emmett-framework / emmett

The web framework for inventors
BSD 3-Clause "New" or "Revised" License
1.06k stars, 71 forks

Security audit for version 1.0 #166

Closed (GiantCrocodile closed this 4 years ago)

GiantCrocodile commented 7 years ago

see title

gi0baro commented 7 years ago

@GiantCrocodile what do you mean?

GiantCrocodile commented 7 years ago

Well, I mean that we need a security audit on the first stable release: version 1 is the first version which can be used in a production environment, and so we need to be sure weppy has no security holes inside. Previous versions didn't fulfill this requirement, as you already mention yourself in the README, because it is in beta:

Status of the project
weppy is currently released in beta stage. What does that mean?
    That the code may contain noteworthy bugs
    That you can use it on production, but cannot blame the developers if something goes wrong

gi0baro commented 7 years ago

@GiantCrocodile ok, I understand. But I meant: who should perform this audit, and how? And also, how should I judge it valid?

Marlysson commented 7 years ago

@gi0baro should do it like web2py: get the security issues from OWASP and integrate them.

GiantCrocodile commented 7 years ago

Sorry for my late response here. I've been busy so far. I don't know how to organize such a security audit. Maybe we have someone over here who wants to check this project in detail, or there is some community which is interested in this. I just created an issue for this to make sure it isn't forgotten (or at least has been thought about) before releasing it. On the other hand, maybe there is a nice automated tool to test for basic security principles in Python source or bytecode, like there is for other languages and projects?

gcmurphy commented 6 years ago

A couple of good steps you could take are to introduce Bandit into your CI pipeline. Additionally, I'd look at leveraging something like pipenv to check for vulnerable dependencies (or the underlying lib it uses to do this).
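To make the Bandit suggestion above concrete, here is an added example (demo code written for this note, not emmett/weppy source) of two defect classes that Bandit's built-in tests report when run as `bandit -r <path>`, each beside the form a reviewer would want instead. The `users` table, its columns, the in-memory SQLite database, the injection payload and the PBKDF2 round count are assumptions constructed for the demo; the test IDs in the comments (B608, B303/B324) are Bandit's own.

```python
# Constructed demo: patterns Bandit flags, next to their hardened forms.
# Not emmett/weppy code. Table/column names and sample rows are made up.
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


# B608 (hardcoded_sql_expressions): query text assembled with % formatting.
# Bandit flags it because `name` can close the quote and append its own SQL.
def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


# Hardened: the value travels as a bound parameter, never as SQL text, so a
# quote in it is compared literally instead of changing the statement.
def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# B303 / B324: MD5 used on a password. Bandit flags the hashlib.md5 call;
# the underlying problem is an unsalted digest that is cheap to brute-force
# and identical for identical passwords.
def hash_password_unsafe(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


# Hardened: per-user random salt plus a deliberately slow standard-library
# KDF (PBKDF2-HMAC-SHA256). Stored form is "salt_hex$digest_hex".
PBKDF2_ROUNDS = 200_000  # assumption for the demo; tune to your hardware


def hash_password_safe(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    attack = "x' OR '1'='1"  # constructed injection payload
    print("unsafe:", find_user_unsafe(db, attack))  # both rows come back
    print("safe:  ", find_user_safe(db, attack))    # no such user: []
    stored = hash_password_safe("correct horse")
    print("verify:", verify_password("correct horse", stored),
          verify_password("wrong", stored))
```

Running `bandit -r .` over a file like this reports the `%`-formatted query and the `md5` call; the parameterised query and PBKDF2 variant produce no findings, which is the state a CI gate should require.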
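The second suggestion, checking pinned dependencies with `pipenv check` (which delegates to the safety library), boils down to matching each pin against an advisory database of affected version ranges. The following is an added example of that mechanism written for this note; it is not safety's or the project's code. The package names, versions and advisory identifiers are constructed for the demo, and version comparison uses a simplified dotted-integer rule rather than full PEP 440 semantics.

```python
# Constructed demo of a pinned-dependency advisory check, in the spirit of
# `pipenv check` / safety. Packages, versions and advisory IDs are made up.
import re
from typing import Dict, List, Tuple

# Assumed advisory database: package -> [(affected-version spec, advisory id)].
# A spec is a comma-separated list of clauses that must all hold.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "examplelib": [("<2.0.4", "DEMO-2019-001"), (">=3.0,<3.1.2", "DEMO-2019-002")],
    "otherpkg": [("<0.9", "DEMO-2018-007")],
}

_CLAUSE = re.compile(r"^(<=|>=|<|>|==)\s*([0-9.]+)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Simplified version parsing: '3.1.0' -> (3, 1, 0). Not PEP 440."""
    return tuple(int(part) for part in version.split("."))


def version_matches(version: str, spec: str) -> bool:
    """True when `version` satisfies every clause of `spec`."""
    ver = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        holds = {"<": ver < bound, "<=": ver <= bound, ">": ver > bound,
                 ">=": ver >= bound, "==": ver == bound}[op]
        if not holds:
            return False
    return True


def parse_requirements(text: str) -> Dict[str, str]:
    """Collect 'name==version' pins; comments, blanks and unpinned lines are skipped."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def find_vulnerable(requirements_text: str,
                    advisories: Dict[str, List[Tuple[str, str]]] = ADVISORIES
                    ) -> List[Tuple[str, str, str]]:
    """Return (package, pinned version, advisory id) for every affected pin."""
    hits = []
    for name, version in parse_requirements(requirements_text).items():
        for spec, advisory_id in advisories.get(name, []):
            if version_matches(version, spec):
                hits.append((name, version, advisory_id))
    return sorted(hits)


SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt for the demo
examplelib==3.1.0
otherpkg==1.2.0
unrelated==0.1.0   # not in the advisory list
"""

if __name__ == "__main__":
    for name, version, advisory in find_vulnerable(SAMPLE_REQUIREMENTS):
        print(f"{name}=={version} is affected by {advisory}")
```

The point for CI is the exit condition: a non-empty result from this kind of check should fail the build, and unpinned dependencies (which the parser above deliberately skips) cannot be checked at all, so pinning is a prerequisite for the check to mean anything.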