Re: [web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2016-02-24 Thread Jason Solack
Any updates on this? I am in the process of finding a supplier to pen test, wondering if I should be prepared for anything. On Friday, October 9, 2015 at 11:26:55 AM UTC-4, Michael M wrote: > > My company has to have an outside firm Pen test all Web-Service > applications. So I am spinning up

Re: [web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2015-10-09 Thread Michael M
My company has to have an outside firm Pen test all Web-Service applications. So I am spinning up two internal services and both are going to be tested around November before they go into Prod from Non-Prod. I'm starting talks with the InfoSec team to see if I can share the findings of the

Re: [web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2015-10-08 Thread António Ramos
Niphlod, I don't see where you are pointing on https://www.qualys.com/ where is the web2py app that survived the security scan ? thank you 2015-10-05 11:25 GMT+01:00 Niphlod : > here in ***undisclosed company web2py survives a > https://www.qualys.com/ security scan with

Re: [web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2015-10-08 Thread Niphlod
not really. I built some apps on web2py that are live and in production, and since EVERY app in my environment NEEDS to pass a Qualys scan to be live and production ready, I know that MY apps survive a Qualys scan with flying colors. Point being "ATM web2py does not expose any obvious/hidden

Re: [web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2015-10-08 Thread Richard Vézina
:) Nice to hear that! Richard On Thu, Oct 8, 2015 at 2:59 PM, Niphlod wrote: > not really. > I built some apps on web2py that are live and in production, and since > EVERY app in my environment NEEDS to pass a Qualys scan to be live and > production ready, I know that MY

Re: [web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2015-10-08 Thread Richard Vézina
@Antonio I think Simone just pointed to the tool that can be used for such a purpose... You can use it over your App. From my understanding the App tested is Ian's App... Richard On Thu, Oct 8, 2015 at 1:19 PM, António Ramos wrote: > Niphlod, > i dont see where you are

Re: [web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2015-10-05 Thread Niphlod
well, IMHO it really shouldn't matter. Yes, web2py, as any other mature framework, does its best to comply with security best practices. As soon as they're found, they're addressed and fixed. If you iterate long enough, you can be pretty sure that your foundations are solid ground. That being

Re: [web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2015-10-05 Thread Ian Ryder
Just to add my perception slightly from the outside - and I'm an A1 web2py fan for life now, I've spent the last year inside it and not a lot else! But would probably take the framework up a few levels if there was a really good set of responses to this. Our app should hopefully start providing

[web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2015-10-05 Thread Ian Ryder
Thanks, just running some of their tools against our app - all good so far, if there's anything of interest I'll let you know (possibly off forum first :)) On Monday, 5 October 2015 12:25:20 UTC+2, Niphlod wrote: > > here in ***undisclosed company web2py survives a >

[web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2015-10-05 Thread Niphlod
here in ***undisclosed company web2py survives a https://www.qualys.com/ security scan with no reports whatsoever. On Sunday, October 4, 2015 at 2:47:44 PM UTC+2, Ian Ryder wrote: > > Hi, just looking back over anything about penetration testing and web2py - > does anyone know of any recent

Re: [web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2015-10-05 Thread Michele Comitini
+1 it would be nice to have a blog for this type of news... 2015-10-05 15:27 GMT+02:00 Ian Ryder : > Thanks, just running some of their tools against our app - all good so > far, if there's anything of interest I'll let you know (possibly off forum > first :)) > > > On

[web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2015-10-04 Thread Ian Ryder
Hi, just looking back over anything about penetration testing and web2py - does anyone know of any recent (or any at all) testing of web2py? We're getting close to our first customers on an app we've been developing the last year so really need to try and pick it to pieces now while we have a

[web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2012-07-10 Thread Dave
Well I can't say that I have tested the current trunk version, but last December I ran a pretty exhaustive penetration test against a site developed with web2py. The results were very good. No findings above low. The low findings were insignificant. I ran Cenzic Hailstorm, Qualys and one

[web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2012-07-10 Thread Massimo Di Pierro
Thank you Dave for the feedback. It would be nice to have the results of those tests (Cenzic, Hailstorm, Qualys) published somewhere. Once in a while people ask about this. Massimo On Tuesday, 10 July 2012 11:28:39 UTC-5, Dave wrote: Well I can't say that I have tested the current

[web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2012-07-09 Thread Massimo Di Pierro
No but I am willing to pay to get it done. On Monday, 9 July 2012 10:48:39 UTC-5, scausten wrote: One of the awesome things about web2py is of course the built-in and well-documented resilience against a range of attack methods, but I was wondering if anyone has attempted a methodical

Re: [web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2012-07-09 Thread Jason Brower
I know a few of these guys, and they really seem to know their stuff. Let's see if they take the bait. :) They know python and webservices very well. BR, Jason Brower On 07/10/2012 01:24 AM, Massimo Di Pierro wrote: No but I am willing to pay to get it done. On Monday, 9 July 2012 10:48:39