Thanks for the question, John -- I agree that application security is
a *big* deal, and I'm all for setting a positive example! In fact,
one of our motivations in open sourcing Django was to get more eyes
on any potential security risks in Django (if indeed there are any).

Here's what I know about Django's security so far. Although I'm not
by any means a security expert, I do know quite a bit about the
common security holes in web apps (I used to be a PHP programmer --
ick).

First data point: we've been using Django for two years here in
Lawrence, and there have been no security breaches.

Second data point: because we do credit card processing, our processor
just subjected us to an intensive security scan. The scan was unable
to find any issues -- even minor ones -- with Django.

Third data point: the critical pieces of Django -- request handling,
file uploads, database querying -- have all been written explicitly
with security in mind. The database layer in particular has been
specifically designed to make it *hard* to write unsafe database
code. Thus, it takes *more* effort to write code vulnerable to
injection attacks than it does to write safe code.

The upshot is that I'm very comfortable saying that we've got one of
the most secure web frameworks out there. Again, I'm not an expert
on security, so please feel free to verify my gut instincts for
yourself. In fact, if there *are* security wonks on this list, I
would *love* some sort of a security audit. If you're volunteering,
John, I'd be thrilled to provide any help I can.

Thanks!

Jacob
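The third data point above, that the database layer keeps the SQL text and the user-supplied value apart so that the safe form is also the easy one, as an added example that is not part of Jacob's message or of Django's own code. It uses Python's standard sqlite3 module as a stand-in (Django's ORM likewise hands values to the database driver as query parameters rather than splicing them into the SQL string). The `auth_user` table, the sample rows, the payload and the function names are constructed for the demonstration and are assumptions, not something from the original post.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Columns a framework-style helper is allowed to filter on. Identifiers cannot be
# bound as parameters, so they must come from a fixed allowlist, never from input.
ALLOWED_COLUMNS = {"username", "email"}


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO auth_user VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Deliberately vulnerable: the value is pasted into the SQL text, so quotes in
    the input become part of the query."""
    sql = "SELECT username FROM auth_user WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Parameterised: the driver sends the value separately from the query text, so
    it is matched as data and never parsed as SQL."""
    sql = "SELECT username FROM auth_user WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def filter_equal(conn, column, value):
    """Framework-style helper (a hypothetical stand-in for an ORM filter call): only an
    allowlisted column name goes into the SQL text; the value is always bound. A
    caller cannot reach the string-splicing path without bypassing the helper, which
    is what makes the safe form the path of least resistance."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown column: %r" % (column,))
    sql = "SELECT username FROM auth_user WHERE %s = ?" % column
    return [row[0] for row in conn.execute(sql, (value,))]


def demo():
    """Run the same inputs through both paths and return the four result sets."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed injection payload
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_payload": lookup_unsafe(conn, payload),   # returns every row
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_payload": lookup_safe(conn, payload),       # returns nothing
        "helper_payload": filter_equal(conn, "username", payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-15s %r" % (name, rows))
```

With the payload the unsafe lookup's SQL becomes `... WHERE username = '' OR '1'='1'` and returns all three users, while both parameterised paths return an empty list because the database compares the whole string, quotes and all, against the column. The allowlist in `filter_equal` is the caveat a practitioner should keep in mind: parameter binding protects values, not table or column names, so any identifier that comes from outside must still be validated.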