The link above is a link to Secunia, which tracks security issues for many products.
Interpreting the data is definitely subjective, for the following reasons:
- If an application is constantly being tested and reviewed for security issues, problems will be found more quickly.
- Applications with reports of many issues may simply be tested better than others.
- Applications which are very popular will also have a greater presence, as this implies greater testing.
- Development teams that are very concientious and report issues frequently will cause a greater quantity of reports than more reserved teams.
- Development teams that refrain from reporting security issues may consider that a valid approach, by reducing the information available for malicious users.
- Some applications have fundamental issues that make them more vulnerable than others.
After reviewing the reports for an application, there are several courses of action.
- Check if the application has been compromised on your server. Immediately apply any recommended upgrades or patches.
- Review the application documentation and the site/forum for additional tips on securing the application.
- Review any appropriate server security practices.
- Determine the value of any data or content involved, with an eye toward the cost of replacement or porting to a different application. Be sure to include the cost of training, learning curve (both for users and developers), administration issues, etc.
- Consider a web application firewall such as mod_security (http://modsecurity.org).
- If you have sensitive data or ecommerce, consider a hosted solution.
An application that can power multiple sites can greatly reduce maintenance.