Hello there! My name is Craig Younkins. I'm a summer intern at OWASP, the Open Web Application Security Project. This summer I'm working heavily on web security in Python.
First, I would like to praise Dr. Di Pierro and all the web2py contributors for their focus on security. Examining the OWASP Top 10 (http://www.web2py.com/examples/default/security) is a great way to start. Keep it up!

Second, I'd like to invite the web2py community over to a site I've started about security in Python - http://www.pythonsecurity.org . The site aims to be the central hub for security in Python, and right now has a focus on web security. Inside there are articles specific to software like frameworks as well as articles related to security topics like cross-site scripting. We also have a Google Group (http://groups.google.com/group/python-security/topics) which I encourage the developers to join. There you can get answers to your Python security questions. I hope you check it out!

Lastly, I'd like to encourage you to take a look at web2py's page on PythonSecurity.org - http://www.pythonsecurity.org/wiki/web2py/ . I haven't had the time yet to examine web2py in detail, but on that page there is a pretty well-defined template of questions to be answered. Going through the list there will help the developers see areas in web2py that could use improvement, as well as documenting the strengths for other frameworks to model off of.

Thanks!
Craig Younkins