Is free software like Drupal as secure as non-free software?


When considering which enterprise content management system to invest in, security is a key factor. As a critical piece of business infrastructure, your web platform will often integrate with commerce, resource planning, and other "back-office" systems. Keeping your data secure is not only a legal requirement, it is common sense for any business.

The relative security of free versus non-free software is a debate that will keep on running. As a free and open-source platform, how can Drupal be as secure as other non-free and proprietary systems?

1. Drupal = "Open Source". "Open Source" = more transparent, and more secure

Drupal is "Free Open Source Software" (FOSS). What does this mean for businesses?

The classic definition of Free Open Source Software looks like this:

  • Free as in beer - you don't pay for the software
  • Free as in liberty - you can copy, change, share and sell it on to others (including related services, but you must make the code available for free)
  • It's "Open" as in transparent, shared, anyone can inspect the "source code" and use it, as above

Enterprise software platforms such as SharePoint, Adobe Experience Manager, Sitecore and Kentico are "closed source". You aren't allowed to inspect or modify their code, so you can't improve or fix problems in the software yourself. They are supported by the organisation that created them, and you'll pay an annual licence fee for the privilege of using the software. They rely on a practice called "security through obscurity": the idea that if nobody can see how the software works, the bad guys can't find vulnerabilities in it.

With free open-source software such as Drupal, however, there is no licence fee to pay. Thousands of members of the open-source community contribute time and code for free to the project. Anyone is allowed to download, use and modify the code as they wish, and they rely on the "many eyes" principle of security: if anyone can see the code and modify it, they can also easily find and fix vulnerabilities.

Individuals and businesses that use open-source software but don't know how to modify it themselves will often make use of agencies like Versantus to configure and adapt this free software to make it more bespoke for their business. They get world-class software that is tuned for their business at a fraction of the commercial cost.

This low cost doesn't mean the software has lower standards. Thousands of large and small businesses around the world use Drupal and similar software to run their operations, and they rely on Drupal being fast, powerful, easy to use and - above all - extremely secure.

2. Drupal and other FOSS projects have dedicated, expert and open security teams that research, fix, and share their findings with the wider community for everyone's benefit

The "many eyes" principle of open-source software security is a great model that yields significant security improvements. On top of that, to make sure its free software is deemed secure enough to be used by the world's largest organisations, the Drupal Association runs a dedicated security team. They are responsible for finding and coordinating fixes for Drupal's "core" code and its "contributed" (or "contrib") plugins.

The Drupal security team tirelessly hunts for vulnerabilities that could affect users, and each week it communicates the fixes to the hundreds of thousands of agencies and businesses that rely on Drupal. Agencies like Versantus then review the fixes and upgrade customer sites where necessary to keep them secure (not all vulnerabilities affect all configurations).


What can you do to ensure that your website is secure, whether you use open source software or closed?

1. Keep your website software well maintained
All software needs to be maintained and regularly upgraded. If you're using proprietary software, you should continue to pay your annual licence fees and make sure you apply security patches as they're provided. For open-source software, ensure you or your agency are applying the free patches on a regular schedule.
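Applying patches on a schedule only works if you can tell which installed packages a weekly advisory actually affects. The script below is an added example (not Versantus' or Drupal's own code) of that check: it reads the `composer.lock` that a Drupal 8+ site uses to record installed versions and compares each listed package against the first fixed version named in an advisory. Both the lock file contents and the advisory list here are constructed for illustration, and the advisory identifiers are placeholders, not real Drupal advisory numbers.

```python
"""Flag packages in a Composer lock file that sit below a known-fixed version.

Added example, not Versantus' or Drupal's code. The lock file and the
advisory table below are constructed; real advisories come from the
Drupal security team's weekly announcements.
"""
import json
import re

# Constructed sample of the "packages" section of a Drupal site's composer.lock.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "9.4.0"},
        {"name": "drupal/webform", "version": "6.1.3"},
        {"name": "drupal/pathauto", "version": "8.x-1.11"},
    ]
})

# Constructed advisories: package -> (first fixed version, advisory id).
# The ids are placeholders standing in for real drupal.org advisory numbers.
ADVISORIES = {
    "drupal/core": ("9.4.3", "SA-CORE-PLACEHOLDER"),
    "drupal/webform": ("6.1.3", "SA-CONTRIB-PLACEHOLDER"),
}


def parse_version(version):
    """Turn '9.4.3', 'v9.4.3', '9.4.3-rc1' or legacy '8.x-1.2' into a comparable tuple.

    The tuple is (major, minor, patch, final) where final is 0 for a
    pre-release and 1 for a final release, so '9.4.3-rc1' < '9.4.3'.
    """
    version = version.lstrip("v")
    legacy = re.match(r"^\d+\.x-(.*)$", version)  # '8.x-1.2' contrib style
    if legacy:
        version = legacy.group(1)
    base, _, prerelease = version.partition("-")
    nums = [int(n) for n in re.findall(r"\d+", base)]
    nums += [0] * (3 - len(nums))  # pad so '9.4' compares equal to '9.4.0'
    return tuple(nums[:3]) + ((0,) if prerelease else (1,))


def find_vulnerable(lock_json, advisories):
    """Return (package, installed, fixed_in, advisory) for every package below the fix."""
    lock = json.loads(lock_json)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg["name"]
        if name not in advisories:
            continue
        fixed_in, advisory = advisories[name]
        if parse_version(pkg["version"]) < parse_version(fixed_in):
            findings.append((name, pkg["version"], fixed_in, advisory))
    return findings


def main():
    findings = find_vulnerable(SAMPLE_LOCK, ADVISORIES)
    for name, installed, fixed_in, advisory in findings:
        print(f"{name}: installed {installed}, fixed in {fixed_in} ({advisory})")
    if not findings:
        print("No packages below a known-fixed version.")


if __name__ == "__main__":
    main()
```

On a real site you would read the actual `composer.lock` from disk and feed the advisory table from the security team's published advisories; the Drush `pm:security` command and Composer's `audit` command perform this comparison against live advisory data. Note the caveat the article itself raises: a package being below the fixed version tells you an upgrade is due, not that your particular configuration is exploitable.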

2. Choose a secure hosting environment
Not all web hosting is created equal, and a secure website counts for nothing if the platform it resides on is susceptible to attack. If you're not sure what you're doing, choose a managed web hosting service that deals with backups and security for you, and is backed by a strong Service Level Agreement.

3. Keep your passwords secure, and enable two-factor authentication
Install a password manager like 1Password or LastPass and use unique passwords on every site, including your website. Enable the two-factor authentication option on your website and server.


If you want to know more about how Versantus can keep your Drupal website secure, fast and delivering your business goals, contact our specialists today.