<div dir="ltr">I agree with your assessment of the misconceptions:<br><br>If you search their database you will see that most of the vulnerabilities they are pointing to are for contributed modules. That said, this is the explanation we received. There seems to be no room to argue in this case due to deadlines for the project.<br>
<br>The Database:<br><a href="http://nvd.nist.gov/">http://nvd.nist.gov/</a><br><br>For future projects we could definitely argue to have these misconceptions clarified in the government's eyes.<br><br>Thanks<br>Jon<br><br>
<br><div class="gmail_quote">On Tue, Sep 30, 2008 at 9:24 AM, <span dir="ltr"><<a href="mailto:matt@mattfarina.com" target="_blank">matt@mattfarina.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Jon,<br>
<br>
Thanks for your interest in this. I'm interested in this as well.<br>
<br>
Some of their concerns seem to be over some misconceptions that it might help to clear up.<br>
<br>
Someone correct me if I'm wrong, but Drupal 4.0 was 10 major releases ago. 100+ advisories over 10 major releases isn't as many as it would be over the 3 that the numbering might suggest. Before Drupal 5 the major releases were point releases and not full number releases. On top of that, the security advisories cover contributed modules and have included other libraries used by Drupal modules, such as getID3.<br>
<br>
The security team handles things in a tight way. When something is reported it's not opened up to the world. If the issue is valid it's handled behind closed doors until a fix and advisory is sent out. Those advisories come out on Wednesdays so they can immediately be acted on.<br>
<br>
I would be very curious as to what it would take to get certification, as well as their concerns.<br>
<br>
Matt<div><div></div><div><br>
<br>
Quoting Jon Saints <<a href="mailto:saintsjd@gmail.com" target="_blank">saintsjd@gmail.com</a>>:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On a recent project for the US government, half way through the development<br>
process, our work was stopped by a government security review which said<br>
that Drupal (and open source software in general) is not suitable for use in<br>
government projects that house personal information due to security<br>
concerns.<br>
<br>
Because our project had been approved by higher ups within the department,<br>
we were paid for our work up to that point and asked to stop. Now, it's up<br>
to the tax payers to foot a much larger bill for other developers to<br>
implement a proprietary and more "secure" (or secretive) solution.<br>
<br>
The "transparency" of the Drupal project was one of the government's big<br>
objections. In their eyes, disclosing and fixing security holes in a timely<br>
manner, is not the same thing as security. They pointed out the 100+<br>
security disclosures since drupal 4.0 as a reason that the system could not<br>
be used. We noted that all these disclosures were quickly addressed, but<br>
that did not seem to matter.<br>
<br>
I notice other governments around the world are using Drupal with great<br>
success and savings to citizens:<br>
<a href="http://buytaert.net/new-zealand-government-using-drupal" target="_blank">http://buytaert.net/new-zealand-government-using-drupal</a><br>
<br>
The standards we would need to meet with drupal are:<br>
<a href="http://csrc.nist.gov/groups/SMA/fisma/index.html" target="_blank">http://csrc.nist.gov/groups/SMA/fisma/index.html</a><br>
<br>
My questions are the following:<br>
- Have any other developers run into this certification problem before?<br>
- Is anyone in the drupal community currently working to get Drupal<br>
certified for use in US Government projects?<br>
- Does anyone know exactly what certification would require from a<br>
development standpoint?<br>
<br>
If there is interest in investigating this type of certification further,<br>
let me know. NIST, the department that certifies software, is just down the<br>
road from me. I could go investigate further.<br>
<br>
Thanks<br>
Jon<br>
<br>
</blockquote>
<br>
<br>
</div></div></blockquote></div><br></div>