CMS Watch Drupal Feed

Quick: what do Joomla!, Drupal, and WordPress have in common?

kthomas@cmswatch.com(Kas Thomas) — Mon, 18 Aug 2008 11:34:00 -0400

Big Blue recently released its IBM Internet Security Systems X-Force 2008 Mid-Year Trend Statistics report, and it contains more than a few eyebrow-raisers. For example: Web-application-based security vulnerabilities have begun to outnumber reports involving conventional viruses and trojans (of the kind that target the operating system). We're now at the point where 51 percent of newly discovered software vulnerabilities depend in some way on web-page interactions.

Also, there's been a sharp surge in the number of vulnerabilities that involve SQL injection (as opposed to cross-site scripting). Meanwhile, the use of infected image files (.gif or .jpg) as a way to inflict mayhem is on the decline.

What really got my attention, though, is the new Top Ten list of vendors with the most vulnerability disclosures. Normally you would expect Microsoft to be at the top of that list (I would, at least). Instead, it's at Number 3, behind Apple and... Joomla!. Fortunately, Joomla! can be secured, but it's quite possible that many novice Joomla! installers do not.

Numbers 8, 9 and 10 are interesting, as well: Drupal, WordPress, and Linux.

The finding that no fewer than four of the top ten vendors with the most reported vulnerabilities are open-source projects is, at first blush, quite striking. But the results should be viewed with caution. In part, the rankings reflect a recent change in IBM's data-gathering methodology (which the report's authors are quick to point out). Another important caveat is that the numbers are not normalized against adoption rates or installed seats or any other usage metrics. They're based on raw numbers.

It's worth remembering, too, that open source projects are extraordinarily open about security vulnerabilities. Hence you would expect a comparatively high rate of reporting for an open-source product. Finding, publishing, and fixing security vulnerabilities is something the open-source community has gotten quite good at, particularly in the Linux world, where every line of code for the entire operating system (including all encryption routines, random-number-generating code, and so on) is available free for the downloading. Security flaws in Linux tend to be found and corrected with astonishing alacrity.

On the other hand, it's striking that three of the Top Ten contenders on IBM's security worry-list have PHP in common. You can read whatever you want to into that, I suppose. I'm not a PHP expert, but I'm enough of a web developer to know that languages don't create security problems; programmers do.

If you have the time and the inclination, download the IBM report. At 85 pages, it' a well-worthwhile lunch-hour read, if you care about web-app security ... as I think we all should.

Web CMS versus Social Software?

tbyrne@cmswatch.com(Tony Byrne) — Wed, 18 Jun 2008 10:10:00 -0400

People frequently ask me about where their Web Publishing efforts should end and Social Software begin. Like so many things, the answer is, "it depends." For example, one important question is whether you are talking about intranets versus a public site, which will likely exhibit very different interaction and security models.

I can certainly understand the confusion. Our recent research on Web CMS and Enterprise Social Software suggests a definite overlap from a tools perspective. But our research also found most Web CMS tools coming up short when it comes to deeper forms of Social Networking and Collaboration. (See today's press release for more details).

Meanwhile, most Social Software tools lack -- in some cases deliberately lack -- the sort of heavier-duty systems and administrative services that you would want behind an enterprise website.

Some enthusiasts argue that multidimensional platforms (like Drupal or SharePoint, to name just two) give you the best of both worlds. I disagree. But perhaps it's best to look at this less as a competition between two different types of software and more as distinct approaches to addressing two rather different objectives: one for enabling the publishing of "official" information, and the other supporting the creation and social interaction around unofficial content.

For most cases in most enterprises today, I think this means investing in two (or more) different types of tools to get you there.

Drupal, Mollom, and the Future of Blog Spam

kthomas@cmswatch.com(Kas Thomas) — Wed, 11 Jun 2008 12:39:00 -0400

Is it just me, or has anyone else been struck by the lack of attention being paid to blog comment spam?

No one needs a reminder of how severe the spam problem is with e-mail. But e-mail spam is just one piece of the spam pie. (Oh man, talk about a hard-to-swallow metaphor...) Somewhere between 80 and 90 percent of comments posted to blogs and/or wikis come from spambots or their human surrogates. Bear in mind, as technologies go, blogging is fairly new by comparison to e-mail. We're still near the beginning of the blog-spam curve.

To the extent that Social Software and Web CMS vendors sell, bundle, or pre-integrate blog and wiki solutions for you to employ beyond the firewall, they're selling you spam magnets as part of the deal. But they're not necessarily helping you with spam filtration.

