Website Security: Open Source v. SaaS

How to choose a secure CMS platform.

Which is more secure? Drupal or Wix? Squarespace or Wordpress? Open source platforms allow anyone to access the source code of the platform, the good and the bad. New vulnerabilities are quickly taken advantage of, but they’re also quickly discovered and fixed by engaged members of the development community in addition to the platform’s core team.

SaaS platforms, or proprietary platforms, keep access to their code closed off. When security vulnerabilities are discovered, they can only be fixed by the platform’s core team.

So, which is more secure? Open source or closed source?

Open Source Website Security

If you look at the numbers objectively, it appears as though open source platforms are more vulnerable. According to Sucuri’s 2018 Hacked Website Report, the three most infected platforms were Wordpress, Magento, and Joomla! - all open source.

However, Sucuri does mention in their report that the popularity of these platforms plays a significant role in their data. According to Builtwith, Wordpress accounts for about 50% of the internet worldwide. Similarly, Magento and Joomla! (both of which reported infected website percentages of less than 5% compared to Wordpress’s 90%) are both among the most popularly used platforms.

Open source websites (especially Wordpress) have a significant vulnerability: the responsibility of the website owner. According to the same Sucuri report, the main causes of hacked websites were site owners not updating their websites, neglecting extensions, or not being aware of baseline website security practices.

Unlike proprietary websites, which own the security of their own platform and update beneath you, open source platforms require constant and deliberate updates on the part of the owner. This includes:

  • Deploying new system patches
  • Updating extensions, plugins, and API’s
  • Migrating off of unsupported platform versions
  • Site permissions and administrator management

As secure as the platform technology itself is, if the administrator doesn't provide the proper maintenance it can become vulnerable very quickly.

Which Open Source Platforms Are Most Secure?

Both open source and SaaS platforms are supported by a core team of developers. The core team is responsible for supporting the platform by releasing patches that keep the platform optimized and update any exposed security vulnerabilities. If a platform’s core team is regularly releasing patches, it’s a good indicator of the strength of the website’s security.

Open source platforms that are supported by a large, active, development community are generally more secure. By allowing everyone to access the code, the number of developers working on a vulnerability will be much wider than a proprietary platform. Here are a few open source CMS platforms supported by large development communities:

  • Drupal
  • Joomla!
  • Wordpress

SaaS Website Security

SaaS platforms manage their own security with platform updates. These happen underneath you regularly, and if you’re using a SaaS platform right now it’s likely that you’ve never noticed them. Because SaaS platforms manage their own security updates, which can include system patches, hosting, and extension updates, the responsibility for maintaining security rests with their team - not yours. While this means less conscious monitoring, for some websites the lack of control can be a detriment.

Generally, SaaS platforms don’t know the specifics of your website. They need to be able to blindly apply system upgrades and update components without potentially breaking your site. That means they need to know exactly what components are installed and in use, so they control the core and most extensions. You might only get to adapt your website via API or their tools. This is why they have much more limited ability to integrate and customize.

Which SaaS Platforms are Most Secure?

Generally, the overall security of a SaaS platform can be judged based on its history and the dedication of its core team. Here are a few SaaS platforms supported by a dedicated core team of developers:

  • Squarespace
  • AEM
  • Wix

Building a More Secure Website

Website security is a major risk area for most companies. You are liable for the site you manage, it impacts SEO, your user’s experience, and the overall performance of your website. No one wants to be vulnerable, and the best way to protect your website is to keep it up-to-date, and to build with reliable tools.