• E-mail this page
• |  Print this page
• | 
• | 
• | 

CMS Security, By The Numbers

Six Apart's Anil Dash posted an interesting piece recently comparing the security of Movable Type, their blogging/CMS platform, to that of WordPress,which has suffered a number of security issues over the past few weeks. The results were surprising, to say the least.

Since the beginning of 2005, the Department on Homeland Security's National Vulnerability Database (NVD) has recorded of a total of 10 events of exploits and vulnerabilities against Movable Type, with none occurring so far in 2008. In that same time period, a total of 137 were reported for WordPress, with 44 total to date in 2008.

I did some additional checking in the NVD to see how Drupal and Joomla, two popular open-source content management platforms, fared in the same time period. The news wasn't great - Drupal had a reported 114 vulnerabilities, including some in various 3rd party modules, with 32 this year. Joomla has had 248 vulnerabilities reported, with 93 year-to-date.

This method of measuring security is far from completely scientific, as a single exploit could impact many different components - that's what appears to have happened with the SQL injection attacks against Joomla this year. And to the credit of their respective development communities, most exploits were patched quickly.

It also reminds me of the large number of exploits and subsequent patches for Windows, versus Mac and Linux/UNIX operating systems. Higher profile targets with greater market share will naturally attract attention from both hackers and white hat security experts.

So that bring us back to Movable Type. It's popular and high profile. So why does it have just a fraction of the security incidents of its peers?

In the same post, Dash makes the following points:

"We believe in making Movable Type secure out of our obligation to making the web better: Insecure web software can be a vector for spreading spam, viruses, and malware...When any issues have been found with Movable Type, they've typically been discovered through our own routine security audits, and fixed without ever having been exploited in the wild."

While security is just one of the factors in the decision around what platform to go with, this reinforces the need to keep your patches up to date and stay on top of security news, particularly if you're running you own installation of blogging/CMS software.

Update: Right around the same time this was posted, Movable Type released required security updates for versions 4.01b and 4.12. These patches resolve a recently discovered but not yet expolited vulnerability.

« Check Out The BlackBerry Javelin | Main | Mozilla Confirms TippingPoint's Cheap Shot (Whoops. I Meant Vulnerability Announcement) »