

    Fascinating…. thanks for sharing, Skeeter.

  3. skeeter says:

    Though Zope/Plone are doing well with security, apparently my older Quills blog is not doing so well with posting trackbacks…. ;o)

    Since I logged in with https, the trackback used an https link…

    Here’s a link that should work….

    http://castlemurphy.com/blog/archive/2006/07/25/plone-and-zope-security

  4. Jon Stahl says:

    Fixed, thanks, Skeeter.

  5. [...] Last summer, I did a quick count of the number of known security vulnerabilities in common open-source CMS products, and their underlying software stacks. The results were rather eye-opening. [...]

  6. dudeWithACar says:

    I know of one security breach of a Zope server. And actually, it was just a case of leaving the door wide open.
    It was in production (though probably shouldn’t have been).
    What had happened was they used an installer where the username:password combo was admin:admin and the attacker either guessed or used a dictionary and then defaced the site.
