"Both cores are terrific and very secure, and both core development teams have good response times to reported security flaws," says Rafael Diaz-Tushman, President and CEO of Dioscouri Design, which provides IT support and web development services for the Guggenheim Museum, Jazz at Lincoln Center, and other businesses and non-profits.
Who -- if anybody -- reviews core code in terms of security?
With Joomla, notes Andrew Eddie, a co-founder of the Joomla project and one of the major contributors to the code base, "We have a body called the JSST (Joomla Security Strike Team), and members of that performed a security review of Joomla 1.6 before we released it. When new code comes in, the people doing the commit reviews are always mindful of security issues. And there are some simple checks and balances to look for, like 'are they using the Joomla API?'"
Developing secure modules and creating secure sites
The core isn't the only code that needs to be secure, of course.
There are thousands of extensions -- third-party modules -- available for both Drupal and Joomla. Plus there's whatever additional code has gone into creating the site.
Most extensions and other code used to create a site will be secure. But some won't be -- most likely because their creators coded their own security functions rather than using those in the core code.
"The vast majority of issues we see, especially with third-party modules, is not using Drupal's APIs properly, and not using the security features built into the Drupal core properly," says Jeff Eaton, Senior Architect, Lullabot Inc., a Drupal development and training shop whose Drupal sites include the Grammys, Martha Stewart, Fast Company magazine, and the MTV UK web site. "Everybody has to be on the alert for this. There are tools to do relatively simple code analysis to see if they're misusing APIs."
Of course, the same can be true of Joomla extensions and sites. It's possible for a third-party component to bypass the security checks that Joomla provides, just by writing poor code. Joomla has security features like a database class smart enough to check that when you pass data to it, the data is properly sanitized. But if you hard-code your own connections to the database instead, without doing any checking or sanitizing, you're introducing vulnerabilities.
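As an added illustration (not code from the article, the Joomla project, or any of the people quoted), here is the contrast the paragraph describes: a component that opens its own database connection and drops request input straight into SQL, beside the same lookup routed through Joomla's database class, which escapes the value. The API calls follow the Joomla 1.6-era API (JFactory::getDbo, getQuery, quote, JRequest); the table and column names and credentials are assumed.

```php
<?php
// Added example, not code from the article or the Joomla project.
// Table/column names and credentials are assumed placeholders.

// --- Bypassing the core: hand-rolled connection, raw input in the SQL ---
function find_articles_unsafe($title)
{
    // The component carries its own credentials and its own connection,
    // so none of the core's checks ever see this query.
    $link = mysqli_connect('localhost', 'joomla', 'secret', 'joomla_db');
    // $title is taken from the request as-is; a quote character inside it
    // changes the structure of the statement (SQL injection).
    $sql = "SELECT id, title FROM jos_content WHERE title = '" . $title . "'";
    return mysqli_query($link, $sql);
}

// --- Through the core API: the database class escapes the value ---
function find_articles_safe($title)
{
    $db = JFactory::getDbo();           // core-managed connection, no credentials here
    $query = $db->getQuery(true);       // fluent query builder (JDatabaseQuery)
    $query->select('id, title')
          ->from('#__content')          // table prefix resolved by the core
          ->where('title = ' . $db->quote($title)); // quote() escapes and wraps the value
    $db->setQuery($query);
    return $db->loadObjectList();       // array of row objects, or empty array
}

// Caller: request input is typed and filtered by the core before use.
$title = JRequest::getString('title');  // 1.6-era request helper; returns a filtered string
$rows  = find_articles_safe($title);
```

The unsafe function is exactly the pattern a code review for "are they using the Joomla API?" is meant to catch; the safe one gives the core the chance to sanitize the value before it reaches the database.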
One concern for Joomla users is that third-party components for Joomla don't go through any formal testing by Joomla.