<soapbox>
It seems to me that anyone asking for precedent in their own industry is
actually interested in whether Django is considered safe from things
like the OWASP Top Ten. They're not interested enough to do the research
themselves, so they're going to take an "argument from authority" as
evidence of security. That is poor decision-making in addition to faulty
logic. By their own logic, the first big company to implement Django is
obviously being foolish, because nobody else had done it yet. In
addition, really big companies with big budgets, large IT departments,
and audited compliance with all the standards get hacked regularly.
</soapbox>
The better question to ask is what kinds of security audits Django has
passed, and what (if any) regular checks are made against target-rich
parts of the system, such as the ORM. However, in the end Django is
still just a framework. It could do everything right and a developer can
make one small oversight and allow an attacker in. I guess the real
question is whether the developer is familiar with the OWASP Top Ten and
its ilk, and competent to write pretty good code.
For what it's worth, my company deals with debit cards and electronic
payments, and we use Django. However, we're not a large company, nor a
"financial firm."
Shawn
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
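Added example, not part of the post above or of Django itself, illustrating the "one small oversight" in a target-rich part of the system that the post mentions: a developer bypasses the ORM's parameterization by formatting user input into raw SQL. Django is not assumed to be installed, so Python's built-in `sqlite3` stands in for the database; the `accounts` table, its rows, and the `Account` model named in the comments are constructed for this example. The Django calls referenced in the docstrings (`Manager.raw(sql, params)` and `QuerySet.filter()`) are real APIs; everything else is illustrative.

```python
import sqlite3

# Constructed sample data: table and rows are made up for this example.
SAMPLE_ACCOUNTS = [
    (1, "alice", "4111-1111-1111-1111"),
    (2, "bob", "5500-0000-0000-0004"),
    (3, "carol", "3400-0000-0000-009"),
]


def make_db():
    """In-memory SQLite database standing in for the Django-managed database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The oversight: the query text is assembled with string formatting, so
    the database driver never sees 'username' as a parameter.  The equivalent
    Django mistake would be (Account is a hypothetical model):
        Account.objects.raw("... WHERE username = '%s'" % username)
    """
    sql = f"SELECT id, username, card FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized form: the value travels separately from the SQL text and
    can never change the query's structure.  Django equivalents:
        Account.objects.raw("... WHERE username = %s", [username])
        Account.objects.filter(username=username)   # what the ORM does for you
    """
    sql = "SELECT id, username, card FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker input: closes the string literal and appends a tautology,
# turning the WHERE clause into  username = '' OR '1'='1'
INJECTION = "' OR '1'='1"


def demo():
    """Run both lookups with an honest value and with the injection payload.
    Returns the row counts so the difference is visible as data, not prose."""
    conn = make_db()
    honest = "alice"
    return {
        "vuln_honest": len(lookup_vulnerable(conn, honest)),
        "vuln_attack": len(lookup_vulnerable(conn, INJECTION)),  # every card row
        "safe_honest": len(lookup_safe(conn, honest)),
        "safe_attack": len(lookup_safe(conn, INJECTION)),        # nothing
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The payload dumps all three card numbers through the formatted query and matches nothing through the parameterized one; the framework is doing the right thing in both cases, the difference is entirely the developer's choice of API, which is the post's point.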