This article is a brief outline of the security of the Open Source Content Management System (CMS) Drupal and a justification of it as an enterprise solution through demonstrated deployments.
Drupal is a very secure and powerful Open Source option when implemented by Drupal and Open Source software experts. In summary, the tools are only as good as the person who is using them. Many Government departments and prominent websites are moving to the Drupal platform due to its flexibility and security. Departments such as the Australian Competition and Consumer Commission (ACCC), the Department of Education, Employment and Workplace Relations and the Department of Families, Housing, Community Services and Indigenous Affairs (FaHCSIA) are currently in the process of moving their sites to the Drupal platform.
Infinite Networks, the company I am involved with, is a specialist in Open Source software, including contributing to the Open Source community to develop software applications like Drupal. This includes adding new features, fixing bugs and closing security holes if found. We provide enterprise advice to Government Departments and Organisations on appropriate deployment and hosting of Open Source software and web servers, Drupal included.
Below is some supporting information taken from the Drupal website.
Is Drupal secure?
Drupal has a very good track record in terms of security, and has an organized process for investigating, verifying, and publishing possible security problems. Drupal’s security team is constantly working with the community to address security issues as they arise. More information about this process can be found in that section of the handbook.
Is open source software secure?
The short answer is that open source software is as secure or more secure (in general) than commercial software. The increased security of using open source was cited as one reason the White House switched to Drupal. A report from IBM to support this can be found at ftp://ftp.software.ibm.com/linux/pdfs/IEEEArticle.pdf
On live sites, what vulnerabilities have been found or exploited?
Professional security audits of Drupal sites have generally found that the vast majority of security holes (90% or more) are present in the custom theme or modules written by that site’s developers. That code did not get the same public scrutiny that all code on drupal.org receives. In addition, problems at the server level (such as using insecure protocols like FTP) are more likely to be the means of a successful attack than a vulnerability in Drupal – especially Drupal core.
Some prominent Australian websites that use Drupal
Prominent International Sites
This information has been directly referenced from the following sources