My answer to this is:

1. Protecting yourself from your users:
Zope's fine-grained access control means that you can set up access restrictions that do exactly what you want and let users do what they need, and prevent them from doing what they should not.
Obviously you can also make everybody do everything, so how secure a piece of software is in this sense is not a measure of how secure your installation is, but of how secure it CAN be.

In this sense Zope is VERY secure.

2. Protecting yourself from packet snooping:
Zope doesn't have any encryption built-in; SSL, for example, needs external software to implement.

In this sense Zope can be MADE secure with some work, but is not secure at all out of the box.

3. Protecting yourself against forceful entry:
To my knowledge, nobody has cracked open a reasonably correctly configured Zope server yet. If this is because nobody has tried or nobody has succeeded, I wouldn't know. Security by obscurity does not help against the determined hacker, but it helps against script kids, and they are a more common problem.

Zope is probably secure in this sense.

4. Protecting yourself against data loss:
The ZODB is very resilient against crashes and data loss. Making a simple backup each day is plenty.

Zope is VERY secure in this sense.

5. Protecting yourself against denial of service:
Zope does not seem to crash if you send random data to it, and I have seen in logs attempts to overflow buffers and the like that obviously are attempts to crash or break into other (MS) servers, without this affecting Zope at all. If you don't trust Zope in this, you can put Apache in front of it.

In this sense Zope is again VERY secure.

So all in all, Zope is a pretty good choice from this standpoint. I wouldn't use it without external SSL stuff if I were a bank, but otherwise I'm perfectly confident in the stability and security of Zope.
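Points 2 and 5 above both come down to putting external software in front of Zope. The following is an added illustration of that setup, not part of the original post: Apache terminates TLS and proxies to a Zope instance bound to the loopback interface. The hostname, certificate paths and port are assumed placeholders, and the rewrite assumes a Zope version that ships the VirtualHostMonster so that generated URLs use the public https:// address.

```apache
# Added example (not from the original post). Requires mod_ssl,
# mod_rewrite, mod_proxy and mod_proxy_http. zope.example.org, the
# certificate paths and port 8080 are assumed placeholders.
<VirtualHost *:80>
    ServerName zope.example.org
    # Send plain HTTP to HTTPS so credentials never travel in the clear
    # (addresses point 2, packet snooping).
    Redirect permanent / https://zope.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName zope.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/zope.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/zope.example.org.key

    # Zope listens only on 127.0.0.1:8080; Apache is the single process
    # exposed to the network and absorbs malformed requests first
    # (addresses point 5, denial of service).
    RewriteEngine On
    # The VirtualHostBase/.../VirtualHostRoot path tells Zope's
    # VirtualHostMonster to build https://zope.example.org/ URLs
    # instead of http://127.0.0.1:8080/ ones.
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [P,L]
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Zope's own HTTP port must still be firewalled or bound to the loopback address, otherwise the TLS layer can simply be bypassed.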

Zope-Dev maillist - [EMAIL PROTECTED]