There has been some upheaval recently about the security of the DNN platform. One of the commercial entities in the DNN community saw fit to send out a communiqué about how they had discovered ‘numerous’ loopholes and how they could fix them (for a fee). Setting aside the fact that most of the claims were shown to be false, and the dubious approach to security this entity displayed (marketing a fix for unverified holes rather than reporting them to the project), I’d like to take this space to argue that DNN is in fact a very secure platform. I’ll start with an excerpt from an article I wrote that was published recently:
One of the perceived weaknesses of web applications is their level of security. Although a web application itself can be extremely complex, the interaction with the client (i.e. the browser) is fairly simple (the HTTP protocol). And because of its ubiquitous nature, web applications are a favourite target of hackers. This is without doubt the primary concern of management when web applications are introduced that give remote access to the company’s data. This is an area where DotNetNuke has a lot to offer. As an open source product, the security mechanisms are open to scrutiny from anyone. There is a very accessible ‘security team’ that consists of professionals from the software security industry. They operate a ‘security alert’ network so users can be notified instantly when security breaches are discovered. The fact that a new build can be made and rolled out within the space of a week means you have a highly adaptive framework with a solid capacity to react to security issues. For this reason we can consider the framework to be very secure. To further illustrate this point I should mention that I have seen DNN used in high security places like a police force in the US. Bring2mind have also sold DNN solutions to the DoD. These customers have very rigorous standards concerning security and they opted for DNN as their platform for development.
From: “Using DotNetNuke to Build Groupware Applications”, by P.A. Donker. SDN Magazine 97 (May 2008)
So the point here is not that DNN is 100% free of holes. There is no software on earth that can claim this (or none that I have heard of) with any degree of accuracy. What makes software safe is the ability of its makers to detect vulnerabilities and their ability to react to them. Regarding the former: having many eyes and many installations, plus an accessible security team (headed by Cathal Connolly), takes care of this. The email address firstname.lastname@example.org is continuously monitored. If you think you’ve found something, contact them there rather than publishing it. Regarding the latter: how does the DNN team make sure you are protected? By providing swift updates and by publishing a security bulletin. For the bulletin, go to:
There is something I need to mention regarding the bulletins. You’ll note that security vulnerabilities are communicated to the wider audience with some delay. This is not laziness on the part of the security team, but done with a purpose. To ensure maximum safety you don’t want to advertise where security holes can be found before a fixed build is available for people to upgrade to. This might appear to leave you ‘in the cold’, but there is no other responsible possibility here, and this goes for all software. As you’re reading this, the PC/Mac/whatever you’re working on has numerous vulnerabilities that its makers are aware of without having communicated them to you.
Rounding off, I hope we can close the book on this panic attack. DNN 04.08.03 is out and resolves a couple of security issues that remained after the dust settled; if you run an earlier version, upgrade. We keep being vigilant for any vulnerabilities in either DotNetNuke or our own modules, but we must also guard against mass panic attacks for no good reason.
For the record: I am part of the DNN core team effort as ‘team lead’ for the News module. I have privileged access to discussions that take place inside the core team. What I have written here reflects a week of heated discussions in both public and private forums.
See also this post: