In the last few years, all of the many PHP-based CMS systems out there have had a bad time with security issues, more or less. Is SilverStripe not widely used enough for a start of these issues? Or have the makers learned from the lessons of the others and taken special measures up front? I'm just worried about using SilverStripe now and having to fight the whole thing again, because it seems to start when a system is becoming more popular. Is there a security paper or statement, especially regarding the advanced Cross-Site Scripting and SQL Injection attacks?
Security issues are not strictly inherent to the language they're based on; very large-scale services run on PHP just fine (and securely). We have had a pretty good track record of security holes so far, with the one exception that was just announced on our blog. I can understand your concern, and nobody can guarantee you that any web-accessible code is 100% secure, but we're definitely conscious about the issues. As an example, we built in CSRF protection to all of our form submissions by default.
In terms of public statements and documentation, have a look at:
http://doc.silverstripe.com/doku.php?id=secure-development
http://doc.silverstripe.com/doku.php?id=security&s=secure
http://doc.silverstripe.com/doku.php?id=security-statement&s=secure
Let us know if you've got specific questions on securing your application, or if you have advice on how we can do better in communicating our security statements or documentation!
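To illustrate what "CSRF protection on every form submission by default" means in practice, here is an added example that is not SilverStripe's own code and makes no claims about its API: a per-session token is generated once, embedded as a hidden field in every form, and checked in constant time before any form handler runs. The `$session` array is an assumption standing in for the server-side session store so the script runs from the CLI; `csrfToken`, `csrfHiddenField` and `csrfCheck` are hypothetical helper names.

```php
<?php
// Added example (not SilverStripe code): a minimal per-session CSRF token
// of the kind a framework can attach to every form submission by default.
declare(strict_types=1);

// $session stands in for the server-side session store (assumption: an array
// with the same semantics as $_SESSION, so the example runs offline).
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded so the value survives HTML and URL encoding.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// The hidden field a form template would render for every form.
function csrfHiddenField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Server-side check run before any form handler. Returns true only when the
// submission carries a string token equal (compared in constant time) to the
// token stored in the session; a missing, non-string or stale token fails.
function csrfCheck(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    if (!is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Constructed demonstration data: a legitimate submission, a submission with no
// token (a third-party page cannot read this session's token), and a stale token.
$session = [];
echo csrfHiddenField($session), PHP_EOL;

$legit  = ['Email' => 'user@example.com', 'csrf_token' => csrfToken($session)];
$noTok  = ['Email' => 'user@example.com'];
$stale  = ['Email' => 'user@example.com', 'csrf_token' => str_repeat('0', 64)];

foreach (['legitimate' => $legit, 'no token' => $noTok, 'stale token' => $stale] as $label => $post) {
    echo str_pad($label, 12), ': ', csrfCheck($session, $post) ? 'accepted' : 'rejected', PHP_EOL;
}
```

The important properties are that the token is unguessable (CSPRNG), tied to the session rather than to the form, compared with `hash_equals` rather than `==`, and that the check is applied centrally so a developer cannot forget it on an individual form; that last point is what "by default" buys you.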