arbel

Hello,

I'm developing an e-commerce site for a client and he needs reassurance about drupal and ubercart. Someone told him there might be security vulnerabilities and such, and I need help convincing him that open source doesn't mean insecure but the opposite: it means that it's being scrutinized even more than regular corporate websites.

Anyone have any tips or examples of high profile e-commerce sites that use drupal?

Also the credit card transaction is going to be with a company called transizla, there's a module here already.

thanks

Idan

japerry@drupal.org
Re: Client asking about security of drupal + ubercart

Drupal has a pretty dedicated group of security pros who receive, verify, fix, and report bugs in their software. Over the 3 years I've used drupal, I've not personally suffered from any exploits in the software, but I also make sure to keep my modules updated.

Ubercart has security bulletins as well, and the team does a pretty good job of releasing security updates when those bulletins are released.

So basically, tell your client that as long as you keep your system updated you should 'knock-on-wood' be protected from most vulnerabilities.

There is a good list of sites using ubercart here: http://www.ubercart.org/site

Ryan
Re: Client asking about security of drupal + ubercart

japerry's right on. I even get e-mails about potential vulnerabilities and check them ASAP. Warner Bros. Records is one high profile company using Drupal for its artist sites, and they're rolling out Ubercart stores as quick as they can.

arbel
Re: Re: Client asking about security of drupal + ubercart

Do you have any links to the Warner Bros artist websites, so I can show my client? Any key security items that are dealt with that I can let my client know about? I'm trying to reassure him and convince him that open source, and drupal/ubercart, are as secure as anything else out there.

Idan

torgosPizza
Re: Re: Re: Client asking about security of drupal + ubercart

There's also our website rifftrax.com that runs solely on Drupal now, and we sell quite a bit of stuff - nowhere near WB, I'm sure. I can't give you numbers but suffice it to say thousands of orders a day and tens of thousands of unique visitors a month. Haven't had an issue yet, knock on wood.

--
Help directly fund development: Donate via PayPal!

Ryan
I'd show him the Riff Trax

I'd show him the Riff Trax site, and http://www.avengedsevenfold.com is one of the WBR artist sites. Their main site is also on Drupal. Popular Science recently converted to Drupal, too.

mikeyparker
Anything further on this?

It's been a long time since this thread went dormant, and I've looked through the list of sites here http://www.ubercart.org/site and a few other places around the web, but am struggling to find anything reasonably high profile that's running Ubercart.

Does anyone know if this is still the case?

Cheers

Mike

torgosPizza
Re: Anything further on this?

What do you mean "reasonably high profile"? We're using Ubercart and we've had articles and interviews in Wired, Time, countless other entertainment and technology sites and papers, not to mention a good-sized article in the New York Times... http://www.nytimes.com/2007/05/06/arts/television/06newm.html

We had a nationwide theatrical show last month in 440 theaters, which is having an encore show on October 8th (probably at a theater near you)... http://www.ncm.com/Fathom/Comedy/RiffTrax_Encore.aspx

The guys that are the stars of the site also had a TV show on comedy central for about 10 years. http://www.mst3k.com

Does that count?

--
Help directly fund development: Donate via PayPal!

mikeyparker
Reasonably high profile

Thanks for the post - it's much appreciated.

We work with a UK plc and have built a number of sites for them on Drupal. One thing here though is that they're looking for a shop and want to be sure that Drupal/Ubercart is suitable for them.

To help with this it would be really good if I could find high profile defined as "household name/ recognizable brand". This is easy for Drupal as a website because you can just reel them off, "Nokia Research, MTV.co.uk, Sony BMG, Oxfam, Amnesty International ...". That list goes on for ever and makes for a very strong argument. I'm struggling to find anything of that stature selling online through Drupal.

Anybody know of anything?

Cheers Mike

zeezhao
Re: Reasonably high profile

A few thoughts here as I think the question has two parts...

1. Security:
a. If the question is related to security, since ubercart is drupal-based, some of the security questions/answers are covered by those addressed by drupal as a whole. It's mentioned in the thread above.

b. Since most sites handle payment via 3rd party processing, payment security is addressed by individual vendors e.g. WorldPay in the UK, etc. And SSL is covered by
http://drupal.org/project/securepages
[again its just a drupal module]

So personally, my advice is to discuss this with your Client - the big selling point being drupal first.

