Posted by Crownpeak, April 26, 2022

Why Security is the #1 Threat to Your Open Source CMS

There are many things that keep IT leaders up at night, but security breaches remain high on the list. Whether it’s high-profile breaches like those experienced by Equifax or Target, or local companies trying to thwart hackers from breaking into their systems, no company is safe. According to Cybersecurity Ventures, global cybercrime costs are predicted to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015. 

While phishing and social engineering are well-publicized and far-too-common tools for hackers, a critical point of vulnerability for many companies is their own content management system (CMS). The growth in hacking activity is especially concerning for companies that use an open-source CMS, like WordPress or Drupal, to manage their websites. While these technologies offer certain benefits, including ease of use, availability of code bases and a plethora of plugins, they can also expose companies to a multitude of content management system security threats.

The very nature of open source is that it’s open. That means everyone has access to the code base, including hackers. Most open-source CMS rely on plugins to add new features, including key capabilities such as security. But plugins come from a lot of different vendors, and no single developer has full system knowledge or accountability if and when something goes wrong. Some of the most popular WordPress and Drupal plugins - used to support core functionality such as forms and image sliders - have a well-documented history of security problems.

Open-source plugins may provide an easy way to cater to all your functional requirements, but do you really know who designed them or how careful they were to ensure they are secure?

With open-source software, it’s easier for hackers to go in, figure out back doors to access sensitive data, and exploit it for their gain. If you trust that your open-source CMS and plugins have the protection needed in today’s world, you are taking a big leap of faith.

While the low up-front costs associated with open-source CMSs like Drupal and WordPress are often attractive to small to mid-sized companies (and the digital agencies that often support them), the larger your company and the larger your customer base, the greater your risk, and your potential financial and customer loss, from remaining on these open-source CMS platforms. The truth is that the native vulnerabilities of open-source CMS, and the cost and complexity of securing them, expose companies of all sizes, as well as their partners and customers, to greater risk.

As more commerce and customer interaction has moved online during the pandemic, it’s sad, but not surprising, that 2021 was a record year for data breaches and other hacks such as ransomware attacks. CMS vulnerability is of huge concern for corporate executives since, if your company’s CMS doesn’t have a secure application service infrastructure, it’s like providing an open door for hackers.

Hackers have the same information and access to patches as you do

The availability of patches online is great for quickly fixing problems. But every time a security vulnerability is published and a patch is released, hackers go into action. They know that not everyone will apply the patch in a timely way. 

Companies often fall behind on installing patches for many reasons, including the time, cost, and complexity involved. As soon as a patch is posted online, hackers jump in and exploit the same weaknesses on every system that has not yet been patched. This means that speed in applying patches is critical. Think of it this way: if your IT department is distracted or focused on other priorities and doesn’t install patches right away, it’s like walking away and leaving the keys dangling in your lock. When it comes to security patches, hackers make it their job to get to them first.

For instance, Drupal security took a big hit due to a vulnerability in Drupal 7’s database abstraction API that allowed an attacker to send specially crafted requests resulting in arbitrary SQL execution. The vulnerability was so severe it was referred to as Drupalgeddon, and as everyone on Drupal 7 learned the hard way, you have to move quickly to install patches to beat the hackers to the punch. Estimates on the cost and number of websites impacted vary, but up to 12 million websites may have been compromised.

These issues can be very costly to your company, both financially and from a corporate reputation perspective. Without secure content management, you might incur website downtime, your entire e-business could grind to a halt if credit card processing is paused, customer data can be stolen (which can tarnish your company’s reputation, impact customer retention or lead to hefty fines), and the subsequent costs of customer service and providing free credit monitoring to impacted customers can be significant. You might even have to launch an advertising campaign designed to build back your reputation.

Whether it’s coverage in the press that tarnishes your reputation (Yahoo had 3 billion accounts hacked in 2017, First American Financial Corporation reportedly leaked 885 million records in 2019, and LinkedIn had 700 million users’ data leaked in 2021) or, even worse, customers experiencing financial losses or identity theft because of your security breach, it’s your company’s reputation on the line.

The costs and time involved when hackers exploit weaknesses in open-source CMS platforms can be a big hit to a company’s bottom line as well, with website downtime and added IT resources to mop up the mess and get things back in running order. A study from the Ponemon Institute found that the average cost of a data breach in 2021 was US$4.24 million, a 10% rise from the 2019 average of US$3.86 million. It’s worth noting that one of the top causes of data breaches in 2021 was vulnerabilities in third-party software.

Protect your company and your customers against open-source CMS security weaknesses with a secure, decoupled SaaS CMS 

While open-source CMS might be a starting point for a small company or digital agency, the risks associated with using open-source multiply exponentially the bigger your company and customer base becomes. To protect yourself and your customers, it is essential to have the right CMS architecture in place. A modern, decoupled SaaS-based digital experience platform (DXP), such as Crownpeak, offers the security that open-source solutions simply cannot provide.

So, what is it about a decoupled SaaS architecture that makes it so compelling from a security standpoint? 

