By comparison, "There's a vetting process for new contributors who want their Drupal modules hosted on Drupal.org," says Dharmatech's Hill. "They have to apply for access to the system, and it goes through reviews to make sure it's up to Drupal coding standards. Several people will comment on the module, and then it's marked as reviewed, and your project may get accepted. For Drupal modules, the vetting process is important and significant in reducing insecure code hosted on drupal.org."
According to Lullabot's Eaton, "The Drupal security team does not proactively evaluate all of the modules -- currently around 8,000. They do monitor modules being posted, and look at bug reports and responses for the core modules and the add-ons."
Security-checking extensions "is probably where the two platforms differ the most," says Alan Langford of Abivia Inc., a web site and web application development and hosting firm that builds, hosts, and maintains web sites, the vast majority of them Joomla-based, and that has also created a number of Joomla extensions. "With Drupal, you get a limited number of extensions where it's possible to control releases and vet for security issues. With Joomla, just about anyone can write an extension. With 6000+ Joomla extensions out there, there's no way Joomla has the volunteer resources available to conduct security audits before making extensions available."
So, says Langford, "We -- the Joomla teams -- are forced into a reactive approach. The Vulnerable Extensions List (VEL) and the VEL team are responsible for handling reports of security problems in extensions developed by third parties. When a vulnerability is confirmed, the corresponding listing in JED (the Joomla Extensions Directory) is suspended, and the vulnerability is announced on the VEL."
And if it's confirmed that a Joomla extension is vulnerable, its JED listing is currently unpublished -- until the problem has been fixed. "This has proved to be a powerful incentive to have developers fix and re-release their extensions," says Langford.
But this doesn't necessarily give Drupal sites the advantage, security-wise, Langford opines. "For a given functional requirement, a Joomla site builder might be able to choose from multiple extensions that implement that functionality. It's not very likely that one would choose to build their own solution when something is available."