views:

303

answers:

4

How secure are popular open source web frameworks?

I am particularly interested in popular frameworks like Rails and Django.

If I am building a site which is going to do heavy e-commerce, is it OK to use frameworks like Django and Satchmo?

Is security compromised because of their open architecture?

I know being OS does not mean being downright open to hackers; Linux uses a superb authentication mechanism, but the web is a different game.

What can be done in this regard?

UPDATE:

Thanks for the answers, guys.

I understand that I will have to find a suitable hosting service for a secure e-commerce application and that additional layers of security will be needed.

I understand that Django and Rails have been designed with security in mind, covering the most common forms of attack like XSS, injection, etc. (the Django book has a chapter on security).

I was expecting comments from security gurus. If you are a security guru, would you recommend that an important site, which is likely going to be popular, be built on Django or Rails?

+5  A: 

Many people say that security through obscurity is not effective. Microsoft products, Adobe Reader, etc. can be cited as evidence that closed source is no more effective than open source at preventing security issues.

Many open-source advocates argue that the "more eyes is better" approach is one way of combating security-related bugs. However, in reality, when you are dealing with smaller or less popular applications, both commercial and open source, there are often few eyes. So there is the real danger of some black hat searching Google Code for a code snippet with a security hole in it.

Nonetheless, if you are using a fairly popular open source framework, I doubt it would be any more or less secure than a competing commercial product. At the very least, you may get a quicker turnaround on security-related bug fixes from an open source product with a very active community.

However, if you are serious about building an e-commerce site, you need multiple layers of protection. Definitely make sure that a proper firewall and an intrusion protection / detection system (IPS/IDS) are in place. You may need to pay for a hosting service that will provide security consultation and monitoring services in addition to hosting. Remember, your users are your customers! Any breach could be catastrophic for the business.

Elijah
+3  A: 

In the testing courses I've taken (and I agree), I have always been told that open source software is more secure since it is tested by more people and improved by more people.

Hiding the source code is not an effective way of securing an application. It could work for a specific piece of software, but for a widespread framework people are eventually going to figure out how things work (http://en.wikipedia.org/wiki/Reverse_engineering).

There are large-scale e-business web applications that use open source frameworks. If you are familiar with e-commerce tools, you must know Shopify, which is built using Ruby on Rails (http://weblog.rubyonrails.org/2006/6/5/shopify-is-open-for-business).

They also released ActiveMerchant:

Active Merchant is an extraction from the e-commerce system Shopify. Shopify's requirements for a simple and unified API to access dozens of different payment gateways with very different internal APIs was the chief principle in designing the library.

Active Merchant has been in production use since June 2006 and is now used in most modern Ruby applications which deal with financial transactions.

In my opinion, security will be at least as good, if not better, using a framework like Rails than using a proprietary framework. I don't know about Django since I've never used it, but I've heard that it is just as good.

Of course, you'll need to keep your app secure and not rely solely on the framework!

marcgg
+4  A: 

Some of the answers are only talking about open source vs. closed source and security, but since you asked about specific frameworks I thought I'd comment on what I know about Rails.

There are features which indirectly complement security and those which are explicitly designed to implement security in Rails:

  1. SQL Injection - Using ActiveRecord is generally encouraged for accessing the database within Rails applications. If used properly, you avoid the string concatenation problems that can lead to exploitation via SQL injection. That's one of the most common methods of attack on web applications.
  2. XSS - Easy-to-use macros are provided to HTML-encode text which users entered, as well as code to scrub out JavaScript a user might have entered into fields. By using these together you help protect yourself against cross-site scripting both coming and going.
  3. Cookie manipulation - The default mechanism for storage of session data in Rails is sending it to the end user in the form of cookies. However, the user cannot simply alter that data and then resend it to the server, because it is signed with a lengthy private key before sending. Any altered session data will be immediately obvious to the server.
  4. CSRF - This one is complicated to explain, but Rails provides security with its forms to ensure that the incoming request is coming from a form you actually sent to the user.

There are more things, but it's good that modern frameworks like Rails have built-in support to help you get a more secure web application from the start. Perhaps someone familiar with the features of Django could weigh in as well.

John Munsch
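The four Rails mechanisms listed in the answer above, as an added example that is not part of the original answer or of Rails itself: a stand-alone model built on the Ruby standard library only. The names SessionCookie, CsrfGuard, bind_sql and render_comment_form are hypothetical stand-ins for ActiveSupport::MessageVerifier, ActionController's forgery protection, ActiveRecord's where("col = ?", value) and the ERB escaping helper; the secret key is a constructed placeholder.

```ruby
# Added example (not code from the original page or from Rails): a
# stand-alone model of signed session cookies, CSRF tokens, output escaping
# and placeholder-bound SQL, using only the Ruby standard library.
# Module/method names are hypothetical stand-ins for the Rails equivalents.
require 'openssl'
require 'json'
require 'securerandom'
require 'erb'

# Constant-time comparison: a plain == returns early at the first differing
# byte, which can leak a valid MAC or token one byte at a time via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# 3. Cookie manipulation: the session hash travels to the browser, but only
#    together with an HMAC computed from a server-side secret.
module SessionCookie
  # Stands in for Rails' secret_key_base; constructed example value only.
  SECRET = 'example-only-secret-key-base-keep-the-real-one-out-of-git'.freeze

  def self.mac(payload)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), SECRET, payload)
  end

  def self.generate(session)
    payload = [JSON.generate(session)].pack('m0') # strict base64, no newlines
    "#{payload}--#{mac(payload)}"
  end

  # Returns the session hash, or nil if the cookie was altered or forged.
  def self.verify(cookie)
    payload, received = cookie.to_s.split('--', 2)
    return nil if payload.nil? || received.nil?
    return nil unless secure_compare(mac(payload), received)
    JSON.parse(payload.unpack1('m0'))
  rescue ArgumentError, JSON::ParserError
    nil
  end
end

# 4. CSRF: the form carries a random token that is also held in the session,
#    so a request forged from another origin cannot supply a matching value.
module CsrfGuard
  def self.issue(session)
    session['_csrf_token'] ||= SecureRandom.base64(32)
  end

  def self.valid?(session, submitted)
    expected = session['_csrf_token']
    !expected.nil? && !submitted.nil? && secure_compare(expected, submitted)
  end
end

# 2. XSS: every user-controlled value is HTML-escaped on output, so a stored
#    "<script>" renders as text instead of executing.
def render_comment_form(session, previous_comment)
  token = CsrfGuard.issue(session)
  <<~HTML
    <form method="post" action="/comments">
      <input type="hidden" name="authenticity_token" value="#{ERB::Util.html_escape(token)}">
      <p>#{ERB::Util.html_escape(previous_comment)}</p>
      <textarea name="comment"></textarea>
    </form>
  HTML
end

# 1. SQL injection: the caller passes a template with "?" placeholders and
#    the values separately; quoting is done here, never by hand-built strings.
#    Quoting is the simplified '' doubling of standard SQL string literals;
#    real database adapters add driver-specific escaping on top.
def quote_sql(value)
  case value
  when Integer then value.to_s
  when String then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "unsupported bind type #{value.class}"
  end
end

def bind_sql(template, *binds)
  raise ArgumentError, 'bind count mismatch' unless template.count('?') == binds.size
  queue = binds.dup
  # gsub with a block never rescans inserted text, so a "?" inside a bound
  # value cannot swallow a later placeholder.
  template.gsub('?') { quote_sql(queue.shift) }
end
```

The same attack in the hand-built form, `"SELECT * FROM users WHERE email = '#{input}'"` with input `x' OR '1'='1`, produces a query that matches every row; `bind_sql` turns the same input into a harmless literal. Real Rails goes further than this sketch: the cookie store has been encrypted as well as signed since Rails 4.1, and templates have been auto-escaped by default since Rails 3.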
+2  A: 

I've built several sites using Django and one storefront using Satchmo. There is no difference in security between closed and open source frameworks, since all the security-related information is unique to your installation.

For example, the "secret code" in your settings.py file is uniquely generated when you start your project. It's up to you to salt user passwords and to guard your encryption keys, the same as you would on any platform.

Something to note about Django is that, out of the box, all form input is validated and "marked safe" via a sanitization process. You can access a form's sanitized data via its cleaned_data dictionary.

Additionally, all templates are auto-escaped HTML, so the risk of injection attacks or cross-site scripting is virtually nil.

Finally, the models offer an additional security layer and validation should any rogue data get through.

And as for Satchmo, its e-commerce gateways to PayPal, Visa, etc. are accepted by said companies and use their APIs, so they're as secure as any other payment gateway. Naturally, you need to be running an encrypted HTTPS connection to do credit card payments, but that is required universally and has nothing to do with the framework you use.

Soviut