Drupal is a mature open-source CMS and framework powering hundreds of thousands of sites on the web. Through peer review and a growing community of driven experts and enthusiasts, Drupal's core systems have been strengthened to mitigate common vulnerabilities. Drupal addresses the critical security risks, including the Top 10 identified by the Open Web Application Security Project (OWASP), with professionally audited methods. Drupal has proven to be a secure and strong solution for enterprise needs.
This paper provides an analysis of the current state of Drupal security. Decision makers evaluating Drupal for use as a content management system or framework solution are encouraged to use this document in their decision process. The analysis includes historical vulnerability data with respect to mitigation techniques, common and critical security risks, and the community-driven procedures unique to Drupal.