CMS Watch Automattic Feed

Quick: what do Joomla!, Drupal, and WordPress have in common?

kthomas@cmswatch.com(Kas Thomas) — Mon, 18 Aug 2008 11:34:00 -0400

Big Blue recently released its IBM Internet Security Systems X-Force 2008 Mid-Year Trend Statistics report, and it contains more than a few eyebrow-raisers. For example: Web-application-based security vulnerabilities have begun to outnumber reports involving conventional viruses and trojans (of the kind that target the operating system). We're now at the point where 51 percent of newly discovered software vulnerabilities depend in some way on web-page interactions.

Also, there's been a sharp surge in the number of vulnerabilities that involve SQL injection (as opposed to cross-site scripting). Meanwhile, the use of infected image files (.gif or .jpg) as a way to inflict mayhem is on the decline.

What really got my attention, though, is the new Top Ten list of vendors with the most vulnerability disclosures. Normally you would expect Microsoft to be at the top of that list (I would, at least). Instead, it's at Number 3, behind Apple and... Joomla!. Fortunately, Joomla! can be secured, but it's quite possible that many novice Joomla! installers do not.

Numbers 8, 9 and 10 are interesting, as well: Drupal, WordPress, and Linux.

The finding that no fewer than four of the top ten vendors with the most reported vulnerabilities are open-source projects is, at first blush, quite striking. But the results should be viewed with caution. In part, the rankings reflect a recent change in IBM's data-gathering methodology (which the report's authors are quick to point out). Another important caveat is that the numbers are not normalized against adoption rates or installed seats or any other usage metrics. They're based on raw numbers.

It's worth remembering, too, that open source projects are extraordinarily open about security vulnerabilities. Hence you would expect a comparatively high rate of reporting for an open-source product. Finding, publishing, and fixing security vulnerabilities is something the open-source community has gotten quite good at, particularly in the Linux world, where every line of code for the entire operating system (including all encryption routines, random-number-generating code, and so on) is available free for the downloading. Security flaws in Linux tend to be found and corrected with astonishing alacrity.

On the other hand, it's striking that three of the Top Ten contenders on IBM's security worry-list have PHP in common. You can read whatever you want to into that, I suppose. I'm not a PHP expert, but I'm enough of a web developer to know that languages don't create security problems; programmers do.

If you have the time and the inclination, download the IBM report. At 85 pages, it' a well-worthwhile lunch-hour read, if you care about web-app security ... as I think we all should.

Stop the Presses: the Word is out

bloem@radagio.com(Adriaan Bloem) — Wed, 30 Jul 2008 10:51:00 -0400

Not quite hot off the wire, but WordPress version 2.6 was released two weeks ago. Given I reviewed version 2.5 for the Enterprise Social Software Report 2008, I was eager to find the answers to three questions and took my time to run it through its paces. First of all, did they finally manage to make the upgrade a painless process? And secondly, would it affirm the sense I got that blog software keeps moving toward fully-fledged WCM software?

As for that upgrade: I'm happy to report that when testing this, it was pretty flawless. In the past, it has often been a painful process, usually because of incompatibilities in either plugins or templates. Of course, this upgrade was relatively minor, but all of my plugins still worked and my templates weren't broken (though there are some possible issues, especially with the changed configuration files). I still haven't managed to get the automatic upgrading of plugins through the interface to work, though.

The second question: is blog software becoming more like "regular" WCM software? Well, WordPress has certainly come a long way since the original b2 that got the project started. As with other pure-play blog software, such as Movable Type, an increasing number of the features we tend to see in WCM software are creeping into these products. Both, for instance, now contain some rudimentary DAM functionality (enough to upload, resize, and reuse images, at least). And in 2.6, WordPress now outdoes both Movable Type and Blogger: it's the first to offer versioning. It's still pretty basic stuff, but at least you can now revert to an older version of your post or page if need be, and they've managed to keep it as easy to use as most other features in the product. I think that using WordPress as a real WCMS is still a bit too clunky, though, probably as much using a WCMS (or SharePoint) to blog. There's a serious risk WordPress might evolve into a mediocre WCMS in the future, instead of the purposeful blog software it is now.

Oh, and yes, I said three questions in that first paragraph, not just two: is Blogger ever going to catch up? In our social software report, I mentioned development of Google's blogging service has been slow. As I check the Blogger Buzz, I can't help but notice its most recent improvement has been adding Malay to the supported languages. That's nice, but if Google isn't careful, the main reason for users to stick around will be that they are stuck to their blogspot.com URL...

Blog migration: your castle is your domain

bloem@radagio.com(Adriaan Bloem) — Wed, 11 Jun 2008 14:59:00 -0400

One thing surprised me while evaluating hosted blog solutions for the Enterprise Social Software Report 2008: customers often indicate they'd like to switch to another service, but they keep putting it off. And it's not procrastination, it's because migration is quite an off-putting prospect.

For sure, switching software and especially SaaS-based systems is never something people look forward to. But with blog services such as TypePad and wordpress.com, migration is supposedly easy: they offer both export and import; even Blogger can be made to do an export with a couple of tricks, and if all else fails, you could use your blog's RSS feed as a last resort to grab the text and leave.

So what's the problem? Well, you can export from your old service, and probably import it to the new one. Getting the text across, or even comments and trackbacks, is perfectly feasible, but then there's the images and "other binaries." Which sounds innocent enough, but your service may host podcasts you probably worked hard enough on not to just throw away for some nice new features or better usability. How are you going to transfer all of that?

Then, a new "permalink" structure might break any hyperlinks to the blog and between posts. What if you were used to /month/day/title.html links which suddenly change to /category/title.html? And a switch of domain name might loose you your readers, not to mention your Google PageRank. Every once in a while you'll come across those http://adriaanbloem.blogspot.com addresses, and when you do, realize they're like the Hotel California: you can post there any time you want, but you can never leave the host. Not using their own domain is the #1 reason people don't switch to another service they might prefer.

You or your enterprise may embark on the adventure as "just an experiment" at first. Using one of the various SaaS options is not a bad way to go, but don't be lulled into the all-to-easy "we'll see, maybe we'll change it if it's a success." I can understand the rationale (blogging is supposed to be simple and straightforward, that's the whole point, isn't it?) but doing your homework might save you a lot of headaches.

Think through the various options. Be careful about the permalink structure you set up and where you host your images and podcasts. And remember that your castle is your domain: shell out that $10 and get a unique URL.

Announcing the Enterprise Social Software Report 2008

tbyrne@cmswatch.com(Tony Byrne) — Wed, 11 Jun 2008 00:00:00 -0400

The full name is actually Enterprise Social Software Report 2008: Networking & Collaboration Within and Beyond the Enterprise. Enterprises are increasingly using social tools -- some new, some not so new -- within and beyond enterprise boundaries. As one side effect, those boundaries are increasingly blurring, even though vendors still find it difficult to satisfy both internal and external scenarios.

The report evaluates 20 Social Software vendors against eleven common scenarions, weighing in at about 400 pages. Turns out there are a lot of differences among vendors and approaches. The tools may espouse a light touch, but many of the architectures are far from trivial. Our media release today highlights just one potential challenge you may face implementing at an enterprise level: the general dearth of system services (like configuration management) across this space.

The report is available for pre-order today. Subscribers will receive their copy in a week or so when the official version gets burned out.