I do not know the answer to those questions. I can only say that at least you should test the features we claim (SQL injection protection, XSS protection, cross-site request forgery protection, and the auth mechanism). The rest really depends on the tools and time you have available. Perhaps other users have more to say. I appreciate your interest in this.
Massimo

On May 24, 10:19 pm, GoldenTiger <[email protected]> wrote:
> Great!! Really, I've already planned doing it because I have personal projects that I decided doing with web2py, instead of Django.
> So for my part I feel better being grateful with you by all knowledge; by now I got a good paid job by urgent webs, and web2py does it easy and funny.
>
> My friend's company is a group of 12 hackers about 30 years old, who really enjoy with this. I think their strengths are remote testing of Linux servers and web applications; the company is in Madrid (Spain), but generally they spend most of their time auditing systems in other sites of Europe.
>
> I'll talk with them soon, and I say you:
> you could for example prepare a dedicated server with web2py and probing different server, OS, DB, or apps.
> You go coding and you want to test. You should say the level at which you want web2py to be tested: net level? bruteforce allowed? local access? transport level? application? If you use Ubuntu, you could want testing web2py at Ubuntu, or web2py at Ubuntu and cherry, and decide if you are included or not in that.
>
> The other way I know of testing an app is understanding how components are connected, and understanding the consistency of the logic. Really this is my preferred one ^^ It's not necessary to hack, just imagine.
>
> On 22 May, 16:31, mdipierro <[email protected]> wrote:
> > > I am very much interested in this. We may even find a couple of $100 to pay for some security testing of web2py. Let me know what we need to do.
> > >
> > > Massimo
> > >
> > > On May 22, 8:53 am, GoldenTiger <[email protected]> wrote:
> > > > Well, I have been working for years as security auditor and ethical hacking. Last years I decided focusing at more creative works and I started personal projects.
> > > > I can do tests against web2py, no problem, but first I want to understand the framework as well as possible.
> > > > A friend of mine who audits banks' web and networks is interested in Python frameworks as I said him, so they could be a good help.
> > > > In my opinion, the most important thing in secure software is the design and the logic (Microsoft declared some Windows design flaws as a not possible solution).
> > > > Since web2py was designed 100% before implementation, I can say that web2py is probably one of the most consistent frameworks today.
> > > > :D

