We often get asked the question whether Drupal is as secure as competing proprietary content management systems.

Drupal actually has a very good track record in terms of security, and has an organized process for investigating, verifying, and publishing possible security problems. It is the CMS chosen, purely on security grounds, by some of the largest companies, such as CNN (who I worked with), Zynga, PayPal, Twitter, and more.

Drupal has a strict set of requirements that a contributed module must meet before it is posted on Drupal.org. New contributors go through a well-documented process to become trusted contributors. The Drupal security team also collaborates constantly with core contributors to address reported security issues. The security team, together with the community, keeps all contributors under constant scrutiny to ensure the quality of the code.

Another common question we hear is: “How does Drupal address common security threats?”

Common issues like SQL injection, XSS, CSRF, session hijacking, and other known threats are all well-addressed in Drupal. Drupal core is engineered carefully with security in mind to avoid these kinds of flaws.
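To make that concrete, here is an added illustration (not code from the original post) of how a Drupal 7 contributed module uses core APIs to avoid the first three issues above: a vulnerable pattern next to its hardened form. It assumes the Drupal 7 API (db_query(), db_delete(), check_plain(), drupal_get_token(), drupal_valid_token()) and a hypothetical module and table both named example_notes.

```php
<?php
// Added illustration, not from the original post. Assumes the Drupal 7 API and a
// hypothetical table "example_notes" with columns nid and body.

// Vulnerable pattern: request data concatenated straight into SQL and echoed raw.
function example_notes_insecure($nid) {
  $sql = "SELECT body FROM {example_notes} WHERE nid = " . $nid;  // SQL injection
  $body = db_query($sql)->fetchField();
  return '<div class="note">' . $body . '</div>';                  // XSS on output
}

// Hardened pattern: a placeholder keeps the data out of the query structure,
// and check_plain() escapes the value before it reaches the page.
function example_notes_secure($nid) {
  $body = db_query(
    'SELECT body FROM {example_notes} WHERE nid = :nid',
    array(':nid' => (int) $nid)
  )->fetchField();
  return '<div class="note">' . check_plain($body) . '</div>';
}

// CSRF: the Form API adds and validates a per-session form token on its own.
// A state-changing link outside a form must carry and verify a token explicitly.
function example_notes_delete_link($nid) {
  $nid = (int) $nid;
  return url('example/notes/' . $nid . '/delete', array(
    'query' => array('token' => drupal_get_token('example_notes_delete_' . $nid)),
  ));
}

function example_notes_delete_page($nid) {
  $nid = (int) $nid;
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], 'example_notes_delete_' . $nid)) {
    return MENU_ACCESS_DENIED;  // forged or missing token: refuse the action
  }
  db_delete('example_notes')->condition('nid', $nid)->execute();
  drupal_set_message(t('Note deleted.'));
  drupal_goto('example/notes');
}
```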

When we talk about government sites, Drupal is always at the center, as 24% of all .gov sites in the United States are powered by Drupal. Drupal powers more than 150 sites for the federal government, including the White House; the House of Representatives; NASA; and the departments of Education, Energy, Commerce, Health, Defense, Justice, Transportation, Homeland Security and Agriculture.

Open source platforms like Drupal aren’t often thought of as secure solutions, but we’ve come a long way in overcoming that myth considering the enterprises and government institutions that trust it every day.