As an open source project, Drupal has the benefit of ongoing scrutiny, maintenance, and input from developers around the world, as well as a team of security experts who constantly collaborate to address and release security fixes.
With over 1,000,000 developers worldwide contributing (including a large ecosystem of professional service providers), the result is one of the most secure and stable platforms on the market.
Drupal is resilient to critical Internet vulnerabilities, as demonstrated by the Security Team's 15+ year proven track record of identifying and mitigating potential vulnerabilities. Many security issues are completely prevented by Drupal's strong coding standards and strict community code review process.
As a result, mission-critical sites and applications are choosing Drupal after testing its security against the most stringent standards. Banks, governments, public administration and the healthcare sector are the fastest-growing sectors adopting Drupal, primarily because of its stringent security practices.
Recently, the European Commission began funding Drupal as an investment in its entities.
Drupal security ensures:
- User access control.
- Database encryption.
- Information exchange through security reports.
- Automatic core update and validation in partnership with GitHub.
- Preventing malicious data entry.
- Mitigation of denial of service (DoS) attacks.
- Patching problems before they are detected.
Some questions users frequently ask are:
Is open source software safe?
Open source software is, in general, equally or more secure than proprietary software, whose source code is strictly protected and whose visibility is highly restricted.
How does Drupal address common security vulnerabilities?
The Drupal API and default configuration are designed to be safe when used in their default modes. Issues like code injection, cross-site scripting, session management, cross-site request forgery, and others all have standard solutions in the Drupal API.
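As an added illustration of the previous paragraph (example code, not from the page or the Drupal project), here is a controller in a hypothetical custom module `example_safe` that handles untrusted request input the way the Drupal API intends. It assumes a Drupal 9/10 site; the module, class and route names are illustrative, and the column and table referenced are the ones Drupal core uses for user names.

```php
<?php

// Added example, not code from the page or from the Drupal project.
// Hypothetical module "example_safe"; assumes Drupal 9/10 and a routing.yml
// entry that maps a path to SafeOutputController::greet (not shown).

namespace Drupal\example_safe\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Database\Connection;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\Request;

class SafeOutputController extends ControllerBase {

  public function __construct(protected Connection $database) {}

  public static function create(ContainerInterface $container): static {
    // Dependency injection instead of the \Drupal::database() static call.
    return new static($container->get('database'));
  }

  public function greet(Request $request): array {
    // Both values come straight from the query string and are untrusted.
    $name = (string) $request->query->get('name', '');
    $uid = (string) $request->query->get('uid', '0');

    // Code injection (SQL): the value is passed as a named placeholder, so the
    // database layer quotes it and it can never alter the statement. {table}
    // is rewritten with the site's table prefix. The vulnerable counterpart
    // would interpolate $uid directly into the SQL string.
    $stored = $this->database->query(
      'SELECT name FROM {users_field_data} WHERE uid = :uid',
      [':uid' => $uid]
    )->fetchField();

    // The query builder reaches the same result and also uses placeholders.
    $count = $this->database->select('users_field_data', 'u')
      ->condition('u.name', $name)
      ->countQuery()
      ->execute()
      ->fetchField();

    // Cross-site scripting: output goes through the render system. A
    // translated string with an @ placeholder HTML-escapes the substituted
    // value, and '#plain_text' escapes the whole string. Concatenating $name
    // into raw HTML would bypass both.
    return [
      'greeting' => [
        '#markup' => $this->t('Hello @name, you looked up uid @uid.', [
          '@name' => $name,
          '@uid' => $uid,
        ]),
      ],
      'stored' => ['#plain_text' => $stored === FALSE ? '' : (string) $stored],
      'count' => ['#plain_text' => (string) $count],
    ];
  }

}
```

Cross-site request forgery needs no code here: forms built on the Form API (classes extending `FormBase`) carry a token that Drupal validates on submission, and a non-form route can require one by setting `_csrf_token: 'TRUE'` in its routing requirements. Session handling is likewise left to core's session manager rather than reimplemented in module code.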
Why does Drupal have more (or fewer) security advisories than other projects?
Unlike many projects that are owned by companies with commercial reputations, community-driven open source projects like Drupal have no incentive to hide security vulnerabilities, or even potential vulnerabilities.
A security advisory indicates both that a potential problem was discovered and that it has now been resolved. It is extremely rare for such a hole to be exploited before the fix is announced in a security team advisory. The most important protection is therefore to keep Drupal updated whenever a security advisory is issued for Drupal core or for contributed code in use.
On active sites, what vulnerabilities have been found?
Professional security audits of Drupal sites have generally found that the vast majority of security holes (90% or more) are in custom themes or modules written by the site's own developers, since that code did not receive the public scrutiny that all code on drupal.org receives.
Additionally, server-level issues (such as the use of insecure protocols like FTP) are more likely to be the means of a successful attack than a vulnerability in Drupal, especially in the Drupal core.
Anyone using Drupal should subscribe to the security mailing list (by editing their account profile) to be automatically kept up to date with the latest security notifications.