Hi all, Long time no speak! Hope you're all well.
A whitepaper has just been released called the "Secure Web Application Framework Manifesto", which attempts to outline desirable security features for a web app framework:

http://labs.securitycompass.com/papers/secure-web-application-framework-manifesto-v0-08.pdf

I've had a go at assessing TG2 against this, mostly from knowledge, though I have done some practical testing (e.g. on how it handles malformed URL parameters). The headline results: out of 39 properties, TG2 fully implements 14, partially implements 7 and does not implement 18 at all. A fuller analysis is here:

http://spreadsheets.google.com/ccc?key=0Aqi4mvSbCLetdHJ3QUxmSlQybGdlQTl3X09pNzdha0E&hl=en

Now, despite 18 fails, I think TG2 is actually pretty good for security. The manifesto is a new document and I think a lot of its requirements will in time be redefined as "nice to have" features. But this does give some idea of areas that could be worked on to improve security, for example:

- HttpOnly session cookies
- Secure file upload feature
- Escaping/filtering line breaks in HTTP headers and log messages

I haven't published this anywhere except this group for now. If anyone here wants to challenge the results, I'm happy to take comments. The plan is to publish on the Webappsec group in a week or so, once people here have had a chance to comment.

Best wishes,
Paul
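Two of the three improvement areas listed in the post (HttpOnly session cookies, and escaping/filtering line breaks in HTTP headers and log messages) as an added, framework-independent Python example. This is illustration code written for this page, not TurboGears/TG2 code and not the manifesto's; the helper names, the constructed attack strings and the cookie name `session_id` are assumptions. The secure file upload item is not covered here.

```python
"""Added example (not TG2 code): CR/LF filtering for HTTP headers and log
lines, plus an HttpOnly/Secure session cookie built with the stdlib."""
import re
import http.cookies

# CR or LF in a header value lets a client-controlled string (a redirect
# target, a filename in Content-Disposition, ...) terminate the header and
# inject further headers or a response body ("response splitting").
_CRLF = re.compile(r"[\r\n]")


class HeaderInjection(ValueError):
    """Raised when a value destined for an HTTP header contains CR/LF."""


def is_safe_header_value(value: str) -> bool:
    """True when the value can be emitted as a single header line."""
    return _CRLF.search(value) is None


def safe_header_value(value: str) -> str:
    """Reject, rather than silently rewrite, header values with line breaks.

    Rejecting is preferable to stripping for headers: a stripped redirect
    target still points somewhere the application never intended.
    """
    if not is_safe_header_value(value):
        raise HeaderInjection("CR/LF in header value: %r" % value)
    return value


def redirect_headers(location: str) -> list:
    """Header list for a 302 whose Location may be user supplied (hypothetical helper)."""
    return [("Location", safe_header_value(location))]


def safe_log_line(msg: str) -> str:
    """Escape CR/LF so one request cannot forge extra lines in a text log.

    For logs, escaping (not rejecting) is the right choice: the hostile
    input is itself the thing worth recording.
    """
    return msg.replace("\r", "\\r").replace("\n", "\\n")


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Value for a Set-Cookie header carrying the session id as HttpOnly.

    HttpOnly keeps document.cookie from reading the session id after an XSS;
    Secure keeps it off plaintext HTTP. The cookie name is an assumption.
    """
    jar = http.cookies.SimpleCookie()
    jar["session_id"] = session_id
    jar["session_id"]["httponly"] = True
    jar["session_id"]["path"] = "/"
    if secure:
        jar["session_id"]["secure"] = True
    # Morsel.OutputString() returns the part after "Set-Cookie: ".
    return jar["session_id"].OutputString()


if __name__ == "__main__":
    # Constructed inputs: a benign redirect, a header-injection attempt and
    # a log-forging attempt.
    print(redirect_headers("/home"))
    try:
        redirect_headers("/home\r\nSet-Cookie: admin=1")
    except HeaderInjection as exc:
        print("rejected:", exc)
    print(safe_log_line("login user=bob\nlogin user=admin ok"))
    print("Set-Cookie:", session_cookie_header("abc123"))
```

With the attack inputs above, `redirect_headers` raises `HeaderInjection` instead of emitting a second `Set-Cookie` line, the forged log entry is flattened to a single line containing a literal `\n`, and the cookie is emitted as `session_id=abc123; HttpOnly; Path=/; Secure`.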

