BSI publishes “Security Study on Content Management Systems”
The Federal Office for Information Security (BSI) has published a study into Content Management System security.
Content Management Systems are used for almost all government and SME Internet and intranet presences. These systems repeatedly give attackers and malware a foothold: even small vulnerabilities or misconfigurations can open the door to unauthorized access to online applications, IT infrastructure and sensitive data.
The "Security Study on Content Management Systems" details the relevant threats and vulnerabilities of the popular Open Source systems Drupal, Joomla!, Plone, TYPO3 and WordPress. The results will support IT managers in making reliable security assessments of a CMS as part of their planning and procurement. The study gives recommendations for securing the software under consideration, based on four typical application scenarios: "Private Event Site", "Civil Office of a Small Community", "Open Government Site of a Small Town" and "Mid-sized Companies with Multiple Locations".
The BSI contracted ]init[ Digital Communication and the Fraunhofer Institute for IT Security to conduct the study. Both partners are recognized experts in IT security and in the development and operation of CMS-based sites in security-sensitive environments.
Dirk Stocksmeier, ]init[ CEO: “The study provides important fundamentals in the field of IT security. It will give valuable support to public authorities, minimizing the security risks in their recommendations for CMS websites and thus also strengthening the confidence of citizens in e-government services. An essential prerequisite for this is secure CMS configuration, a professional management system and regular security reviews. I think one interesting result is that IT managers should allow at least 15 minutes per site daily to check for available patches, to make backups, and to install patches. This is too often overlooked. Security must not only be taken seriously in principle, but also be shown to be part of an organisation’s everyday work.”
Michael Waidner, Director of the Fraunhofer SIT: “The security study has shown that Open Source CMS can have an adequate level of security. All Open Source CMS considered have implemented reasonable security processes to fix vulnerabilities. However, the CMS should not be installed and used ‘as-is’, but must be properly configured, and continuously monitored and maintained. Only proper system management and prudent use of extensions can minimize the risk of undiscovered vulnerabilities. The study provides valuable information on what IT managers need to take into consideration.”
Press release, 19 June 2013