about
blog
tutorials
TYPO3 as good as its competitors in web application security
Posted on March 01, 2010 by .
IBM has recently released its X-Force 2009 Trend and Risk Report. This report summarizes reported web application vulnerabilities in 2009. TYPO3's overall "performance" is as good as its Open Source competitors like Drupal, and Joomla!. The number of vulnerabities in the CMS cores are more or less equally; when taking third-party addons/extensions/modules into account choosing TYPO3 seems to be slightly better than Drupal or Joomla!. However, this might also be caused by different total numbers of available third party plugins.
|
Product |
Base Platform |
Plug-ins |
Total |
|---|---|---|---|
|
Drupal |
0.2% |
2.5% |
2.7% |
|
Joomla! |
0.2% |
2.5% |
2.6% |
|
TYPO3 |
0.3% |
1.2% |
1.5% |
The report additionally considers vulnerabilities w/ and w/o patches. In regards to this, TYPO3 numbers seem to be odd. I'm not aware what IBM considers as unpatched. For TYPO3 core there weren't and aren't vulnerabilities disclosed for the base platform without providing patches. Either IBM is taking versions into account that aren't officially supported any longer or wrongly considers a non-issue issue I covered in a previous blog post.
|
Platform |
Base Platform |
Plug-ins |
|---|---|---|
|
Drupal |
18% |
13% |
|
Joomla! |
8% |
80% |
|
TYPO3 |
5% |
51% |
We see a relatively high percentage of unpatched vulnerabilities in plug-ins (Joomla! and TYPO3 specifically). At least for TYPO3, this can be explained. TYPO3 is on the market for years now. Plug-ins are an essential part of a TYPO3 installation to bring missing functionalities. Therefore we have really old and no longer maintained plug-ins in the TYPO3 extension repository. Besides, security awareness wasn't that good in the good old days.
There's a high change that extensions with unpatched vulnerabilities are no longer in use or even aren't working anymore. Also, if the maintainer decides to stop support for an extension, TYPO3 security team won't provide patches. Providing patches in such cases would mean that the TYPO3 Security Team is responsable for these extensions forever and ever. Nonetheless, we encourage the TYPO3 community to contact the TYPO3 Security Team to take over maintainership of unpatched vulnerable extensions. Then a fixed version of the extension might again appear in the TYPO3 extension repository.
Still, I'm curious why Drupal has a significantly lower number of unpatched vulnerabilities in their plugins. Enlighten me!
Providing third-party plugins is always a tradeoff between security and user-friendlyness. You want to keep burdens low to provide additional functionalities and so help spreading the product. Then, overall quality of third-party plug-ins is definitely not as good as the base platform. So choose your plug-ins wisely and make a basic check by having a first or second glance on the code.
What I believe is more important, all mentioned CMS vendors above have professionally working teams that take care of security in the base product and third-party plug-ins. Every software product contains bugs. If you need to choose one CMS over other ones, check out the vendor's security awareness. If there's one CMS product without any disclosed vulnerabilities, it's either brand-new, not widely spread or doesn't care of security issues. If in doubt, better avoid such product.
In regards to security, Drupal, Joomla! and TYPO3 seem to be equal. In the end, functionality matters. You won't make a security mistake by choosing one over the others.
I'd like to take this posting as a change to say thanks to the TYPO3 Association. The Association cares about the security in their baby at least as much as the TYPO3 Security team does. They are giving us - the TYPO3 Security Team - a decent budget to cope with security issues. Thanks again. By being a TYPO3 Association Member you help to have a secure CMS. If you ever asked yourself, where your fees are spent on - not only on development but also partly on the TYPO3 Security Team. And it's definitely worth it.
One additional figure from the TYPO3 Security Team:
In 2009 we have handled 317 reports in total; starting with suggestions on how to improve security, over support requests on hacked servers and of course vulnerability reports in third-party plug-ins and TYPO3 core. That's an impressive number considering the small number of security team members.
Disclaimer:
X-Force statistical data are used as are. I personally do not warrent their correctness. IBM and X-Force are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.
- 0 Comment(s)
Your comment