
BLU Discuss list archive



CMS Security



On Thu, Dec 31, 2009 at 06:58:44AM -0800, KyleL wrote:
> 
> Hi everyone, I have a question about CMS websites.
> 
> My boss has asked me to create a website for a payroll company and I am not
> about to design it from scratch so I thought my best bet would be to do it
> through a CMS such as joomla or drupal.
> 
> My biggest concern is security.  As this is a payroll company, there will be
> bank information and a lot of money handling, so security and functionality
> are the two most important subjects that I want to focus on.

Is this an internal-only site, a shiny catalog-of-services site,
or are you actually implementing a front-end to what is,
essentially, a bank? The three sets of features have vastly
differing requirements.

> First off, do both offer good security?  Should I scratch the whole idea
> entirely?

If you are handling money and/or confidential financial information,
you should assume that no CMS framework is offering any security at all.

Oh, sure, they all have at least an idea of protecting pages from view or
edit. But their programmers weren't thinking of your threat model. They're
thinking "Wow, if a large site gets violated, they might have to restore
from backup. That could be painful!".

This won't do if you are playing with real money. Worse if you are
playing with access details for direct deposit systems.

> Thanks, everyone, for your support.  Also, when is the next Linux installfest? I
> want to create one of these MythTV boxes you all talk about, but I have no
> idea where to start.

Start with the wiki at http://www.mythtv.org, and consider using
MythBuntu or MythDora on a spare computer.

-dsr-

-- 
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.
You can't defend freedom by getting rid of it.