Secure decoupled architecture separates content management from delivery

There are many benefits of a decoupled SaaS security architecture in a CMS, but one of the first to examine is the benefit of having a decoupled content deployment architecture. This means that the content management layer and the content delivery layer are separate. This is important from a security perspective because it reduces the public exposure of the platform, which reduces security risks:

  • Administrative functions and non-live content, such as stage, development, and draft are not publicly exposed. With other solutions, the software that renders the live website also typically manages all content, even pre-production, which increases exposure and vulnerability. 
  • Public-facing digital experiences can be built in a lightweight, security-focused manner, totally disconnected from the content repository, rather than having to expose an entire CMS application. 

SaaS provides fast, automatic, and reliable security updates

Here’s another place we see a major difference between open-source offerings like Drupal and WordPress and a true SaaS CMS such as Crownpeak. When Drupal, WordPress and other open-source platforms refer to their offerings as “cloud,” they’re not providing the full story. These platforms are typically provided as Platform-as-a-Service (PaaS), which means the upkeep and maintenance of the software is on you. In contrast, with a fully managed SaaS solution you can be confident that your website has all the latest updates and security enhancements without any additional costs or worry.

SaaS platforms have a regularly scheduled release process which means all customers automatically benefit from security patches and product updates that are done in a timely manner.

Here are five security advantages of using SaaS-based technology:  

1. Invested in your security

Because SaaS providers (unlike open-source vendors) are responsible for securing the application itself, they invest heavily in security technology and offer the most robust protections in the market, ensuring the latest security vulnerabilities are always addressed quickly, without you or your IT team having to be involved. With Crownpeak’s true SaaS CMS, you have peace of mind knowing that all your global websites are constantly up to date and protected.

2. Complete, end-to-end cybersecurity protection

Using open-source CMS means that your internal team has to manually protect against DDoS attacks and infrastructure vulnerabilities. The good news is that SaaS technology, like Crownpeak, offers a full stack of protection so you can sleep at night.

Crownpeak utilizes technologies and processes that meet the highest industry standards for security and regulatory compliance. The Crownpeak hybrid-headless CMS is built on Amazon Web Services (AWS), which means your company benefits from the world-class security and compliance protections provided by AWS.

We provide 360-degree protection for your infrastructure against cyber threats via our powerful SaaS cloud hosting platform, Crownpeak Delivery Powered by Webscale.

“Everyone knows that Amazon has built their reputation on their security and data protection practices, so when we learned that Crownpeak’s platform was hosted with Amazon, we knew our customers would feel at ease.” 
Sean Brasher, Sr. Director Web Technology, Healthgrades

At Crownpeak, we are also actively involved in the most current industry audits, assessments and certifications that address the top-of-mind security and privacy needs including: AICPA SOC 2 Type 2, ISAE 3000, EU-US Privacy Shield, Swiss-US Privacy Shield, Better Business Bureau, ISO27001.


“Crownpeak has exploited the AWS infrastructure and APIs to handle security, cyber threats, scalability, and fault tolerance... New cybersecurity threats are constantly emerging, but because of their domain expertise in this area we trust Crownpeak to stay ahead of them. And because the solution is fully managed, it reduces the load on our internal IT infrastructure.”
Director of Software Development, Top Financial Services Corporation

3. Pain-free security updates

One of the challenges associated with open-source CMS is that testing of new security patches falls on your team. Applying updates and patches can be complicated and expensive, and can pull the IT team away from other activities. Beyond the cost of the CMS, patching requires comprehensive testing of integrations, third-party plugins and APIs. In many cases, companies push the cost down the road and simply use software that is a few years out of date. This causes its own set of problems, as, once again, users of Drupal 7 and Drupal 8 (which are both at end of life) are finding out when they contemplate the costly and disruptive upgrade to Drupal 9.

Automatic updates allow your team to focus on higher-priority activities while all the updates and patches are maintained by Crownpeak. Because the necessary security upgrades are performed by us, you can be confident knowing that the latest versions and new features will always be automatically updated.

4. Your website doesn’t break: no disruption, no downtime

With open source, applying security patches is notorious for breaking things. At Crownpeak, our ongoing quality processes ensure that patches and updates do not break websites. Our team tests all security patches to ensure that they don’t cause problems that might impact website performance or security. In addition, we quarantine servers to monitor updates and make sure that current processes don’t break. We allow any customer to run vulnerability and penetration tests on the Crownpeak platform at any time.

5. Eliminates hidden costs while mitigating risk

Open-source CMS is deceptive: there are many hidden costs, and cybersecurity may be one of the riskiest aspects for your business. Crownpeak customers are protected by secure software development best practices, which include formal design reviews by the internal Crownpeak security team, threat modeling, risk assessments, and static code analysis, as well as recurring penetration testing by carefully selected, independent experts. No unexpected IT costs, no surprises.

“With our prior architecture, there were a lot of hidden costs. With Crownpeak DXM, beyond its lower fees, SaaS delivery also means a reduced need for CMS administrators, for IT and network security team involvement, or hardware-related costs. The savings have been really significant.”
Head of Digital, Fortune 500 Corporation

When it comes to website security, the old health adage applies: an ounce of prevention is worth a pound of cure. Open-source CMS can leave you exposed and vulnerable. A true SaaS CMS like Crownpeak is the key to your ongoing website wellness plan. 

We all know that internal IT departments have a ton on their plates, so why not leverage the many benefits of an enterprise-class SaaS-based CMS solution? 

Learn how your company can build and scale enterprise websites in record time without ever worrying about security or upgrades. Speak to an expert today.
