Any studies on the security of different CMSs?


Question

I like to post links to Secunia search results to demonstrate (in numbers) how insecure a certain CMS (or blogging software) is.

See: What are the downsides of Drupal?

But there was an interesting comment to this answer, by Eaton:

  It's also important to note that Secunia only publishes vulnerability reports that are explicitly announced. I've worked with other CMS packages that tuck important security fixes in minor releases with no announcements at all. Drupal has a 15 person secteam that reviews core and all 3500 addons and officially announces the security patches, no matter how minor, as a matter of policy.

Are there any studies or articles which take this into account when comparing Content Management Systems?

Answer

I have a small number of articles bookmarked (like this one by my coworker), but they're almost all by people defending their CMS of choice from accusations of poor security. (My own comment in your post included!) One of the difficulties is that I don't think anyone has ironed out what constitutes a 'reasonable comparison' -- everyone gets annoyed at a bad comparison, but wanders off before anyone can determine what a level playing field is.

A couple of things stand out that most "quick overviews" miss:

  • The security policy of the product's dev team
  • The presence of a specific person or team (depending on the project's size) responsible for security. Everyone on the project should care, obviously
  • Are there documented security best practices for third-party developers?
  • Comparison of vulnerabilities by type and severity

Perhaps this thread would be a good place to brainstorm what WOULD constitute a good comparison study?

Update - A colleague has had the opposite frustration with Secunia: inaccurate and erroneous reports filed by third parties against an OSS project. Secunia refuses to update or amend them, apparently. It's a useful service for announcements, but everything I hear makes me cringe at using them for comparison.
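The last bullet in the answer ("comparison of vulnerabilities by type and severity") and Eaton's point about silently shipped fixes are easier to see with a worked example. The script below is an added illustration, not code from the question, the answer, or any CMS project, and the advisory records in it are constructed sample data with placeholder product names (cms_a, cms_b), not real advisories for any product. It assumes CVSS v3.x qualitative severity bands and treats an "announced" flag as the distinction between an advisory that a search on a site like Secunia would count and a fix that shipped quietly in a minor release.

```python
"""Compare CMS advisory data by type and severity rather than by raw count.

Added example; the records are constructed sample data, not real advisories.
Severity bands follow the CVSS v3.x qualitative scale:
Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
"""
from collections import Counter, defaultdict

# Constructed sample: (product, component, vuln_type, cvss_score, announced).
# "announced" is False for fixes that shipped without an advisory; a database
# that only indexes announced advisories never sees those rows.
SAMPLE_ADVISORIES = [
    ("cms_a", "core",   "xss",         6.1, True),
    ("cms_a", "core",   "csrf",        4.3, True),
    ("cms_a", "plugin", "xss",         5.4, True),
    ("cms_a", "plugin", "sqli",        9.8, True),
    ("cms_a", "plugin", "xss",         6.1, True),
    ("cms_a", "core",   "info_leak",   3.1, True),
    ("cms_b", "core",   "rce",         9.8, False),
    ("cms_b", "core",   "sqli",        8.8, True),
    ("cms_b", "plugin", "auth_bypass", 9.1, False),
]


def severity_band(score):
    """Map a CVSS base score to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def _visible(records, announced_only):
    """Yield the rows an advisory-count comparison would actually see."""
    for row in records:
        if announced_only and not row[4]:
            continue
        yield row


def raw_counts(records, announced_only=True):
    """The single number a search-result link gives you: advisories per product."""
    counts = Counter(product for product, *_ in records)  # every product, even at 0
    counts.subtract(counts)
    for product, *_ in _visible(records, announced_only):
        counts[product] += 1
    return dict(counts)


def breakdown(records, announced_only=True):
    """Counts per product by (component, severity band) and by vulnerability type."""
    by_sev = defaultdict(Counter)
    by_type = defaultdict(Counter)
    for product, component, vtype, score, _ in _visible(records, announced_only):
        by_sev[product][(component, severity_band(score))] += 1
        by_type[product][vtype] += 1
    return ({p: dict(c) for p, c in by_sev.items()},
            {p: dict(c) for p, c in by_type.items()})


def serious_core_count(records, announced_only=True):
    """High or critical issues in core per product: closer to what an operator
    cares about than a flat count that is dominated by third-party add-ons."""
    result = {product: 0 for product, *_ in records}
    for product, component, _, score, _ in _visible(records, announced_only):
        if component == "core" and severity_band(score) in ("high", "critical"):
            result[product] += 1
    return result


if __name__ == "__main__":
    print("announced-only raw counts:", raw_counts(SAMPLE_ADVISORIES))
    print("all-fixes raw counts:     ", raw_counts(SAMPLE_ADVISORIES, announced_only=False))
    print("serious core, announced:  ", serious_core_count(SAMPLE_ADVISORIES))
    print("serious core, all fixes:  ", serious_core_count(SAMPLE_ADVISORIES, announced_only=False))
    by_sev, by_type = breakdown(SAMPLE_ADVISORIES, announced_only=False)
    for product in sorted(by_sev):
        print(product, "by severity:", by_sev[product], "by type:", by_type[product])
```

With the constructed data, the announced-only raw count ranks cms_a as the worse product (6 advisories against 1), while the per-component, per-severity view shows that all of cms_a's announced issues but one are medium or low and that cms_b's two most serious core issues never appeared as advisories at all. The same row-level schema (component, type, score, announced) is the minimum a fair comparison study would need to collect for each product.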
