14 December 2010 at 6:47pm
I've got a new day job and I'll be overseeing a rewrite and expansion of the existing web infrastructure for the business. I'm keenly showcasing SS as the right tool for this job. One of the final objections/questions I've got is how secure is SilverStripe/sapphire core.
With all standard disclaimers of code/server being as secure as the dev/admin who sets it all up, is there a solid review of security in SilverStripe/Sapphire that I can head towards? A third party review even better?
It's great to show the consistent comments from the core dev team all around the web on various blogs and corresponding security and point releases.
Can you point me towards a good solid review of SS in/security and/or provide me with a quick list of points to assist me in winning over this discussion and the boss man himself?
Thanks in advance guys
15 December 2010 at 12:24pm Last edited: 15 December 2010 12:26pm
We don't really publish security audits but the core devs are aware when audits do occur. Most of the current audits include specific project work as well so not really suitable for public release. I'll track down to see if we have a sapphire audit available.
In terms of security issues there is a dedicated firstname.lastname@example.org setup which emails the core developers instantly so they can keep tabs on everything. Issues are normally patched ASAP to the affected branch(es); releases take a little bit longer to prepare but normally updates are available within the week. You can see http://secunia.com/advisories/search/?search=SilverStripe for a list of issues that have been reported.
2.4.4 has the latest security patches so make sure you update!
15 December 2010 at 9:36pm
I'm aware of three code audits commissioned by clients since 2.4.0, so we've got a lot of eyes on the product at least.
I don't think you'll find a "security review" as such, I hope that any security issues would be confidentially reported to us rather than blogged as a review.
10 February 2011 at 5:36pm
Apologies for not getting back to you after you took the time to reply. With the new year and getting stuck into the day to day in Jan we only got back to this this week.
Good news is we're pushing ahead with SilverStripe/Sapphire for this project. Your replies and links were a great help.