2. Example sites using Ubercart:
- My view is that many of the "household name/ recognizable brand" sites developed their shopping sites a while ago... Hence even though ubercart is a strong candidate for them to use, such businesses did not have the opportunity to look at it. So maybe in the next revamp...?
- It's probably best to also look at the "high-profile" drupal sites going by your definition, and check the modules being used to see if they use ubercart.
- Many of the sites on http://www.ubercart.org/site have good examples of various uses of ubercart. [from standard sites, to customizable products; from a few nodes, to million nodes; etc]

torgosPizza
mikeyparker wrote: Thanks
mikeyparker wrote:

Thanks for the post - it's much appreciated.

We work with a UK plc and have built a number of sites for them on Drupal. One thing here though is that they're looking for a shop and want to be sure that Drupal/Ubercart is suitable for them.

To help with this it would be really good if I could find high profile defined as "household name/ recognizable brand". This is easy for Drupal as a website because you can just reel them off, "Nokia Research, MTV.co.uk, Sony BMG, Oxfam, Amnesty International ...". That list goes on for ever and makes for a very strong argument. I'm struggling to find anything of that stature selling online through Drupal.

Anybody know of anything?

Cheers Mike

Well Ryan mentioned Warner Brothers. Surely that's a household name? (Granted, it's their "Warner Bros Records" record label that's using Drupal/Ubercart, but they are still an internationally-recognized brand, I'm willing to bet.)

Dogfish Head is fairly well known. I'm not sure if they are a "household name", but I'm sure any brewer or beer aficionado knows who they are: http://www.dogfish.com/ (They use Ubercart)

NY State Senate, a government office, uses Drupal but not Ubercart: http://www.nysenate.gov/

Popular Science (well known magazine) uses Drupal: http://popsci.com/

Also the Onion uses Drupal (but I'm not sure what they use for ecommerce): http://www.theonion.com

Unfortunately I'm not sure what other "recognizable brands" you'll get at the moment, because the penetration - as far as I know - with Drupal and top names like that is still pretty small. Drupal is only now starting to really take hold and gain recognition as a solid CMS. The more that people see it and realize how great it is, the more you'll start to see really big companies using it. I don't think it's quite gotten to that point yet but it will.

--
Help directly fund development: Donate via PayPal!

TR
Re: mikeyparker wrote: Thanks

Frankly, this client request doesn't sound like a security concern - after all, I don't see any specific questions about security being asked. Rather, it seems more like a case of "nobody ever got fired for buying IBM equipment"; they want you to provide them with protective cover in case the project fails. Which is clearly not the best way to choose a software platform. I can give you a list of a dozen world-renowned celebrities who invested with Bernie Madoff - does that make him a good choice? Sure, use a couple of the example sites in this thread as proof that a large site can be done with Drupal/Ubercart, but then move on and make the decision based on the technical merits of one solution over another, don't just be a lemming and follow the herd over the cliff.

<tr>.
torgosPizza
Re: Re: mikeyparker wrote: Thanks

Point well made, TR.

--
Help directly fund development: Donate via PayPal!

mikeyparker
Not really much help

Thanks for taking the time to reply to this thread.

As TR got - we're dealing with a UK PLC and therefore the "nobody ever got fired for IBM" was the final part of the argument I needed to close this business. As it happens we closed it anyway without that final bit of reassurance.

It is a perfectly reasonable stance, and one often taken by large corporates who'd have to explain to the stock markets why they've royally screwed up when selecting a technology or partner. So they were simply looking for that reassurance beyond the trust they have already placed in us and Drupal (http://www.orangebus.co.uk - my company's website).

And whilst TR claims it's not the best way to choose a software platform - (I'd agree) I hope I've illustrated the point that it is a part of the decision making process.

Ryan did mention warner brothers (avengedsevenfold) which doesn't actually use ubercart for the store -> http://www.bandstores.co.uk/shop/a7x/ - that's the link from their site.

Again though I appreciate everybody taking the time out to reply, and to the ubercart team for all their hard efforts in developing a great e-commerce platform.