Whitehouse Drupal and The Open Source Security Model

Sunday, October 25, 2009

Have you heard the news? The Whitehouse has decided to go open source. They have decided to switch from their own proprietary in-house CMS to Drupal. You heard me right, Drupal. The same Drupal with 12 pages of vulnerabilities at OSVDB since its inception. I’m sure this made the Open Source community jump for joy, but I see this as a big mistake if you take it at face value, and I’ll get back to that in a minute.

According to Dries Buytaert, “…this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software…” This is a complete fallacy. More than that, it’s dangerous that non-security people are touting their knowledge of security as if it were fact. Look, if you were talking about vulnerabilities per line of code or something similar, I might get on board with that statement, but that’s just not how the real world works. There is one very massive difference between open source and proprietary applications: I can pen-test Drupal all day long without sending a single packet to Whitehouse.gov. Further, if I’m a foreign government, I can hire a small army of pen-testers for pennies on the dollar who can try every single attack known to man against every known Drupal configuration without setting off a single IDS alert at the Whitehouse SOC.

Now, like I said, I see this as a huge mistake, but only if you take it at face value. That means that if the Whitehouse is installing the same Drupal that you yourself could download and run on your own machine, with no tweaks or changes whatsoever, then yes, that’s just foolish. But there’s almost no way that’s true. Like ha.ckers.org, they most likely chopped it up, removed all the unnecessary functionality, stripped it down to bare bones, locked the server up so tight it would be impossible to even upgrade it without an act of Congress, and on and on… And if you think they’re going to blindly upgrade with every new update that Drupal.org puts out, well, I have an EV cert I’d like to sell you. And how is a locked-down, highly customized variant of Drupal different from a proprietary solution? So don’t jump for joy too quickly: this is either a marketing ploy or it’s going to end badly for National Security. Either way.
