Open Source Web Frameworks : Security [closed]

How secure are popular open source web frameworks?

I am particularly interested in popular frameworks like Rails and Django.

If I am building a site which is going to do heavy e-commerce, is it OK to use frameworks like Django and Satchmo?

Is security compromised because of their open architecture?

I know being OS does not mean being downright open to hackers; Linux uses a superb authentication mechanism, but the web is a different game.

What can be done in this regard?

UPDATE:

Thanks for answers guys.

I understand that I will have to find a suitable hosting service for a secure e-commerce application and that additional layers of security will be needed.

I understand that Django and Rails have been designed keeping security aspects in mind, against the most common forms of attack like XSS, injections etc. (the Django book has a chapter on security).

I was expecting comments from security gurus. If you are a security guru, would you recommend an important site, which is likely going to be popular, to be built on Django or Rails?

trappedIntoCode asked May 24 '26 23:05


1 Answer

Many people say that security through obscurity is not effective. Microsoft products, Adobe Reader, etc. can be cited as evidence to prove that closed source is no more effective than open source at preventing security issues.

Many open-source advocates argue that the "more eyes is better" approach is one way of combating security-related bugs. However, in reality, when you are dealing with smaller or less popular applications, both commercial and open source, there are often few eyes. So there is the real danger of some black hat searching Google Code for a code snippet with a security hole in it.

Nonetheless, if you are using a fairly popular open source framework, I doubt it would be any more or less secure than a competing commercial product. At the very least, you may get a quicker turnaround on security-related bug fixes from an open source product with a very active community.

However, if you are serious about building an e-commerce site, you need multiple layers of protection. Definitely make sure that a proper firewall and an intrusion protection / detection system (IPS/IDS) are in place. You may need to pay for a hosting service that will provide security consultation and monitoring services in addition to hosting. Remember your users are your customers! Any breach could be catastrophic for the business.

Elijah answered May 27 '26 12:05
