I’m going to focus here on the nonprofit sector, and options that are most common among nonprofits.

On the proprietary side, there are a number of options, and they fall into three categories:

1. Single-source proprietary custom CMS (from one web shop, or web host)
2. Proprietary CMS as part of a large package (such as from Convio or Blackbaud)
3. Proprietary stand-alone CMS (such as Sharepoint.)

You already know what I think about option 1, so I won’t belabor it here. Many people have found that option 2, using a large package, which includes donation pages, event management, etc. can be a really good option, and I certainly don’t want to say that this is not a good idea – I think it can be – but it also can be quite costly – and for many organizations, it’s overkill. And there are open source options that can do much of the same work for much less money.

There are not a lot of stand-alone proprietary CMS systems in nonprofits these days. Microsoft Sharepoint might be the most common I’ve heard of. Ektron is another one that I’ve heard folks talk about, as well as ExpressionEngine. The advantage of using Sharepoint for Microsoft-centric shops is that there is full integration with lots of internal network resources.

The open source options are many, but the big four: WordPress, Drupal, Joomla, and Plone, stand out from the pack. As you know, I am pretty loyal to Drupal (and secondarily, WordPress) but I have to say that Joomla and Plone are solid, wonderful projects, with great communities, and active development, and will serve you well. Check out Idealware’s newish comparison of the four – it can help you figure out what’s best based on your needs.

Other open source options that I think are worth looking at include: Alfresco, which is heavy on the document management functionality and DotNetNuke, which is based on .NET, and somewhat popular among Windows users. Two up and comers I am very interested in following include Radiant and Refinery, both based on Ruby on Rails. There is also Django-CMS, written on top of the django framework (a python framework.)

If you’re really interested in open source CMS options, and looking not for data on features, but for data on popularity, marketing, community and such (a good idea if you are, for instance, a shop deciding what CMS systems to develop with and support) check out this report from Water and Stone (a digital marketing agency.)

I think on the whole, though, the number and richness of options on the open source side is quite a bit better than that on the proprietary side, and until I get an answer to this question, I can only guess that open source options have won over proprietary ones in the nonprofit sector.

The thing that is prompting this post is the little storm about the security metric that we used to try and get a handle on the security of the 4 different systems we reviewed. More on that in a bit.

You might think that comparing four different open source packages that, in essence, do pretty the same thing (in a broad sense) would be a cakc walk. In fact, nothing could be farther from the truth. The developers of each project have completely different sets of assumptions about what the right way to do things is, and completely different philosophies and ethos when it comes to building interfaces and functionality. Making apples-to-apples comparisons of these systems was one of the most difficult analytical tasks I’ve taken on in a while (and, actually much of the heavy lifting of designing the analysis was done by Laura Quinn), and until you attempt such a thing, please be somewhat tempered in your complaints about it.

Now the security issue. One of the 12 different aspects we are comparing is “Scalability and security”. The report isn’t about security, it’s a very, very broad comparison of the systems, with security as a very small component. That’s just the context. Two (yes, just two) questions out of many relate to security.  First, a simple metric relating to security reports, and second, what processes are in place in the communities to deal with security. This wasn’t designed to be an in-dept, complex analysis of security. If it had been, we would have done a lot more work on how to measure security. On the Four Kitchens blog, they say, “While both reports above seem to identify Drupal (and Joomla! and WordPress, to be fair) as having notably bad [emphasis mine] security, they’re also both based on one superficial metric: self-reported vulnerabilities.” Now I can’t speak about the IBM report (I haven’t even read it yet), but our report says no such thing. Drupal gets a “Solid” on Scalability and security. Solid, which is only one step below Excellent. And you know why it got a “Solid”? Because, indeed, it does have more reported security vulnerabilities than Plone (as do Joomla and WordPress.)

David Geilhufe, who also takes issue with the security metric, has some good points. Yes, sheer numbers of vulnerabilities are not anywhere near the best metric of whether or not a system is secure or not. As a quick comparative look between a small number of open source systems, it’s hard to argue that it contributes no information. Four Kitchens seems to suggest that part of the reason for more vulnerabilities in Drupal compared to Plone is that it’s more popular. But, if you’ve been an observer to the Linux/Windows FUD wars, you’ll remember that Microsoft has that exact same argument about why there are more security vulnerabilities in Windows as compared to Linux. And the Linux folks say, in response, “It’s not popularity, it’s design.” I’m sure  that Four Kitchens, and most open source software developers agree with that perspective. In reviewing Plone, and talking with people who develop for Plone, I was convinced that the reason that Plone had fewer reported vulnerabilities was not just because it was less popular – it’s because it (and Python and Zope) was more secure by design.

I am completely happy with Drupal’s security (otherwise, it wouldn’t have gotten a “Solid.”) I think the Drupal community takes security extremely seriously, and if they didn’t, I wouldn’t have chosen it as a platform for development. I also think that the Joomla and WordPress communities take security seriously. In our estimation, they were all really good. But Plone was just that much better.

(from Plone/SF Integration group)

There’s a good overview of the integration on the developerforce wiki. There are 5 components to the integration:

• a couple of toolkits that provide the basic back-and-forth between Plone and Salesforce.com (they talk to Python and Zope)
• an auth plug-in that allows for Salesforce.com objects to be Plone users, credential checking, caching of user data, and syncing of data from Salesforce.com and Plone
• an integration of PloneFormGen with Salesforce.com for web-to-lead forms, etc.
• an event management product that connects with Salesforce.com
• A PayPal integration product

This is a pretty robust set of channels for data to move back and forth from Salesforce.com to Plone. There is a Plone/Salesforce.com Integration group, that keeps working on this, and a number of organization, including ONE/Northwest, have invested huge amounts of time and resources to working on this integration.

This is, for sure, one of the most robust open source CMS to CRM integrations out there, and one that seems to be getting pretty close to providing very powerful integration “out-of-the-box” – instead of having to piece things together and do customized code, which is more common than not.

I haven’t gotten my hands on this to try (not being a Plone person, I doubt I will), but folks might want to talk in comments about how straightforward the integration is, given differences in data for different instances of Salesforce.com. I don’t know how much code tweaking is required to really get this going. But in any event, it’s great that it exists, and it’s a great benchmark for CMS/CRM integration.