Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

General Questions /

General questions about getting started with SilverStripe that don't fit in any of the categories above.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

How secure is SilverStripe?


Reply


4 Posts   1322 Views

Avatar
dizzystuff

Community Member, 93 Posts

14 December 2010 at 6:47pm

Hey All

I've got a new day job and I'll be overseeing a rewrite and expansion of the existing web infrastructure for the business. I'm keenly showcasing SS as the right tool for this job, one of the final objections/questions I've got is how secure is SilverStripe/sapphire core.

With all standard disclaimers of code/server being as secure as the dev/admin who sets it all up, is there a solid review of security in SilverStripe/Sapphire that I can head towards? A third party review even better?

It's great to show the consistent comments from the core dev team all around the web on various blogs and corresponding security and point releases.

Can you point me towards a good solid review of SS in/security and/or provide me with a quick list of points to assist me in winning over this discussion and the boss man himself?

Thanks in advance guys
dizzy

Avatar
Willr

Forum Moderator, 5513 Posts

15 December 2010 at 12:24pm

Edited: 15/12/2010 12:26pm

We don't really publish security audits but the core dev's are aware when audits do occur. Most of the current audits include specific project work as well so not really suitable for public release. I'll track down to see if we have a sapphire audit available.

In terms of Security issues there is a dedicated security@silverstripe.org setup which emails the core developers instantly so they can keep tabs on everything. Issues are normally patched ASAP to the affected branch(es), releases take a little bit longer to prepare but normally updates are available within the week. You can see http://secunia.com/advisories/search/?search=SilverStripe for a list of issues that have been reported.

2.4.4 has the latest security patches so make sure you update!

Avatar
Ingo

Forum Moderator, 801 Posts

15 December 2010 at 9:36pm

I'm aware of three code audits commissioned by clients since 2.4.0, so we've got a lot of eyes on the product at least.
I don't think you'll find a "security review" as such, I hope that any security issues would be confidentially reported to us rather than blogged as a review.

Avatar
dizzystuff

Community Member, 93 Posts

10 February 2011 at 5:36pm

Hi Guys

Apologies for not getting back to you after you took the time to reply. With the new year and getting stuck into the day to day in Jan we only got back to this this week.

Good news is we're pushing ahead with SilverStripe/Sapphire for this project. Your replies and links were a great help :)

Thanks
dizzystuff