Many people say that security through obscurity is not effective. Microsoft products, Adobe Reader, etc. can be cited as evidence to prove that closed source is no more effective than open source at preventing security issues.
Many open-source advocates argue that the "more eyes is better" approach is one way of combating security-related bugs. However, in reality, when you are dealing with smaller or less popular applications, both commercial and open source, there are often few eyes. So there is the real danger of some black hat searching Google Code for a code snippet with a security hole in it.
Nonetheless, if you are using a fairly popular open source framework, I doubt it would be any more or less secure than a competing commercial product. At the very least, you may get a quicker turnaround on security-related bug fixes from an open source product with a very active community.
However, if you are serious about building an e-commerce site, you need multiple layers of protection. Definitely make sure that a proper firewall and an intrusion protection / detection system (IPS/IDS) are in place. You may need to pay for a hosting service that will provide security consultation and monitoring services in addition to hosting. Remember your users are your customers! Any breach could be catastrophic for the business.
Some of the answers are only talking about open source vs. closed and security, but since you asked about specific frameworks I thought I'd comment on what I know about Rails.
There are features which indirectly complement security and those which are explicitly designed to implement security in Rails:
SQL Injection - ActiveRecord is generally encouraged to access the database within Rails applications. If used properly, then you avoid string concatenation problems that can lead to exploitation via SQL injection. That's one of the most common methods of attack on web applications.
XSS - Easy-to-use macros are provided to HTML-encode text which users entered, as well as code to scrub out JavaScript a user might have entered into fields. By using these together you help protect yourself against cross-site scripting both coming and going.
Cookie manipulation - The default mechanism for storage of session data in Rails is sending it to the end user in the form of cookies. However, the user cannot simply alter that data and then resend it back to the server, because it is signed with a lengthy private key before sending. Any altered session data will be immediately obvious to the server.
CSRF - This one is complicated to explain, but Rails provides security with its forms to ensure that the incoming request is coming from a form you actually sent to the user.
There are more things, but it's good that modern frameworks like Rails have built in support to help you get a more secure web application from the start. Perhaps someone familiar with the features of Django could weigh in as well.
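The two mechanisms the answer above describes for cookies and CSRF are framework-independent, so here is an added example, written for this page and not taken from Rails or from the answer's author, that shows them in plain Python: session data is serialised and signed with an HMAC keyed by a server-side secret, a rewritten payload fails verification, and a per-session CSRF token is compared in constant time against the value a form submits. The secret key, the session contents and the `tamper` helper are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed secret for this example only; a real application loads its
# signing key from configuration and never ships it to the client.
SECRET_KEY = b"example-secret-key-for-illustration"


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the serialised session, hex-encoded for the cookie."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def encode_session(data: dict) -> str:
    """Serialise session data and append its signature: '<base64 payload>--<hmac>'."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode())
    return payload.decode() + "--" + _sign(payload)


def decode_session(cookie: str):
    """Return the session dict, or None if the cookie is malformed or its signature
    does not match the payload (i.e. the client changed the data)."""
    try:
        payload, sig = cookie.rsplit("--", 1)
    except ValueError:
        return None
    payload_bytes = payload.encode()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(_sign(payload_bytes), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload_bytes))


def tamper(cookie: str, data: dict) -> str:
    """Constructed helper: rewrite the payload but keep the original signature,
    which is what a client editing its own cookie would have to do."""
    _, sig = cookie.rsplit("--", 1)
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return payload + "--" + sig


def new_csrf_token(session: dict) -> str:
    """Generate an unguessable token, store it in the session and return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_valid(session: dict, submitted) -> bool:
    """Accept a form submission only if its token matches the one issued to this session."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected.encode(), str(submitted).encode())
```

Because the server recomputes the HMAC over whatever payload arrives, a cookie that was edited to say `"role": "admin"` is rejected outright rather than being trusted, and a token generated for one session will not validate against another session's stored value.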
I've built several sites using Django and one storefront using Satchmo. There is no difference in security between closed and open source frameworks since all the security related information is unique to your installation.
For example, the "secret code" in your settings.py file is uniquely generated when you start your project. It's up to you to salt user passwords and to guard your encryption keys, the same as you would on any platform.
Something to note about Django is that out of the box, all form input is validated and "marked safe" via a sanitation process. You can access a form's sanitized data via its cleaned_data dictionary.
Additionally, all templates are auto-escaped HTML, so the risk of injection attacks or cross-site scripting is virtually nil.
Finally, the models offer an additional security layer and validation should any rogue data get through.
And as for Satchmo, its e-commerce gateways to PayPal, Visa, etc. are accepted by said companies and use their APIs, so they're as secure as any other payment gateway. Naturally, you need to be running an encrypted HTTPS connection to do credit card payments, but that is required universally and has nothing to do with the framework you use.
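The answer above leans on two Django behaviours: form input is validated into a `cleaned_data` dictionary, and template output is auto-escaped unless explicitly marked safe. The following is an added, self-contained Python example (not Django's code and not the answer author's) that models both behaviours in miniature so the effect can be seen without installing Django: a form with declared fields rejects rogue input and exposes only validated, type-converted values, and a tiny renderer escapes every substituted value except those wrapped in a `SafeString`. The field classes, `OrderForm`, and the `{{ var }}` renderer are constructed stand-ins for the real framework classes.

```python
import html
import re


class ValidationError(Exception):
    """Raised by a field when input does not meet its constraints."""


class CharField:
    def __init__(self, max_length=None, required=True):
        self.max_length = max_length
        self.required = required

    def clean(self, value):
        value = "" if value is None else str(value).strip()
        if not value:
            if self.required:
                raise ValidationError("This field is required.")
            return value
        if self.max_length is not None and len(value) > self.max_length:
            raise ValidationError(f"Ensure this value has at most {self.max_length} characters.")
        return value


class IntegerField:
    def __init__(self, min_value=None):
        self.min_value = min_value

    def clean(self, value):
        try:
            number = int(str(value).strip())
        except (TypeError, ValueError):
            raise ValidationError("Enter a whole number.")
        if self.min_value is not None and number < self.min_value:
            raise ValidationError(f"Ensure this value is greater than or equal to {self.min_value}.")
        return number


class Form:
    """Stand-in for a declarative form: run every field's clean() over raw input and
    keep only values that passed, so downstream code never touches the raw request."""
    fields = {}

    def __init__(self, data):
        self.data = data
        self.cleaned_data = {}
        self.errors = {}

    def is_valid(self):
        self.cleaned_data, self.errors = {}, {}
        for name, field in self.fields.items():
            try:
                self.cleaned_data[name] = field.clean(self.data.get(name))
            except ValidationError as exc:
                self.errors[name] = str(exc)
        return not self.errors


class OrderForm(Form):
    # Constructed example form for a storefront order.
    fields = {"name": CharField(max_length=40), "quantity": IntegerField(min_value=1)}


class SafeString(str):
    """Marks text the developer has vouched for; the renderer leaves it untouched."""


def mark_safe(text):
    return SafeString(text)


def render(template, context):
    """Substitute {{ var }} placeholders, HTML-escaping everything not marked safe."""
    def substitute(match):
        value = context.get(match.group(1), "")
        if isinstance(value, SafeString):
            return value
        return html.escape(str(value), quote=True)
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", substitute, template)
```

The important property is that the unsafe path is the one that takes extra effort: a developer has to call `mark_safe` deliberately to bypass escaping, and has to read `form.data` instead of `form.cleaned_data` to get at unvalidated input, which keeps the default behaviour the secure one.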
In the testing courses I've taken (and I agree), I have always been told that open source software is more secure since it is tested by more people and improved by more people.
Hiding the source code is not an effective way of securing an application. It could work for a specific piece of software, but for a widespread framework people are eventually going to figure out how things work (http://en.wikipedia.org/wiki/Reverse_engineering).
There are large-scale e-business web applications that use open source frameworks. If you are familiar with e-commerce tools, you must know Shopify, which is built using Ruby on Rails (http://weblog.rubyonrails.org/2006/6/5/shopify-is-open-for-business).
They also released ActiveMerchant:
"Active Merchant is an extraction from the e-commerce system Shopify. Shopify's requirements for a simple and unified API to access dozens of different payment gateways with very different internal APIs was the chief principle in designing the library. Active Merchant has been in production use since June 2006 and is now used in most modern Ruby applications which deal with financial transactions."
In my opinion, security will be at least as good, if not better, using a framework like Rails than using a proprietary framework. I don't know about Django since I never used it, but I've heard that it is just as good.
Of course you'll need to keep your app secure and not rely solely on the framework!