Yes, security means a lot and there are always new attack vectors. The 'OWASP TOP 10' changes from year to year, but it's a good start. Web2Py is using OWASP guidelines but that's not enough if you have a developer also not following those guidelines.
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

The 2013 list is this:

- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Components with Known Vulnerabilities
- A10 Unvalidated Redirects and Forwards

Web2py doesn't seem to account for a few of those items; their list is different. http://www.web2py.com/book/default/chapter/01#Security

And the security was reviewed over a year ago, so I believe the security status is already stale. http://www.pythonsecurity.org/wiki/web2py/

So, would I say web2py is secure? No, but I wouldn't say Django is either, but they aren't listed on the OWASP website, whereas Web2py is... https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=How_Are_Companies-Projects-Vendors_Using_the_OWASP_Top_10

On Thursday, November 14, 2013 3:58:08 AM UTC-7, viniciusban wrote:

> Encrypting data does not make it secure, by itself.
>
> If someone has access to the cryptographic key, the encryption is worth nothing.
>
> So, about security, you don't consider only the framework. But your DB access, your server password, etc.
>
> On Wed, Nov 13, 2013 at 5:04 PM, sasogeek <saso...@yahoo.com> wrote:
>
>> A friend wants me to build a loaning system application for him. This raises a few flags considering that it deals with money and people's personal information. But I'm particularly concerned about the security of web2py... I want to be able to assure him that the system will be secure. I have no experience with security or cryptography. Can I go ahead and tell him that the system will be secure? Or are there some security measures I can take... Like automatically encrypting data?
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
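The point viniciusban makes in the quoted reply, that encrypting a column protects nothing if the key is reachable from wherever the data is stored, can be shown concretely. The following is an added example for this thread, not code from web2py or from anyone in the discussion. It assumes a Python application that keeps one master key outside the database (here read from an environment variable with the assumed name `LOAN_APP_MASTER_KEY`) and encrypts only the sensitive column of a loan-application row; the row layout, function names and sample values are constructed for illustration. The cipher is a stdlib-only HMAC-SHA256 counter-mode construction with an authentication tag, chosen so the example runs offline; a real application would use a vetted AEAD such as AES-GCM from the `cryptography` package instead.

```python
"""Field-level encryption whose key lives outside the database.
Added example for this thread; not web2py code. The record layout,
function names and sample values below are constructed for illustration."""
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16   # random per-record nonce, stored with the ciphertext
TAG_LEN = 32     # HMAC-SHA256 authentication tag


def load_master_key() -> bytes:
    # The key is read from the application's environment, never from the DB,
    # so a database dump alone does not contain what is needed to decrypt.
    hex_key = os.environ.get("LOAN_APP_MASTER_KEY")  # assumed variable name
    if hex_key is None:
        raise RuntimeError("LOAN_APP_MASTER_KEY is not set")
    return bytes.fromhex(hex_key)


def _subkey(master: bytes, label: bytes) -> bytes:
    # Separate encryption and authentication keys derived from one master key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256, used here so the example runs
    # with the standard library only; a real application should use a vetted
    # AEAD such as AES-GCM (e.g. via the `cryptography` package).
    blocks, counter = [], 0
    while counter * hashlib.sha256().digest_size < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_field(master_key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in
                       zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_field(master_key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Check the tag before decrypting: a wrong key or a modified row is rejected.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in
                 zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


# --- constructed sample: one loan-application row with one sensitive column ---
def store_application(master_key: bytes, applicant: str, national_id: str) -> dict:
    # Only the sensitive column is encrypted; this dict stands in for a DB row.
    return {"applicant": applicant,
            "national_id_enc": encrypt_field(master_key, national_id.encode())}


def dump_reveals(row: dict, secret: str) -> bool:
    # What someone holding only a database dump can see: is the secret in it?
    return secret.encode() in row["national_id_enc"]


def read_national_id(master_key: bytes, row: dict) -> str:
    # With the key (from the app environment) the value is recoverable.
    return decrypt_field(master_key, row["national_id_enc"]).decode()


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed; would come from load_master_key()
    row = store_application(key, "A. Friend", "ID-12345678")
    print("dump reveals national id:", dump_reveals(row, "ID-12345678"))
    print("decrypted with the key:", read_national_id(key, row))
```

The separation is the whole point: a copy of the table yields only nonce, ciphertext and tag, while anyone who can read the application's environment (server shell access, a leaked config, a backup that includes it) can decrypt every row. The tag check also means a row altered in the database, or decrypted with the wrong key, fails loudly instead of returning garbage.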