CMS Security

Tom Metro tmetro-blu-5a1Jt6qxUNc at public.gmane.org
Thu Dec 31 13:03:21 EST 2009


KyleL wrote:
> My boss has asked me to create a website for a payroll company and I am not
> about to design it from scratch so I thought my best bet would be to do it
> through a CMS such as Joomla or Drupal.
> 
> My biggest concern is security.  As this is a payroll company there will be
> bank information, and a lot of money handling so security and functionality
> are my two most important subjects that I want to focus on.

I'd ask the same questions Dan raised, as that will determine the level 
of security required and what options there are for achieving it.

For example, if there are only a few users who will be modifying 
content, you might be able to use a hybrid solution where the CMS runs 
on a private server, and then gets periodically "published" as static 
pages to a public server. This could be supplemented with some limited 
interactivity on the public server.

This approach gets you the CMS functionality where needed, while keeping 
the public server bare-bones, and complexity is the enemy of security. 
On the other hand, it isn't necessarily a win if it leads to you 
inventing your own authentication scheme on the public server. Stick 
with something tried and true.

  -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
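
An added example, not part of the message above: one way to gate the "publish" step of the hybrid setup it describes, so that only static files ever reach the public server. The extension allowlist, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumption: only these static file types may reach the public server.
STATIC_EXTENSIONS = {".html", ".css", ".js", ".png", ".jpg", ".gif", ".ico", ".txt", ".xml"}


def audit_export(export_root):
    """Return sorted (relative_path, reason) findings that should block publishing."""
    root = Path(export_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                # A link could expose files outside the exported tree.
                findings.append((rel, "symlink"))
                continue
            if path.is_dir():
                continue
            if name.startswith("."):
                # .htaccess, version-control remnants, editor backups.
                findings.append((rel, "hidden file"))
            elif path.suffix.lower() not in STATIC_EXTENSIONS:
                # Server-side code or data that leaks CMS internals.
                findings.append((rel, "non-static type"))
            elif path.stat().st_mode & 0o111:
                findings.append((rel, "executable bit set"))
    return sorted(findings)


def build_sample_export(base):
    """Constructed sample tree: two clean pages plus three files that must not ship."""
    base = Path(base)
    (base / "css").mkdir(parents=True)
    (base / "index.html").write_text("<h1>Payroll</h1>")
    (base / "css" / "site.css").write_text("body{}")
    (base / "config.php").write_text("<?php // CMS database settings ?>")
    (base / ".htaccess").write_text("Options +ExecCGI")
    (base / "backup.sql").write_text("-- dump")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in audit_export(build_sample_export(tmp)):
            print(f"BLOCK {rel}: {reason}")
```

Run the audit on the private server against the exported tree and copy to the public server only when it returns no findings.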




