[development] Certify Drupal for use in Government (US) Projects
kb at 2bits.com
Tue Sep 30 15:32:05 UTC 2008
On Tue, Sep 30, 2008 at 11:14 AM, Jon Saints <saintsjd at gmail.com> wrote:
> On a recent project for the US government, halfway through the development
> process, our work was stopped by a government security review which said
> that Drupal (and open source software in general) is not suitable for use in
> government projects that house personal information due to security
Apart from the "100+ since 4.0" mentioned below, what else did they
If there is a report that they issued, you can share it with the security
team for a review.
Email it to security at drupal.org.
> Because our project had been approved by higher ups within the department,
> we were paid for our work up to that point and asked to stop. Now, it's up
> to the taxpayers to foot a much larger bill for other developers to
> implement a proprietary and more "secure" (or secretive) solution.
> The "transparency" of the Drupal project was one of the government's big
> objections. In their eyes, disclosing and fixing security holes in a timely
> manner, is not the same thing as security. They pointed out the 100+
> security disclosures since Drupal 4.0 as a reason that the system could not
> be used. We noted that all these disclosures were quickly addressed, but
> that did not seem to matter.
> I notice other governments around the world are using Drupal with great
> success and savings to citizens:
> The standards we would need to meet with Drupal are:
> My questions are the following:
> - Have any other developers run into this certification problem before?
> - Is anyone in the Drupal community currently working to get Drupal
> certified for use in US Government projects?
> - Does anyone know exactly what certification would require from a
> development standpoint?
> If there is interest in investigating this type of certification further,
> let me know. NIST, the department that certifies software, is just down the
> road from me. I could go investigate further.
Khalid M. Baheyeldin
Drupal optimization, development, customization and consulting.