Last summer, I did a quick count of the number of known security vulnerabilities in common open-source CMS products, and their underlying software stacks. The results were rather eye-opening.
I thought it might be time for an refresh. Once again, my protocol was simple: I searched the MITRE CVE list of known vulnerabilities and counted the number of results.
Here are the most recent results, with last July’s results in parenthesis for comparison, followed by the percentage growth rate:
- Plone: 3 (3) – 0%
- Drupal: 55 (22) – 150%
- Mambo: 91 (31) – 194%
- Joomla!: 74 (20) – 270%
- Zope: 16 (15) – 6%
- MySQL: 129 (99) – 30%
- Python: 18 (17) – 5%
- Rails: 2 (0) – infinite
- PHP: 2271 (1258) – 80%
- Ruby: 14 (7) – 100%
- Perl: 105 (97) – 8%
Again, Plone, Zope and Python come out with remarkably low total issue counts and extremely low rates of new issues being found. Perl also seems doing pretty well, with relatively few new issues being found. Rails is also looking pretty good.
The rate of growth in new PHP vulnerabilities is still pretty staggering, both in absolute and percentage terms.
I’m also surprised to see the number of vulnerabilities in Drupal, Mambo and Joolma! continue to soar. (Joomla! 270%! Ouch!) It’s worthwhile to note that many of these vulnerabilities (but not all) are in add-on modules rather than the core products, and so may reflect more on individual module developers than the platform as a whole. Still, the fact that these products’ security exposures are growing considerably faster than that of their underlying PHP/MySQL frameworks is intriguing.
Again, in the end, these data don’t really prove anything, but they certainly are an interesting metric to keep an eye on over time.
I don’t think most folks choosing CMS platforms (or programming languages/frameworks), either as customers or as developers, are really considering the security track records of different tools. Should they?