I can help you secure your website. Let me know if any help is needed on OWASP top 10 issues
Thanks Avinash

On Thursday, November 14, 2013 11:12:52 PM UTC+5:30, Massimo Di Pierro wrote:
> We need to cover some of those. It is more of an issue of updating the docs than the code. I think the code covers them all.
>
> On Thursday, 14 November 2013 11:03:52 UTC-6, Derek wrote:
>> Yes, security means a lot and there are always new attack vectors. The 'OWASP TOP 10' changes from year to year, but it's a good start. Web2Py is using OWASP guidelines but that's not enough if you have a developer also not following those guidelines.
>>
>> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
>>
>> The 2013 list is this:
>>
>> A1 Injection
>> A2 Broken Authentication and Session Management
>> A3 Cross-Site Scripting (XSS)
>> A4 Insecure Direct Object References
>> A5 Security Misconfiguration
>> A6 Sensitive Data Exposure
>> A7 Missing Function Level Access Control
>> A8 Cross-Site Request Forgery (CSRF)
>> A9 Using Components with Known Vulnerabilities
>> A10 Unvalidated Redirects and Forwards
>>
>> Web2py doesn't seem to account for a few of those items; their list is different.
>> http://www.web2py.com/book/default/chapter/01#Security
>>
>> And the security was reviewed over a year ago, so I believe the security status is already stale.
>> http://www.pythonsecurity.org/wiki/web2py/
>>
>> So, would I say web2py is secure? No, but I wouldn't say Django is either, but they aren't listed on the OWASP website, whereas Web2py is...
>> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=How_Are_Companies-Projects-Vendors_Using_the_OWASP_Top_10
>>
>> On Thursday, November 14, 2013 3:58:08 AM UTC-7, viniciusban wrote:
>>> Encrypting data does not make it secure, by itself.
>>>
>>> If someone has access to the cryptographic key, the encryption is worth nothing.
>>>
>>> So, about security, you don't consider only the framework, but your DB access, your server password, etc.
>>>
>>> On Wed, Nov 13, 2013 at 5:04 PM, sasogeek <saso...@yahoo.com> wrote:
>>> > A friend wants me to build a loaning system application for him. This raises a few flags considering that it deals with money and people's personal information. But I'm particularly concerned about the security of web2py... I want to be able to assure him that the system will be secure. I have no experience with security or cryptography. Can I go ahead and tell him that the system will be secure? Or are there some security measures I can take... like automatically encrypting data?