You'd expect Social Software purveyors to be pioneers in this area, and some of them have decent services. But surprisingly, many of the vendors covered in our just-published Enterprise Social Software Report 2008: Networking & Collaboration Within and Beyond the Enterprise scored rather poorly on anti-spam capabilities.

Typical remedies for blog spam include comment moderation, challenge-response techniques, and automated filtering based on some combination of reputation assessment and AI-based text analysis. There are problems with all three approaches.

Moderation is tantamount to hand-processing. This is impractical in many cases and will only become more so over time.

A more practical deterrent is the CAPTCHA (a common challenge-response technique). The idea is that if you can correctly identify the letters in a deformed Gif image of a word, you're human, not a spambot, and therefore can be trusted not to post garbage. The CAPTCHA deters robots remarkably well (so far, at least), but it also deters legitimate posters to some extent. (Not everyone wants to play a word game in order to leave a comment.) It will not deter a malicious human. Offshore boilerrooms of paid CAPTCHA-breakers can (and do) still break through.

Filtering based on AI-driven text analysis can be effective for blog comments as well as e-mail. The problem with text analysis is that unless misclassification errors can be kept to just a couple of percent, you're still letting a lot of junk through. Consider a blog that receives 100 comments. Typically, 80 will be spam. An AI-based spam filter that's 90 percent accurate will let 8 bogus comments through. Since you had just 20 legitimate comments to begin with, you're left with a situation where over a quarter of your published comments (8 of 28) are bogus.

Comment spam mitigation technology is obviously a work in progress. Some interesting new work in this area is being pursued by none other than Dries Buytaert (creator of Drupal). Buytaert, along with university classmate Benjamin Schrauwen, recently introduced Mollom, a comment-filtering SaaS offering (free for non-commercial users). Buytaert and Schrauwen hold doctorates in computer science. Schrauwen's is in machine learning.

Mollom relies mostly on proprietary text analysis techniques, but takes a multi-tiered approach. When a comment arrives for analysis, it is given a score of ham (good), spam (bad), or uncertain. When the content's quality is uncertain, Mollom issues a CAPTCHA challenge to the submitter. If the submitter passes the CAPTCHA test, the content is marked as good. Buytaert and Schrauwen claim that Mollom (currently used by 1459 websites) is 99.78 percent effective.

What makes Mollom better than, say, Akismet? It's hard to know, at this point. Mollom's algorithms are a closely guarded secret (but are likely to be the original work of Schrauwen). Akismet says only that it runs "hundreds of tests" on every incoming comment (which sounds more than a bit Rube Goldberg-ish).

Mollom's most important differentiator may ultimately be its ability to act as an OpenID reputation service. For every incoming request associated with an OpenID value, Mollom updates the reputation of that ID based on the scoring of the associated comment(s). Over time, the trustworthiness of any user who has an OpenID becomes a simple table lookup rather than an elaborate exercise in artifical intelligence.

If you're in the process of selecting a Web CMS and/or Social Software vendor, and you plan to deploy public-facing blogs or wikis, be sure to take comment spam mitigation into account. Moderation of comments (by humans) is inherently costly. A SaaS service like Mollom or Akismet may not completely eliminate the need for moderation but could be money well-spent. One thing is certain: spam is something you need to budget for and architect around. Ask your vendors what kind of help you can expect from them. And don't settle for the sound of crickets chirping.

Announcing the Enterprise Social Software Report 2008

tbyrne@cmswatch.com(Tony Byrne) — Wed, 11 Jun 2008 00:00:00 -0400

The full name is actually Enterprise Social Software Report 2008: Networking & Collaboration Within and Beyond the Enterprise. Enterprises are increasingly using social tools -- some new, some not so new -- within and beyond enterprise boundaries. As one side effect, those boundaries are increasingly blurring, even though vendors still find it difficult to satisfy both internal and external scenarios.

The report evaluates 20 Social Software vendors against eleven common scenarions, weighing in at about 400 pages. Turns out there are a lot of differences among vendors and approaches. The tools may espouse a light touch, but many of the architectures are far from trivial. Our media release today highlights just one potential challenge you may face implementing at an enterprise level: the general dearth of system services (like configuration management) across this space.

The report is available for pre-order today. Subscribers will receive their copy in a week or so when the official version gets burned out.

