Sharepoint over the past 3 months has had zero hacks according to the http://nvd.nist.gov/, and Sharepoint Foundation can run for free on any licensed Windows Server.
See: http://web.nvd.nist.gov/view/vuln/search-results?query=sharepoint&search_type=last3months&cves=on (as of 5/16/2011 Sharepoint had zero security vulnerabilities for the past 3 months).
If my analysis is incorrect, please feel free to comment.
This doesn't seem like a very good comparison - all those vulnerabilities are in contributed modules, not Drupal core. In general, an open-source community like Drupal will be very open about security problems as well, and they get fixed quickly.
ksheirer, thank you for your comment, they are always appreciated, especially ones that use good grammar. Your point is valid, however, not all open source communities fix problems quickly. In the case of the comparison that I give between Drupal and Sharepoint, a Sharepoint engineer, developer or tester who allows debugging code to get through a release will be treated poorly. For Drupal to leave debugging code in that allows plaintext recording of passwords and allows remote attackers to gain privileges of that user, is something that should be fixed quickly. It hasn't, it has been on the book since 2/7/2011.
Please understand, my written voice may sound harsh, but that is not my intention, I really do appreciate your comment. Your comments are valid, and I do take it seriously.
Have you ever built a Drupal website yourself? I've been working as SharePoint developer and Drupal developer for years and I feel that you are completely misinformed. You are comparing closed source with open source. Both have totally different ways of dealing with security issues. In the Open Source world, bugs get announced before they are solved. So yes, it could be that an issue is unresolved for weeks. With SharePoint, they get fixed before they are announced. Or don't get fixed at all, you'll never know.
The issues you mention occur within contributed modules, of which the quality differs. Site developers have the responsibility to make a thorough selection of the modules they want to use. They have to check the quality of the code and decide if they want to use a free module or want to build a custom one. I'm sure there will be lots of custom SharePoint contributions that have security bugs.
You are comparing SharePoint core (MS only) to Drupal community (core + 9700 free modules) which doesn't make any sense. The great thing about open source is that you don't have to wait for Microsoft to fix an issue, but you can fix it yourself. Or pay someone to do so.
Next time you write a comparison, please choose something that can be compared.
Also, you might try searching for "drupal core" instead of just "drupal" to see the vulnerabilities recorded in Drupal's core install files, e.g.: web.nvd.nist.gov/.../search-results
Good point, however, as you can see in a post for today, NIST only allows certain keywords. The Drupal community can work with NIST to see if they can change those keywords, but Drupal Core or Drupal_Core is not one of the keywords.
In the later blog I show what the keywords are for drupal and sharepoint. For instance if I type in sharepoint foundation or sharepoint_foundation, I get no returns for either search, because these are not recognized keywords.
I think this is an excellent blog idea!
Damien, thank you for your feedback, please read my response as not harsh and respectful, your comments really are appreciated.
you are completely misinformed.
Your comment is not very clear. How am I "clearly misinformed"? On what basis? There are two points being made in this blog:
1. Sharepoint has no security hits over the past 3 months according to the NIST, none, and I provide the link as reference. I used the correct keyword.
2. Drupal has security hits over the past three months and I provide a link to the NIST. Again, I investigated the correct keyword and utilized it.
So, although I respect your phrase and your commenting, I would ask that you clarify your statement as to which of these statements is "misinformed".
Further in the comment section below, I do state that Sharepoint Foundation is free if your Windows Server is up to date. Is that statement misinformed?
In another comment I state: Did NIST report that there is debugging code in Drupal that would allow plaintext recording of passwords and allow remote attackers to gain privileges of that user?
If you have information that the NIST is inaccurate, please share, all of the readers will likely appreciate it. AND it will help out the community.
Or if you just wanted to make a negative statement about what I wrote, fair enough, and it is appreciated that people who use Drupal have an attachment to it. I have special attachments to Microsoft products, and I welcome your input.
I just got long winded about what you think is misinformed.
Thank you Reza, really, I do respect your input.
This isn't at all a fair comparison. Those Drupal modules aren't part of Core, and aren't maintained by the Drupal team.
What you're doing is like saying, "Sharepoint has a security flaw because of a bug in the HP Printer Driver which exposes user accounts"...
Actually it is a direct comparison. The NVD uses exactly the comparison of the various products that you describe. Sharepoint is all of the Sharepoint components and the related third party vendors. When you review the NVD.NIST.GOV, you can see that vendors like Google cause a great deal of problems for Apple and Microsoft.
Sorry, but the NVD is a level playground. People have no problem using it against Microsoft, with justification, but the flip side is required as well, when open source has a problem, that also needs to be revealed.
It appears that Drupal Core needs to fix these problems or get the community to fix them. These are vulnerabilities, and ignoring them because it isn't the "Core" group is a similar approach that corporations might have. Microsoft isn't allowed to get away with that, so why should Drupal?
I'll make it short and sweet: I agree with Kscheirer. Not a good comparison.
Then what is a good comparison? If there are poorly created web parts with sharepoint are these the same as poorly created Drupal modules? If that is the case then why not work with the NIST.GOV, as a community, and fix that reporting problem.
Or, I did review the current listing of errors in sharepoint, using the same string, there were some security vulnerabilities shown. Most of them related to the use of Excel in sharepoint. Excel and Sharepoint are not the same products. One could make the case that Excel is a "Module" of sharepoint.
Respectfully, I ask that a reasonable comparison process be given to me and I would use it. However, it appears that products that are clearly not sharepoint are listed in the NVD for sharepoint. I ask: How is that not a good comparison? Maybe the better solution would be to make sure that the fixes are posted so others know that the Drupal core is secure as well as the modules others might use.