I've got a new day job and I'll be overseeing a rewrite and expansion of the existing web infrastructure for the business. I'm keenly showcasing SS as the right tool for this job; one of the final objections/questions I've got is: how secure is the SilverStripe/Sapphire core?
With all standard disclaimers of code/server being as secure as the dev/admin who sets it all up, is there a solid review of security in SilverStripe/Sapphire that I can head towards? A third party review even better?
It's great to show the consistent comments from the core dev team all around the web on various blogs and corresponding security and point releases.
Can you point me towards a good solid review of SS security and/or provide me with a quick list of points to assist me in winning over this discussion and the boss man himself?
We don't really publish security audits, but the core devs are aware when audits do occur. Most of the current audits include specific project work as well, so they're not really suitable for public release. I'll track down whether we have a Sapphire audit available.
In terms of security issues, there is a dedicated firstname.lastname@example.org address set up which emails the core developers instantly so they can keep tabs on everything. Issues are normally patched ASAP to the affected branch(es); releases take a little bit longer to prepare, but normally updates are available within the week. You can see http://secunia.com/advisories/search/?search=SilverStripe for a list of issues that have been reported.
2.4.4 has the latest security patches so make sure you update!
I'm aware of three code audits commissioned by clients since 2.4.0, so we've got a lot of eyes on the product at least.
I don't think you'll find a "security review" as such; I hope that any security issues would be confidentially reported to us rather than blogged as a review.