
3 Comments


 

@Shanna517

Vulnerabilities are discovered either by users or by security researchers who are looking to make a name for themselves. The correlation between the number of users and the number of vulnerabilities found is only a part of the whole equation. Most vulnerabilities are discovered by security professionals or hackers. For them, WordPress is the most lucrative "prize", which can explain the numbers.

What this also means is:

A. Despite the immediate reaction to these statistics, WP is more secure than it looks, because discovered vulnerabilities are often patched.

B. Malicious hackers will not publicize the exploits they use, at least not until they have had some "fun". For example, the recent Plesk vulnerability was announced in June, but here at Incapsula we've been blocking such attacks since February (by generic rules). In this respect, Plone might be much less secure than it looks...

C. If you are using a popular CMS, which gets a lot of attention, you should always keep it up-to-date, because there are a lot of people who'll use automation to "fish" for newly discovered vulnerabilities. A good example here is TimThumb. Though discovered back in 2011, we still see a LOT of TimThumb scanners roaming around the net, and one can only assume that they keep doing it because they keep discovering new targets.



 

@Gail5422790

Generally: Not being able to see or find something does not imply that it does not exist.

As Michael said in his answer, popularity is of course a great factor. This applies not only to the CMSs themselves, but also to the stack they are built on. Joomla!, Drupal and WordPress are by far the most used CMSs on the market, and are built on PHP, by far the most used language for web applications, while Plone is used by less than .1% of the sites (according to w3tech), and is built on Python.

The next factor is the version of the CMS for which vulnerabilities are reported. Very often, the issues concern outdated versions, which are no longer supported.

Another factor is the location of the vulnerabilities. Are they located in the core CMS or in extensions? The more extensions a CMS has, the more issues will be counted for the CMS as a whole.


Drupal has about 7000 extensions for current versions (7 or 8). Together with extensions for outdated versions, there are 23,000 extensions on the listing.[1]
WordPress states that it has about 26,000 extensions[2]. Because of WordPress' policy, it should be possible to use the extensions with all versions.
Joomla! has about 7000 extensions for the current versions (2.5, 3.1)[3]. Numbers for extensions for outdated versions are not available, but it is safe to calculate with 15,000 of them.
Plone lists about 180 extensions for the current version, plus about 2,000 for older versions[4].


Let's say there is one security issue per 1000 extensions per year. Then, for current versions, you'd expect this vulnerability distribution for the last year:

Drupal 7
WordPress 26
Joomla! 7
Plone 0


which pretty much matches the last column of the screenshot you posted. The number for Drupal is much higher, though. That might be caused by the fact that you have to redo everything from scratch for a new version, so old failures are also redone.

Sources:
[1] Drupal Modules
[2] WordPress Plugins
[3] Joomla Extension Directory
[4] Plone Products



 

@Sarah324

The only thing you can be sure of is that there is no software of this kind without some vulnerabilities. A CMS, even a simple one, is too complex to be free of any problems, bugs or weak spots.

What you can actually read from the list you have linked is that no vulnerabilities have been reported. This does not mean there aren't any. It can be assumed that the more popular a CMS is, the greater the frequency of attacks it suffers. But attacking means discovering security holes, so the popularity of a CMS will be correlated with the number of discovered bugs.


