On 6/3/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> I'm curious about the state of Pylons security, especially since
> AuthKit is not ready for production yet.

Who says AuthKit is not ready for production? Did its author disrecommend it? I took a quick glance at the manual and it says: "AuthKit has not been audited by a security expert, please use with caution at your own risk (or better yet, report security holes)." But the same goes for a lot of reasonably safe Python software. Of course it would be good to hire a security specialist to audit Pylons and its commonly-used dependencies -- are you offering to do this and file bug reports?

> Does pylons have the means to keep the bad guys out? I'm interested
> in using it for an e-commerce app, and you anyone can the security
> requirements any e-commerce app would need.

This is a very broad question and it sounds a bit demanding and condescending. There are many kinds of e-commerce apps that do different things. What kind of site are we talking about? Something that does its own credit-card transactions? It would be easier to discuss certain vulnerabilities and how well Pylons handles them, than "Is Pylons adequate for e-commerce [whatever kind of e-commerce I'm thinking of in my head]?"

> Does anyone have any input
> or experience with these types of security requirements for Pylons?

Now that's a more practical question. As far as I know all the Pylons core developers make their living building commercial web sites, have done so for several years, and seem pretty well informed about the exploits in the industry and how to guard against them. Pylons has a lot going for it because the nature of Python limits certain classes of attacks (few large-scale buffer overflows compared to C apps, no widely-used insecure applications with well-known URLs, no wide-open security holes or inappropriate use of global variables in the web frameworks compared to the earlier versions of PHP, etc.), and because we've built up a collective knowledge of things to watch out for through our experience with previous Python web frameworks over the past seven years or longer.
Whether any of the developers have had specific security training, or experience with a site that does real-time credit card transactions, I don't know. I've worked on sites that do real-time transactions but not as the main developer. But the basic security needs of a site are more general than that: is sensitive information encrypted, do you remember to analyze and HTML-escape user input before displaying it back to them, are you an attentive sysadmin who checks logs and looks for suspicious activity? Much of that is not something Pylons can directly control; it's how you use the tools that matters. Mako, Genshi, and Kid all have a feature to escape data values across the board except those you specifically mark as safe.

As for AuthKit, I haven't used it, but it sounds small enough that you can audit it yourself, at least from the journeyman programmer's perspective. The main vulnerabilities derive from the type of authentication chosen: plaintext password file, encrypted password file, SQL database, LDAP, etc. Each of these implies certain vulnerabilities that really overshadow how well AuthKit manages them. Meaning, AuthKit probably does a reasonably good job, but the factors outside its control are the ones most likely to bite you, and these should be looked at no matter whether you use AuthKit or some other library.

--
Mike Orr <[EMAIL PROTECTED]>
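The "escape everything except what you explicitly mark as safe" pattern that the reply attributes to Mako, Genshi and Kid, as an added illustration. This is not code from the thread, from Mike Orr, or from any of those template engines; it uses only the Python standard library, and the `Safe` marker class, the `render_value`/`render_comment` helpers and the attacker-style input are all constructed for the example.

```python
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class Safe:
    """Hypothetical marker: the developer vouches that `value` is already safe HTML.

    Stands in for a template engine's "mark as safe" feature; anything not
    wrapped in Safe is treated as untrusted text.
    """
    value: str


def render_value(value) -> str:
    """Escape-by-default: HTML-escape every value unless it is wrapped in Safe.

    quote=True also escapes " and ' so the result is safe inside attribute
    values, not only in element bodies.
    """
    if isinstance(value, Safe):
        return value.value
    return html.escape(str(value), quote=True)


def render_comment_unsafe(author, body) -> str:
    """The bug the reply warns about: user input concatenated straight into HTML."""
    return "<p><b>%s</b>: %s</p>" % (author, body)


def render_comment(author, body) -> str:
    """Same markup, but every interpolated value passes through render_value."""
    return "<p><b>%s</b>: %s</p>" % (render_value(author), render_value(body))


def render_link(url, label) -> str:
    """Attribute context: the escaped value cannot break out of the quoted href."""
    return '<a href="%s">%s</a>' % (render_value(url), render_value(label))


if __name__ == "__main__":
    # Constructed attacker input, as it would arrive from a form field.
    attack = "<script>alert(document.cookie)</script>"
    print(render_comment_unsafe(attack, "hi"))   # script tag reaches the browser
    print(render_comment(attack, "hi"))          # script tag rendered as text
    print(render_comment("admin", Safe("<em>pinned</em>")))  # explicitly trusted markup
    print(render_link('" onmouseover="alert(1)', "home"))
```

The unsafe and safe renderers are kept side by side so the difference is visible: with escape-by-default, the only way for raw markup to reach the page is an explicit `Safe(...)`, which is the one place a reviewer has to audit.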