A caution about Drupal as a social software platform

apoorvdurga@gmail.com(Apoorv Durga) — Tue, 13 May 2008 18:03:00 -0400

The open source package Drupal is one of the few social publishing platforms built on top of a longstanding Web CM (WCM) system. It has a strong foundation with a very flexible taxonomy system which -- along with thousands of 3rd-party modules -- enables you to assemble social publishing applications.

However, these modules could be your biggest problem as well because many times, module upgrades do not keep pace with Drupal upgrades. Even though Drupal has released version 6.2, many of the more popular modules are still on 5.x. These include Organic groups (for building communities or groups), MySite (module for MyPage or MyYahoo type functionality), Panels (module for creating more flexible layouts) and Views (module for creating flexible lists of content) -- all modules that are necessary for building such social publishing applications.

Meanwhile, some of the problem related to 3rd-party modules could be reduced with the new firm Acquia announcing a commercial Drupal version which will include support for many of these 3rd party modules. Even though Acquia has received a bit of publicity (and VC funding), the first release of "Carbon" (its commercial offering) won't be released until the second half of this year.

So if you are planning to employ Drupal for your social software project, pay special attention to the modules that are required and test them thoroughly on Drupal. It is quite possible that you do not need any of these 3rd party modules because Drupal also includes many modules like Blog and Forums in its core. But if you do need external modules like these, your best bet would probably be to go for Drupal 5.x (and the same holds good for those looking to upgrade from 5.x to 6.x as well). As we continue to research social software in the enterprise, look for more details in these pages on Drupal and competing platforms.

Innovations in Digital Asset Management, Circa 2008

info@databasepublish.com(Joseph Bachana) — Wed, 7 May 2008 15:51:00 -0400

The Digital Asset Management (DAM) marketplace doesn't receive a lot of attention, but DPCI's Joseph Bachana argues that some very interesting developments are transpiring. The problem is, no single vendor has a lock on how to combine all these innovations into a comprehensive offering...

Twelve Predictions for 2008

editor@cmswatch.com(The CMS Watch Analyst Team) — Tue, 18 Dec 2007 00:01:00 -0500

It's that time of year again. The CMS Watch analyst team ponders what to expect next year, and offers 12 predictions that we think will shape content technologies in 2008 -- from Google to Microsoft, Web/Enterprise 2.0, Enterprise Search, Archiving, and more...

VC funding for Drupal?

tbyrne@cmswatch.com(Tony Byrne) — Fri, 30 Nov 2007 15:03:00 -0500

I've heard from several different sources about a "hot deal" for venture capital funding of a Drupal-oriented start-up called Acquia. Acquia has been in stealth mode, but not for long -- "hot" means likely to get funded, perhaps by a consortium of VCs. Acquia ~~will release~~ has released an FAQ outlining the new company, formed with a CEO and some developers, as well as the participation of Drupal founder and über-committer Dries Buytaert as Acquia CTO. As Web CMS Report readers know, Dries is revered in the Drupal community by creating both a culture and a technical framework for the project where a thousand flowers could bloom in the form of pluggable, community-contributed "modules." Rare is the Drupal implementation without a unique bouquet of such modules.

As someone who tries to follow open source governance models I find this development fascinating. Clearly there's an opportunity here. Drupal is riding the Web 2.0 wave on two fronts: as a tool built from the ground up to support user-generated content, and (consequently) as a favored platform choice many Web 2.0 start-ups -- who sometimes found the product lacking the kind of maturity and readiness one would want to stake a business on. VCs are anxious to ride this wave. Some sort of formal commercial venture thus seems quite inevitable.

Acquia says in its FAQ that they will play nicely with the community and add new intellectual property to the project. That makes good sense for all concerned.

And yet, large raucous communities don't always cotton to even the hint of one of their members assuming a leadership mantle (or oversized share of profits) out of the blue. It's one thing when a commercial company founds a project (c.f., Zope or Alfresco) and then has to negotiate the reins with the community they fervently hoped would join the project. It's quite another for a highly distributed community to ingest a sizable commercial firm without feathers getting ruffled. I won't go out on a limb and predict the kind of turmoil and forks that befell Mambo and threaten Joomla! even today. But if you have staked your website, or even your start-up, on Drupal, you'll want to watch your interests very closely as this unfolds.

