This week two things hit my inbox that grabbed my attention immediately. The first was the very informative ‘Hacked Website Report 2017’ from Sucuri and the second was a humorous post on LinkedIn about the learning curve associated with Drupal, which included the phrase ‘poor old Drupal’. In isolation these were easy to deal with, but what leapt out at me was the clear link between the two, and that is what prompted this short article.
Hacked Website Report
The report is based on analysis of over 34,000 infected websites during 2017. It is part of the sequence of reports Sucuri have been running. It clearly shows that, of the top CMS systems in the world in 2017, Drupal installations are far less likely to be hacked than the major alternatives.
Whilst the software architecture and coding of the products play a part, the report rightly highlights that the major issues are in the installation, configuration and maintenance of these complex systems.
As a Drupal advocate, I could take this as the vindication of my advocacy and share it amongst my colleagues and customers. What the report doesn’t look into, however, is why, on average, Drupal appears to be better installed, configured and maintained than its competition. I pondered this until the second item arrived.
The Drupal Learning Curve
This is the diagram showing the humorous ‘learning curve’ for popular CMS tools - poor old Drupal.
Having worked with Drupal for some time it made me smile because, like all good jokes, there’s an element of truth in it. The ridiculous learning curve for Drupal depicted in the diagram shows all sorts of hazards with weary climbers falling to certain death, giving up or even ending it all. Funny, yes, but as someone with a technical grasp of web technology going back over 25 years it is certainly not the experience I had. Was that because I took the skills and experience I had into the process? I think it was.
With both items in mind I started thinking about the interactions I have had with others in the Drupal community. It was clear to me that the overwhelming majority were very strong technologists with a great deal of experience and focus in their fields.
I compared that to the interactions I’d had with people using some of the other tools and discovered that none of them were technologists! Some were marketeers, some graphic designers, some at agencies and some business owners. Yet these were the people who were installing, configuring and administering these complex software systems. The individuals were all resourceful enough to complete the basic task, but none had the skills and experience to do it safely. Whilst I’m sure there were plenty of people with the right skills available for those systems, the individuals I encountered chose not to call on them because they’d bought into the idea that this was ‘easy’.
My point here is that it doesn’t matter how ‘easy’ something is to do when security is at stake. I know what a knife is, I can use one, I can throw one, but don’t let me tie you to a rotating wheel and throw them at you, even if I have shown you a fancy slide deck that says I’m great at it!
Things that are a little harder act as natural filters so that those doing them tend to have more skill and experience. So Drupal is a great choice for web security not just because of the system, but also because of the skills and experience of the people around it.