The following post was written by Drupal Association Premium Hosting Supporter, BlackMesh.


It’s an election year, and we know you may be tired of hearing debates, watching debates, or even engaging in debates… there's seemingly no end in sight!

We understand, and would like to change the “debate,” or at least, talk about another kind of debate—the debate about open source and security. After all, security is an integral part of today’s IT landscape and of every development phase, and since open source has become so prevalent in software development, it's key to address how the two intersect.

The BlackMesh team has written extensively about security in the past, but it’s such a wide and varied topic that we haven’t yet shared our thoughts on the potential cyber threats and issues facing one of our favorite CMS platforms, Drupal.

We at BlackMesh love collaboration—whether it’s with team members, partners, customers, or especially the Drupal community. That’s one reason why open source is so great; as BlackMesh CTO Jason Ford says, “Without Drupal, BlackMesh wouldn’t be where it is today. Coupling Drupal with Security has been one of our focuses in the last few years, which has resulted in two significant outcomes—a FedRAMP-moderate PaaS certification and our very own Cathy Theys on the Drupal Security team.” Having ideas and unique capabilities expounded upon by global experts ranging across all sectors and enterprises makes Drupal what it is.

However, it's this collaborative nature of open source that leads some to have security concerns. If source code is “open” and publicly available, it may be accessible to malicious hackers. The conventional wisdom is that private or closed source applications would prevent such access by these threats.

We hate to break it to you, but any software—whether open or closed source—can be at risk of cyber threats, just in different ways. However, the collaborative open source aspect of Drupal, for example, makes the framework stronger, more defensive, and quick to react to any potential issues; the Drupal community has done great work in regard to security and preventing hacks, but it's an ongoing battle. As with any software, platform, or general aspect of IT management, the greatest measure for fighting this battle for security is to be proactive.

BlackMesh’s Drupal Community Liaison, Cathy Theys, has been heavily involved in Drupal development for years, and has seen the kind of progress and ingenuity the platform’s contributors have introduced in regard to security. “With about 40 members, the Drupal Security team is a very collaborative group of skilled people,” said Cathy. “Over the years, the team has developed good methods of doing our job—whether it’s coordinating security issues and advisories, resolving security issues, or doing education to help prevent security issues.”

With the mindset of keeping applications safe from outside attacks, from DDoS to cross-site scripting hacks, BlackMesh has always focused on industry standard security practices as a baseline for every system running on our network. Much like caching in layers (which Drupal loves), layering security techniques such as the NIST or CIS frameworks on top of hardware appliances that do intrusion detection, intrusion prevention, and DDoS mitigation keeps applications hosted with BlackMesh safer.

Major news for Drupal came in November of 2015, when Drupal 8 was released. With Drupal 8’s launch, we’re seeing innovative improvements to the system’s security efforts. Steps to achieve optimal security came from the open source community. The Drupal 8 Security Bug Bounty program, for example (remember that?), used crowdsourcing techniques by the Drupal community to validate the system and check for bugs. This is a great example of how the open source Drupal community worked together to make the system stronger and more secure for the D8 upgrade, without sacrificing security features from the previous versions. Help from open source contributors also made security advancements—like using Twig templates for creating HTML and removing PHP input format restrictions—possible for the most recent version of Drupal.

The open source security debate will continue. But so will the evolution of code and resources contributed by the Drupal community. With knowledgeable Drupal community members like the Drupal Association and BlackMesh remaining committed to security, open source can and will remain prepared to handle the most sophisticated security threats.

Sponsored content, like this post, is made possible by contributions to our Hosting Supporter Program. Its program fees support the Drupal.org Tech Team, which maintains, optimizes, and improves Drupal.org.