Scalability the Terracotta Way

kthomas@cmswatch.com(Kas Thomas) — Tue, 14 Aug 2007 06:23:00 -0400

One of the theoretical advantages of Java-based Portals and Content Management applications is the ability to cluster servers for better performance. But the reality is that clustering is a black art that few vendors and implementation teams really ever seem to master adequately. So it comes as a (welcome) surprise to learn of an open-source technology that delivers many (if not most) of the things customers want here, but in surprisingly quick, painless fashion, at low cost, with no need to recompile code or stay up nights learning about disturbing-sounding concepts like "STONITH" (shoot the other node in the head).

The technology in question is called Terracotta, and it works by clustering the Java Virtual Machine in such a way that even a participating JVM itself doesn't know that it has been enlisted in a coordinated effort of any kind. Through a clever bit of boot-time dependency injection, Terracotta patches a handful of core JVM memory-management bytecode instructions, achieving transparent virtualization across any number of enlisted VMs, under the control of a Terracotta server that lives in "aspect space." The Java memory model is not altered. Application code does not have to handle locks any differently or follow any special APIs, or even know that it's been clustered. Have I lost you here? Think of it this way: Instead of implementing special cluster services at the application level using product-specific APIs, Terracotta clusters the Java heap itself, underneath your applications.

It all sounds like science fiction until you try the tutorials, read the white papers and technical literature, and examine the long list of integration efforts (listed on the Terracotta website) involving other Java-based modules like Apache Lucene.

One of the more intriguing integration efforts thus far has been Geert Bevin's recent quest to achieve heretofore unknown levels of scalability and performance with the open-source Web CMS package, Drupal. Drupal is actually written in PHP, but in this case runs on Caucho's Quercus (a Java implementation of PHP), leveraging Terracotta in the cache layer. As Web CMS Report readers know, Drupal is a collaboration-intensive CMS solution of the "let's cache everything in the database" variety -- with difficult scalability problems to match. Bevin's system is highly experimental at this point, but it hints at what people might be able to accomplish with the technology.

In the meantime, other content technologies that take advantage of well-known Java subsystems like Hibernate, Tomcat, Resin, EHCache, Quartz, and so on have the most to gain by exploring Terracotta as a fast path to scalability. Individual subsystems can be tested against Terracotta separately, to find sweet spots.

It will be interesting to see how long it takes mainline ECM and Portal players (particularly those that rely heavily on Java-based infrastructure components) to include Terracotta in their "supported product configurations." I would expect the Alfrescos and Liferays of the world to stay out in front of the situation. Purveyors of complex proprietary solutions might miss the boat.

Scalability always has been (and probably always will be) the Achilles' heel of all the technologies we cover. I'll be watching to see how other communities adapt Terracotta-like notions to other well-known virtual machines (e.g., .NET). Anyone at www.mono-project.com listening?

Drupal isn't Web-2.0-in-a-box

tbyrne@cmswatch.com(Tony Byrne) — Tue, 3 Apr 2007 21:42:00 -0400

Actually, there is no Web-2.0-in-a-box. I suspect the magic alchemy of participation, critical mass, self-perpetuation, and community regulation remains beyond the reach of all but the most fairy-dusted Wikipedias and Facebooks. Of course, that doesn't stop entrepreneurs from trying, and the tool of choice for many community-oriented start-ups is the open-source CMS + Collaboration platform, Drupal. Not surprisingly, then, comes this blog entry, "Drupal considered dangerous for startups?" As both the author and numerous commenters point out, the problem isn't really Drupal -- it's the idea that generic technology alone can create a real business. At the same time, developers at those would-be "next youtubes" were probably a bit surprised at Drupal's complexity, lack of real configuration management, and its project leaders' famed reluctance to make usability improvements. You can read more about Drupal in the most recent Web CMS Report.

Announcing latest version of The Web CMS Report

tbyrne@cmswatch.com(Tony Byrne) — Tue, 20 Mar 2007 00:01:00 -0400

Today we released The Web CMS Report - 2007. That's Version 11 if you're counting. I have so much to say about the new trends, tools, and challenges we found that I'll write up a longer article about that next week. In the meantime, for a quick review of deltas from Version 10, in this new update we:

Assess how Web CMS vendors are adapting Web 2.0 tools into their stacks (and find them coming up a bit short -- see press release)
Introduce coverage of Enonic, Drupal, Joomla!, and Alfresco WCM
Evaluate MOSS 2007 as a successor to Microsoft CMS
Expand our coverage of standards, development models, and tool testing

Plus of course we update all our product evaluations, drawing heavily on the experiences of you, the customer.