How does Drupal's security compare to Plone's? [closed] - drupal

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 9 years ago.
How does Drupal's security compare to Plone's?
Note:
It would be great if the comparison included version 7 of Drupal and version 4 of Plone.
Thanks

There's a good overview of how Plone handles the top 10 security issues in the web app world here:
http://plone.org/products/plone/security/overview
Organizations like the FBI, CIA and European Network and Information Security Agency (ENISA) all use Plone, if that is an indication.
Plone has the best track record in security of any major CMS, and we take it very seriously. We have an architecture that is built around sandboxing, proper ACLs and a powerful security model.
Drupal has a pretty horrible security record (see the CVE numbers quoted in another comment), as do the other two major PHP-based frameworks (WordPress and Joomla). Plone is Python-based, but you probably know that already.
Plone makes it easier to write secure add-ons, since we have a proper security model that makes it pretty hard to write code that is inherently insecure. This is different from any other system out there, and is another core differentiator.
(And yes, this answer is biased, I'm one of the founders ;)

The security of the main framework is pretty solid in both cases; the problems are almost always found in the add-on modules, so you need to evaluate each module you plan to use individually.

When searching the official CVE (Common Vulnerabilities and Exposures) database, you get the following figures:
Last 3 years: Plone 8, Drupal 282.
Last 3 months: Plone 0, Drupal 9.
The basic architecture of Plone is apparently much more secure. I don't know Drupal, actually, but I do know Plone. There are no SQL injection bugs, as there's a non-SQL object database behind it. It is a long-running Python program, basically, instead of PHP scripts, which makes it easier to have a good, solid security mechanism that's harder to break or mishandle.
(Note: I just did a simple keyword search at http://web.nvd.nist.gov/view/vuln/search . Not all the results I see for Drupal can be attributed to Drupal; there seem to be some OS-level vulnerabilities that somehow show up in the search results.)

It's difficult to compare Plone and Drupal on equal metrics. CVE counts are not the end-all comparison, and it's arguable how valuable they even are as an indication of the relative security of the software. Of those 282 Drupal CVEs, how many were for Drupal core? Not 282.
limi can argue that the architecture is more secure, and point to Plone's response to the OWASP Top Ten. Drupal can do the same. And the "who uses it" argument? Well, whitehouse.gov uses Drupal, as well as a large number of other governmental and "enterprise" organizations.
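Added example, not part of any answer in this thread: a small Python script that reproduces the keyword-count method used above against constructed sample records, and splits each hit into core, add-on and mere mention, which is the distinction the reply above raises about the 282 figure and the OS-level hits noted earlier. The CVE ids, products, summaries and dates are placeholders, and the core/add-on rule is an assumed heuristic, not NVD's own taxonomy.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample records, shaped like a simplified NVD keyword-search hit:
# a placeholder id (not a real CVE), the affected product as listed, a one-line
# summary, and the publication date.
SAMPLE_HITS = [
    {"id": "CVE-0000-0001", "product": "drupal", "summary": "XSS in core admin form", "published": date(2011, 5, 2)},
    {"id": "CVE-0000-0002", "product": "drupal views module", "summary": "SQL injection in contributed module", "published": date(2011, 4, 9)},
    {"id": "CVE-0000-0003", "product": "some-linux-distro package", "summary": "Packaging bug mentioning drupal", "published": date(2010, 8, 20)},
    {"id": "CVE-0000-0004", "product": "drupal", "summary": "Access bypass in core node module", "published": date(2009, 1, 15)},
    {"id": "CVE-0000-0005", "product": "plone", "summary": "Privilege escalation in Plone", "published": date(2010, 11, 3)},
    {"id": "CVE-0000-0006", "product": "drupal cck module", "summary": "XSS in contributed module", "published": date(2011, 5, 20)},
]

# Constructed reference date for the "last N years/months" windows.
REFERENCE_DATE = date(2011, 6, 1)


def classify_hit(hit, keyword):
    """Assumed heuristic: a product equal to the keyword is core; a product that
    starts with the keyword names an add-on; anything else only mentions it."""
    product = hit["product"].lower()
    if product == keyword:
        return "core"
    if product.startswith(keyword + " "):
        return "addon"
    return "mention"


def matches(hit, keyword):
    """Mimic a plain keyword search: the term may occur in product or summary."""
    return keyword in hit["product"].lower() or keyword in hit["summary"].lower()


def tally(hits, keyword, since, until):
    """Count keyword hits published in [since, until], split by classification."""
    counts = Counter({"core": 0, "addon": 0, "mention": 0})
    for hit in hits:
        if matches(hit, keyword) and since <= hit["published"] <= until:
            counts[classify_hit(hit, keyword)] += 1
    return dict(counts)


def report(hits, keyword, today=REFERENCE_DATE):
    """The '3 years' and '3 months' windows from the answer, split by class."""
    return {
        "last_3_years": tally(hits, keyword, today - timedelta(days=3 * 365), today),
        "last_3_months": tally(hits, keyword, today - timedelta(days=90), today),
    }


if __name__ == "__main__":
    for kw in ("drupal", "plone"):
        print(kw, report(SAMPLE_HITS, kw))
```

Only the "core" bucket is comparable to a framework's own record; "mention" hits are the OS-level noise a raw keyword search drags in.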

There are several orders of magnitude more developers using Drupal; the higher numbers of vulnerabilities found can just as easily be attributed to more people bothering to look for them. These stats could easily be security by obscurity.

Related

Blogging Software - Wordpress vs BlogEngine.NET vs Anything else [closed]

Closed 10 years ago.
Basically I need to choose one so that I can get familiar with it quickly and then customize it to my needs.
I'm a .NET developer and know classic ASP too. But I think understanding PHP will not be a problem for me, and I also think that it won't be that difficult.
What would you recommend?
UPDATE:
Sorry that I'm adding this info late.
Right now I don't know what customization I will be doing. But I'm sure going forward I will have my own requirements and will need to customize. So I don't want to be in a situation where I will have to say "This engine which I'm using will not allow me XYZ change, or it will be too difficult for me to make XYZ change in this blogging software, so let's migrate to something else."
I would prefer a short learning curve.
WordPress is nice, but if you're a .NET developer BlogEngine.NET is extremely easy to extend. The drawback is the much smaller community and resources, but if you're wanting to do some real customization and tweaking, BlogEngine will probably fit your tastes much better. There is a decent development community backing and supporting customization and plugins for BlogEngine, but you'll find that a lot of the information is outdated or maintenance has been forgotten.
If you're wanting something with tons of community widgets, plug-ins and tons of themes, WordPress is your prime choice without question. But that's if you're going with the canned solutions. There are a lot of them, and you can still customize them and tweak things, but that's dependent on how comfortable you feel about picking up a new paradigm. WordPress customization isn't so much PHP development as it is WordPress development, since you'll be so deep in WordPress' own world and API.
Both are available in MS's Web Platform Installer; check them out on your box and play around with them some. It's really going to come down to which one you feel just fits. I've used both for different projects, but I've fallen back on doing my own thing with BlogEngine more than WordPress. But that's for my own personal stuff.
If you know .NET and C#, facing PHP and MySQL is going to feel like you went back to the 19th century and have to burn coal in your "car" instead of tanking your beamer at a local gas station :-)
One particularly interesting thing about BlogEngine.NET is that out of the box it will run without SQL Server, just with XML files as storage. If you know your programming I don't have to tell you what kind of flexibility that provides. Not that I'd recommend actually running a web site for a long time without SQL Server, but such dual backing opens some very interesting options.
Should I mention that it comes with Visual Studio sln and proj files? :-) That pretty much means zero learning curve.
Go with WordPress. It's easily customisable, and there's masses and masses of information on customising it.
Digging into WordPress
WordPress docs
Thematic - a WordPress theme designed to be easily customisable/extensible.

Advantages and disadvantages of coding your own blog engine versus using wordpress or similar [closed]

Closed 10 years ago.
What are the advantages and disadvantages of coding your own blogging engine from scratch, versus using an already existing engine (for example, but not necessarily, WordPress)?
The biggest reason for going with developed blogging applications today is probably interoperability. Seasoned blogging applications of today include plug-ins and fundamental development inertia that ensures that you will interface well with things like Twitter, Flickr, and social networking sites. Only a spectacular developer (with a lot of time) would be able to custom code a solution for all the APIs and other bells and whistles that, in the course of a blog's lifetime, they will want to use or at least experiment with. To build a custom blogging application is to make its default state a basically isolated one. And isolation for many blogs doesn't work.
The biggest plus for using a custom blogging application anyway is that you retain a high degree of control over the application's core behavior, and, since you will likely host it on your own server, direct access to its statistical metrics. If you know well ahead of time that you will not care about interoperability beyond, say, RSS, or one or two other channels, and have the time to invest in core development, a custom blog is a great way to maintain a look and feel that will positively startle visitors who are used to a constant WordPress or Blogspot layout. One major pitfall, it seems, is that off-the-shelf blogging applications require you to learn how to manipulate each of their various presentations. It's not hard if you want to simply adopt any of the thousands of "themes" that typically exist for them, but then your presentation will not be unique. Sooner or later a visitor to your blog will encounter the same look and feel elsewhere, exactly. The solution there is to hire a custom developer, but that of course costs $$$. Even if YOU are that developer, you will wind up trading coding-for-core-functionality time for learning and coding for presentational individuality. Expensive either way.
I am struggling with this question myself. As a proponent of "everything independent" on the web I hate the idea of giving up low-level control of my blog. I've been online since the consumer web first took off and understand the ease with which a website can be created using nothing but Notepad and an FTP client. To me, anything beyond these basic tools is very "AOLish", and yet many blogging applications have now evolved into full content management frameworks that would rival the complexity of mastering that which it once took just to figure out basic HTML. I've finally taken to in-depth experimentation with some of the more popular blogging solutions (WordPress, Blogger), and am shocked to find out, after spending so much time maintaining my own solutions, how quick (and much better) it is to compose and manage entries with them. Since most of my blogs are not profit projects, time to compose has not been a factor for me. However, this may change. If it comes down to where I need to manage and concern myself more with content than mechanics to get my messages out, I will probably swing to seasoned blogging app mode and hope I learn enough about my platform to make it truly a unique experience anyway. That would probably be the best outcome for anyone like us debating this.
Dave
I just set up my own blog and I had to answer this same question myself. Here are the main reasons I went with BlogEngine.NET:
Coding the entire thing myself would have taken a long time
I saw that there were a lot of themes available (and that making/modifying themes is easy)
Why reinvent the wheel? (would you write something that the public engines don't already do?)
Advantages of writing your own
It's fun
You might learn new programming tricks or techniques
Using software you wrote is more satisfying than using someone else's
It will be exactly as you want it
Disadvantages
It takes time
Security risks. A high-profile open source engine such as WordPress is less likely to have security vulnerabilities than your own, especially if you don't have experience in web development. (However, there are many high-profile programs full of vulnerabilities, such as the widely used Internet Explorer, so take this with a grain of salt.)
Features. WordPress/others will probably have more features (even though some people don't like software with too many features)
You must keep improving your engine over time. If you stop but decide to keep blogging, you will probably want to move to WordPress, especially if some features you really want aren't implemented yet in yours. This can be problematic, especially if you didn't plan export features.
Actually I went through this path.
For fun and learning reasons I coded my own little content-management system which I used for rudimentary blogging. It had quite static content (no comments were allowed) but it was enough for me. One year later I decided to switch to WordPress and am really happy with it.
Today I would change my approach and would go for WordPress instantly.
Reasons from product perspective:
You won't be able to feature-compete with WordPress (including plugins)
You won't be able to have as stable and secure an app as WordPress
Responsive community (both documentation and patches)
Continuous releases
Reasons from learning perspective:
You learn a lot by understanding and reading others' source code.
You can make the product better instead of reinventing the wheel (by providing own plugins or bug-fixes).
It is a far more realistic job setup: you hardly ever build apps from scratch, but rather extend, integrate and maintain them. Also, you work in a team.
Nowadays I would start to build 'from-scratch' software only if:
There is no software which can suit you or which you can extend to your needs.
You need custom software for business reasons (e.g. you are a startup with fresh ideas)
Building new software is cheaper than maintaining/extending an existing one

How many public high traffic websites are built with ASP.NET? [closed]

Closed 10 years ago.
This is really a 2-part question. First of all, I just wanted to know how common ASP.NET is in the real world?
Secondly, I just want to know what the real-world scenarios are regarding scaling an ASP.NET site. http://highscalability.com/ almost never talks about the ASP.NET stack. Does anyone have any article that talks about how to scale an ASP.NET app?
Thanks.
I don't have numbers, but based on the number of .NET questions on SO I'd say it's pretty common. For your second question see http://highscalability.com/plentyoffish-architecture
MySpace uses ASP.NET (source). A lot of big sites do. I would ignore the Plenty of Fish example though. From my recollection of stories I've read about it, they're just using HttpHandlers for output, skipping the Webforms stuff altogether. You could probably get Webforms to scale though if you absolutely had to. Most popular frameworks can handle high load, it just depends on the code and who's writing it. Anyone can program a site in any framework that won't scale but not vice versa.
As for how to scale, the biggest thing is caching, caching, caching. All big sites cache extensively. Facebook has thousands of servers just for caching. That's just a start though.
Yes asp.net is used in the real world. I have been following how Stackoverflow has been created since I first heard about it over a year ago and have taken away a lot of lessons. Following how stackoverflow will scale in future as their demand grows is pretty interesting and they are making a lot of their information public. Plus the podcasts are hilarious :)
It's hard to say how widespread ASP.NET is in the world, but I think it is very widespread compared to PHP, Java and other server technologies. And I'm convinced that ASP.NET is as scalable as anything else you'll try.
If you want a starting point to read about ASP.NET performance, you could take a look at chapter 6 of the P&P book "Improving .NET Application Performance and Scalability". It's from 2004 so it might be a little outdated.
To give a couple of examples of high-traffic sites running ASP.NET, you just have to look at http://www.microsoft.com/ or https://stackoverflow.com/. If your site is smaller than these (and it probably is), scalability won't be your biggest concern. You should probably be more concerned about writing maintainable code.
Plenty of Fish, with about 1.2 billion pageviews/month
Over 9000.
Realistically, I've run into many high-traffic websites, StackOverflow for example, that use ASP.NET.
One thing that is useful for high scalability is the ability to add more servers if needed and still be able to maintain your current session using various ASP.NET session state technologies.

Distributed Cache/Session where should I turn? [closed]

Closed 10 years ago.
I am currently looking at a distributed cache solution.
If money was not an issue, which would you recommend?
www.scaleoutsoftware.com
ncache
memcacheddotnet
MS Velocity
Out of your selection I've only ever attempted to use memcached, and even then it wasn't the C#/.NET libraries.
However, memcached technology is fairly well proven; just look at the sites that use it:
...The system is used by several very large, well-known sites including YouTube, LiveJournal, Slashdot, Wikipedia, SourceForge, ShowClix, GameFAQs, Facebook, Digg, Twitter, Fotolog, BoardGameGeek, NYTimes.com, deviantART, Jamendo, Kayak, VxV, ThePirateBay and Netlog.
I don't really see a reason to look at the other solutions.
Good Luck,
Brian G.
One thing that people typically forget when evaluating solutions is dedicated support.
If you go with memcached then you'll get none, because you're using completely open source software that is not backed by any vendor. Yes, the core platform is well tested by virtue of age, but the C# client libraries are probably much less so. And yes, you'll probably get some help on forums and the like, but there is no guarantee responses will be fast, and no guarantee you'll get any responses at all.
I don't know what the support for NCache or the ScaleOut cache is like, but it's something that's worth finding out before choosing them. I've dealt with many companies for support over the last few years, and the support is often outsourced to people who don't even work at the company (with no chance of getting to the people who do), and this means no chance of getting quality or timely support. On the other hand, I've also dealt with companies who'll escalate serious issues to the right people, fix important issues very fast, and ship you a personal patch.
One of those companies is Microsoft, which is one of the reasons that we use their software as our platform. If you have a production issue, then you can rely on their support. So my inclination would be to go with Velocity largely on this basis.
Possibly the most important thing though, whichever cache you choose, is to abstract it behind your own interface (e.g. ICache), which will allow you to evaluate a number of them without holding up the rest of the development process. This means that even if your initial decision turns out not to work for you, you can switch it without breaking much of the application.
(Note: I'm assuming here that all caches have sufficient features to support what you need from them, and that all caches have sufficient and broadly similar performance. This may not be a valid assumption, in which case you'll need to provide more detail in your question as to why it isn't).
You could also add Oracle Coherence to your list. It has both .NET and Java APIs.
From Microsoft: AppFabric
Commercial: NCache
Open source: Riak
We tried a couple; in the end we use the SQL session provider for ASP.NET/MVC. Yes, there is the overhead of the connection to the DB, but our DB server is very fast and the web farm has loads of capacity, so it's not an issue.
Very interested in Riak; it has a .NET client and is used by Yahoo, and can be scaled to many, many servers.

ASP.NET version of Joomla [closed]

Closed 10 years ago.
Has anyone ever found/used an ASP.NET application similar to Joomla?
I need to set up a quick and dirty CMS on a Windows Server and our client doesn't want us to use something else than ASP.NET.
I've been told by a friend that Umbraco is everything you would ever want in a CMS (and it was in the list that Nathan included in his answer). This recommendation is coming from a guy who's built several CMS solutions over the years and after taking a brief look at it, I think I'm going to try to push my clients towards using it over their current solutions.
DotNetNuke is quick to set up and get running. It is the best ASP.NET CMS that I have used.
It comes with many modules, and can be extended with numerous commercial and free 3rd party modules.
It is very easy to change the look of a DNN site by simply changing the assigned skin, and many 3rd party skins are available as well.
Warbeats.com runs on DNN, and handles quite a bit of traffic.
Community Server is a very well built CMS for ASP.NET, a free version is available.
Graffiti is Telligent's CMS (makers of the previously mentioned Community Server) and may be more appropriate depending on your requirements.
There are also many CMS projects on Codeplex.
I tried Graffiti and DotNetNuke and thought both were troublesome, then I tried Umbraco based on a recommendation from a friend and I love it! So much that I recommended it to Kooshmoose... I should also note that dasBlog is not a CMS, it's just blog software (which I use on my personal site and love, but it's not a CMS...)
Did you look at DotNetNuke (http://www.dotnetnuke.com/)? It seems to be a good system to start off with as a base, but I doubt I could call it a full CMS (up to the users to decide).
MojoPortal might be worth a look. Other than that, the list linked to by Nathan is well worth looking into.
Umbraco gets my vote as a good CMS that comes close to Joomla in maturity and out-of-the-box functionality. I'm not that fond of DNN, but it's been at least a year since I ran it through its paces.
See also Oxite. It's an ASP.NET MVC blog engine that you can use for a CMS.
If the concern isn't really about the ASP.Net language but about keeping a Windows server, you can use Joomla on IIS.
You can also check the list of CMSs on Microsoft's Web Platform.