We need to cover some of those. It is more of an issue of updating the docs than the code. I think the code covers them all.
On Thursday, 14 November 2013 11:03:52 UTC-6, Derek wrote:
>
> Yes, security means a lot and there are always new attack vectors. The 'OWASP TOP 10' changes from year to year, but it's a good start. Web2Py is using OWASP guidelines but that's not enough if you have a developer also not following those guidelines.
>
> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
> The 2013 list is this:
>
> A1 Injection
> A2 Broken Authentication and Session Management
> A3 Cross-Site Scripting (XSS)
> A4 Insecure Direct Object References
> A5 Security Misconfiguration
> A6 Sensitive Data Exposure
> A7 Missing Function Level Access Control
> A8 Cross-Site Request Forgery (CSRF)
> A9 Using Components with Known Vulnerabilities
> A10 Unvalidated Redirects and Forwards
>
> Web2py doesn't seem to account for a few of those items; their list is different.
> http://www.web2py.com/book/default/chapter/01#Security
>
> And the security was reviewed over a year ago, so I believe the security status is already stale.
> http://www.pythonsecurity.org/wiki/web2py/
>
> So, would I say web2py is secure? No, but I wouldn't say Django is either, but they aren't listed on the OWASP website, whereas Web2py is...
>
> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=How_Are_Companies-Projects-Vendors_Using_the_OWASP_Top_10
>
> On Thursday, November 14, 2013 3:58:08 AM UTC-7, viniciusban wrote:
>>
>> Encrypting data does not make it secure, by itself.
>>
>> If someone has access to the cryptographic key, the encryption is worth nothing.
>>
>> So, about security, you don't consider only the framework, but your DB access, your server password, etc.
>>
>> On Wed, Nov 13, 2013 at 5:04 PM, sasogeek <saso...@yahoo.com> wrote:
>> > A friend wants me to build a loaning system application for him. This raises a few flags considering that it deals with money and people's personal information. But I'm particularly concerned about the security of web2py... I want to be able to assure him that the system will be secure. I have no experience with security or cryptography. Can I go ahead and tell him that the system will be secure? Or are there some security measures I can take... Like automatically encrypting data?
>> >
>> > --
>> > Resources:
>> > - http://web2py.com
>> > - http://web2py.com/book (Documentation)
>> > - http://github.com/web2py/web2py (Source code)
>> > - https://code.google.com/p/web2py/issues/list (Report Issues)
>> > ---
>> > You received this message because you are subscribed to the Google Groups "web2py-users" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to web2py+un...@googlegroups.com.
>> > For more options, visit https://groups.google.com/groups/opt_out.
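Derek's OWASP Top 10 list above names the categories but does not show what any of them looks like in code. The following Python example is added here and is not code from the thread, from web2py or from OWASP; it uses only the standard library (sqlite3, html, urllib) with constructed sample rows, and puts the vulnerable form beside its hardened form for three of the listed items: A1 Injection, A3 Cross-Site Scripting and A10 Unvalidated Redirects. All function names (find_email_unsafe, greeting_safe, is_local_redirect and so on) and the probe inputs are the example's own.

```python
import html
import sqlite3
from urllib.parse import urlsplit

# Constructed sample rows for the demonstration (not data from the thread).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory SQLite table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_unsafe(conn, name):
    """A1 Injection: user input spliced into the SQL text, so the database
    cannot tell the attacker-controlled part from the query the developer wrote."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn, name):
    """Hardened: bind the value as a parameter so it is only ever data."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def greeting_unsafe(name):
    """A3 XSS: untrusted text placed into HTML without escaping."""
    return "<p>Hello, %s</p>" % name


def greeting_safe(name):
    """Hardened: escape <, >, & and quotes before the text enters the page."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def is_local_redirect(target):
    """A10 Unvalidated Redirects: accept only same-site absolute paths.
    Rejects any scheme (https:, javascript:), protocol-relative //host targets
    and backslashes, which some browsers treat as slashes."""
    parts = urlsplit(target)
    return (parts.scheme == "" and parts.netloc == ""
            and target.startswith("/") and not target.startswith("//")
            and "\\" not in target)


def demo():
    """Run the three checks on constructed inputs and return the results."""
    conn = make_db()
    probe = "x' OR '1'='1"  # textbook probe string, constructed for the demo
    return {
        "injection_unsafe": find_email_unsafe(conn, probe),  # every row leaks
        "injection_safe": find_email_safe(conn, probe),      # no such user
        "xss_unsafe": greeting_unsafe("<script>alert(1)</script>"),
        "xss_safe": greeting_safe("<script>alert(1)</script>"),
        "redirect_ok": is_local_redirect("/account"),
        "redirect_rejected": is_local_redirect("https://evil.example/"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point of the unsafe/safe pairs is the one Derek makes: the framework can offer parameter binding, output escaping and redirect validation, but each of them still has to be used at every call site, so a review against the OWASP list is a review of the application code, not only of web2py.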