Moderators: martimiz, Sean, Ed, biapar, Willr, Ingo

Silverstripe Security




2 Posts   1740 Views

freakout

Community Member, 49 Posts

1 November 2008 at 4:29am

In the last years, all of the many PHP-based CMS systems out there have had a bad time with security issues, more or less. Is SilverStripe not widely used enough for these issues to start? Or have the makers learned from the lessons of the others and taken special measures up front? I'm just worried about using SilverStripe now and having to fight the whole thing again, because it seems to start when a system is becoming more popular. Is there a security paper or statement - especially regarding the advanced Cross-Site Scripting and SQL Injection attacks?

Ingo

Forum Moderator, 801 Posts

1 November 2008 at 11:16am

Security issues are not strictly inherent to the language they're based on - very large-scale services run on PHP just fine (and securely). We had a pretty good track record of security holes so far - with the one exception that was just announced on our blog. I can understand your concern, and nobody can guarantee you that any web-accessible code is 100% secure, but we're definitely conscious of the issues. As an example, we built CSRF protection into all of our form submissions by default.

In terms of public statements and documentation, have a look at:
http://doc.silverstripe.com/doku.php?id=secure-development
http://doc.silverstripe.com/doku.php?id=security&s=secure
http://doc.silverstripe.com/doku.php?id=security-statement&s=secure

Let us know if you've got specific questions on securing your application, or if you have advice on how we can do better in communicating our security statements or documentation!