How does Drupal's security compare to Plone's? [closed]

Question

How does Drupal's security compare to Plone's?

Note:

It will be great if the comparison includes V.7 for Drupal and V.4 for Plone.

Thanks

Answer 1

There's a good overview of how Plone handles the top 10 security issues in the web app world here:

http://plone.org/products/plone/security/overview

Organizations like the FBI, CIA and European Network and Information Security Agency (ENISA) all use Plone, if that is an indication.

Plone has the best track record in security of any major CMS, and we take it very seriously. We have an architecture that is built around sandboxing, proper ACLs and a powerful security model.

Drupal has a pretty horrible security record (see the CVE numbers quoted in another comment), as do the other two major PHP-based frameworks (Wordpress and Joomla). Plone is Python-based, but you probably know that already.

Plone makes it easier to write secure add-ons, since we have a proper security model that makes it pretty hard to write code that is inherently insecure. This is different from any other system out there, and is another core differentiator.

(And yes, this answer is biased, I'm one of the founders ;)

Answer 2

The security of the main framework is pretty solid in both cases; the problems are almost always found in the add-on modules, so you need to evaluate each module you plan to use individually.