What about OWASP Top 10


danny

May 14, 2012, 6:58:43 AM5/14/12
to play-framework
Lift is very safe (so Lift says). How good is Play 2 at the OWASP Top 10?

Thanks
Danny

Julien Tournay

May 14, 2012, 8:40:51 AM5/14/12
to play-fr...@googlegroups.com
Hi,

Every single language out here has an API for escaping SQL parameters. The problem is typically a bad usage of those APIs (building queries using string concat).
No framework will protect you from being stupid, but some APIs make it easy to have injection issues (PHP).

Typically not directly related to your web framework; it's more a template engine issue. Play's default engine escapes HTML by default.
Any decent template engine should do that by default. JSP does not...

Again, the fwk can give you nice APIs and helpers, but pretty much every app out there manages auth differently. It's up to you to do it correctly.

Again, app dev error. The fwk can't do much for you here.

A5-Cross Site Request Forgery (CSRF)
I've made a module for that https://github.com/jto/CSRF. But again, if you do database updates on GET requests, too bad for you.

A6-Security Misconfiguration
Dev error. The fwk can't do much. Typical example: for years, the most common security issue on MySQL was people not changing the default root password (which was no password).

Once again, it's up to you to decide what to crypt and what not. Play has Helpers.

The security class should help.

HTTPS conf issue. Not even closely related to the web framework you chose.

A10-Unvalidated Redirects and Forwards
Again, the fwk just can't prevent you from doing this.

Summarizing, I really don't like people claiming that your app is secure just because you're using their framework.
It gives developers a false feeling of security, while for most vulnerabilities the framework can help, but can't prevent you from doing something stupid.

jto.
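Added example (not from the thread or from Play): a self-contained Python sketch of the two points in the reply above, the SQL API misused by string concatenation next to the parameterised form, and an autoescaping renderer with an opt-out wrapper analogous to Play's `Html` type. The table rows, the probe string and the `render`/`Html` names are constructed for the demo.

```python
import html
import sqlite3

# Constructed sample data for the demo.
ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
PROBE = "x' OR '1'='1"  # constructed input that only matters if it is parsed as SQL


def _db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def find_user_concat(name):
    """Bad usage: the query is assembled by string concat, so input becomes SQL."""
    conn = _db()
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(name):
    """Correct usage of the same API: the value is bound, never parsed as SQL."""
    conn = _db()
    cur = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur]


class Html(str):
    """Marker for markup the developer vouches for; the engine will not escape it.
    Plays the role of Play's Html wrapper: opting out is an explicit decision."""


def render(template, **values):
    """Tiny stand-in for an autoescaping template engine: every value is
    HTML-escaped unless the developer wrapped it in Html."""
    out = template
    for key, value in values.items():
        safe = value if isinstance(value, Html) else html.escape(str(value), quote=True)
        out = out.replace("{" + key + "}", safe)
    return out
```

Running the two lookups with `PROBE` shows the difference the reply describes: the concatenated query returns every row, the bound one returns none.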
