Any web application, written in any language, is never “finished”. Unlike the days of old, when static web pages sat on a server unchanged, websites have evolved into living, breathing applications, and as such introduce greater levels of functionality, but along with that, greater security risks.
PHP is a popular server-side scripting language, and it’s estimated to be powering over 20 million websites. The PHP language is open source, as is the database that typically powers PHP applications, MySQL.
While PHP is a powerful language, it in and of itself isn’t inherently secure. This is true of any language, whether it be Ruby, ASP, .NET or ColdFusion. A modern approach to web application development is to build on a mature framework on top of one of these languages. Ruby has Rails, .NET has .NET Nuke, and PHP has frameworks such as Zend and CakePHP, as well as Drupal, which lives somewhere between a framework and a content management system.
While it is true that anyone can take the code from Drupal and do whatever they like with it, it’s explicitly stated in its documentation that doing so is an unsupported and highly discouraged practice.
Rather, major releases of Drupal are not unlike the operating system you run on your computer. While Windows and Mac OS give you total access to all the files in your system folder, should you modify them, you’re at greater risk of compromising your machine than if you only added or changed files in designated locations such as your documents folder. In addition, as security flaws are discovered in Windows and Mac OS, updates are made available, and, in general, if you haven’t made any modifications to the underlying operating system that powers your machine, security updates are usually small, quick and painless, and you reduce the risk of attacks.
Drupal follows this same approach. While every site sitting on top of it is different, they are all powered by the same core. As vulnerabilities are discovered in major releases, patches are made available, and are not announced widely until the problem has been solved. Starting with Drupal 6.0, sites are actually aware of when newer versions of Drupal core and contributed modules and themes are made available, making it easy for a site administrator to stay on top of these updates.
Drupal has an upgrade mechanism, as well as a very popular automatic backup solution.
Since the release of Drupal 5, it has been trusted to power whitehouse.gov, many of the Sony BMG artist websites, many of the Time Warner websites, the Economist, several New York Times microsites, Fastcompany.com, NASA, several of the Census Bureau microsites, The New York Observer, and hundreds of thousands of other sites.
Drupal has a security team in place that is constantly evaluating not only the core Drupal package, but the 4000+ modules contributed by the community. To aid secure development standards, Drupal has implemented what’s referred to as a database abstraction layer, and has various techniques for ensuring any data entered by a user does not contain malicious code. In short, this ensures a user submitting content could never enter any code from their browser that would result in an attack on the database, because before it even reaches there, it is stripped out.
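To make the database abstraction layer concrete, here is an added example (not code from the original post, and not Drupal’s own code) showing the difference between building a query by string concatenation and building it with the placeholders the Drupal 6 db_query() API provides. It assumes a bootstrapped Drupal 6 site; the example_ function prefix is a hypothetical module name, and the node titles are whatever the site holds.

```php
<?php
// Added example, not from the original post or from Drupal core.
// Assumes Drupal 6 is bootstrapped (db_query, db_result, db_fetch_object,
// check_plain and theme are core functions); "example_" is a hypothetical
// module prefix.

/**
 * UNSAFE: user-controlled input is pasted straight into the SQL text.
 * Whatever arrives in the request becomes part of the query itself, which is
 * exactly what the abstraction layer exists to prevent.
 */
function example_node_title_unsafe() {
  $nid = $_GET['nid'];
  return db_result(db_query("SELECT title FROM {node} WHERE nid = " . $nid));
}

/**
 * SAFE: the same lookup through db_query() placeholders.
 * %d casts the argument to an integer before substitution, so a value that
 * is not a number can never change the shape of the statement. The {node}
 * braces let the abstraction layer apply any configured table prefix.
 */
function example_node_title($nid) {
  return db_result(db_query("SELECT title FROM {node} WHERE nid = %d", $nid));
}

/**
 * SAFE: string input via the '%s' placeholder, which runs the argument
 * through db_escape_string() so it is treated as data, not SQL. The %% pairs
 * are literal percent signs for the LIKE pattern; they are not placeholders.
 * Note that escaping protects the query, not the pattern: a user can still
 * supply LIKE wildcards, which only affects what matches.
 */
function example_find_titles($fragment) {
  $result = db_query(
    "SELECT nid, title FROM {node} WHERE status = 1 AND title LIKE '%%%s%%'",
    $fragment
  );
  $titles = array();
  while ($row = db_fetch_object($result)) {
    // Stored content is escaped again on the way out: check_plain() encodes
    // <, >, & and quotes so a title is rendered as text, never as markup.
    $titles[$row->nid] = check_plain($row->title);
  }
  return $titles;
}

/**
 * Page callback that ties the two halves together: validated input in,
 * escaped output out.
 */
function example_title_page($fragment = '') {
  $items = example_find_titles($fragment);
  if (empty($items)) {
    return t('No matching titles.');
  }
  return theme('item_list', array_values($items));
}
```

The two safe functions show the layer working at both ends: placeholders keep untrusted values out of the SQL grammar on the way into the database, and check_plain() keeps stored values out of the HTML grammar on the way back to the browser. Neither step replaces the other.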
Drupal also supports various Captcha solutions to cut down on automated spam and ham.
To learn more about Drupal’s security team, visit: http://drupal.org/security-team
The current major Drupal release and the previous major release are always supported by the team. Currently this is Drupal 5.x and 6.x; sometime in early 2010, Drupal 7.x will be released, and Drupal 6.x will remain supported by security updates until Drupal 8.x is released. This is typically a 2-3 year lifecycle, and upgrade paths are generally provided between major releases.
(via herheadhurts)