CMS Security
Fred at PlanetaryServer.com
fred-/Lcn8Y7Ot68+JxQryabxnkEOCMrvLtNR at public.gmane.org
Thu Dec 31 10:39:43 EST 2009
Dan Ritter wrote:
> On Thu, Dec 31, 2009 at 06:58:44AM -0800, KyleL wrote:
>
>> Hi Everyone I have a question about CMS websites.
>>
>> My boss has asked me to create a website for a payroll company and I am not
>> about to design it from scratch so I thought my best bet would be to do it
>> through a CMS such as joomla or drupal.
>>
>>
...
> If you are handling money and/or confidential financial information,
> you should assume that no CMS framework is offering any security at all.
>
> Oh, sure, they all have at least an idea of protecting pages from view or
> edit. But their programmers weren't thinking of your threat model. They're
> thinking "Wow, if a large site gets violated, they might have to restore
> from backup. That could be painful!".
>
> This won't do if you are playing with real money. Worse if you are
> playing with access details for direct deposit systems.
>
>
Of course, if this site is set up so that it can only be access via a
VPN, then the security question is contained to how secure the VPN is,
thus eliminating any potential flaws in the CMS itself.
I would strongly recommend VPN-only access to such a payroll site, but I
don't know what his specific requirements are.
-Fred Mitchell
More information about the Discuss
mailing list