"The Drupal community is very serious about security and there is a Security Team that includes original creator Dries Buytaert and other major contributors to the platform," says Justin Powell, who runs Twin Red Media LLC, a small boutique agency that has standardized on Drupal.
The team's primary goal, says Powell, "is to identify and resolve security issues in Drupal Core and contributed modules. They provide assistance to module developers in resolving security issues and provide documentation to the community on how to write secure code to start with. The efforts of the Security Team have resulted in pretty frequent software updates to keep Drupal code secure."
Some security features and concerns reflect the two CMSs' slightly differing approaches.
"Joomla is focused on basic content management and security is based on purely access control," says Christopher Justice, Chief Executive Officer, Sparksight, Inc., a full-service creative and design advertising agency. (Justice has also been a member of the Open Source Matters non-profit board of directors that manages the financial and legal aspects of the Joomla project, and a contributor to various core team discussions and strategies in the Joomla core team, the engineering hub and spoke for Joomla. And, Justice notes, he has been doing content management since the mid-1990s, and estimates he has used "about 170 or more CMSs by now.") "The group and role features of Joomla 1.6 are evolutionary but still limited to the security of content (articles). Joomla needs so much more... the new Nooku platform for creating Joomla extensions may be the answer."
By contrast, says Justice, "In Drupal, everything that exists is an object, and that object can be a variety of types, content, media, applications, application programming interfaces (APIs) and more. The security principles with Drupal are designed to integrate with third-party applications in a more flexible, modern and secure way."
Keeping core code secure
"Core code" refers to what you get when you download Joomla or download Drupal. You'll probably supplement these with third-party extensions, some code of your own, and configurations and settings, but the "core" is what the projects' main teams develop.