Forum OpenACS Q&A: Security of OpenACS [Re: Status of OpenACS]

Posted by Frank Bergmann on

I'm the founder of ]project-open[. I'd say that OpenACS is still the most secure Web platform I've ever seen (could be interesting to hear if somebody has seen better stuff recently...).

The main difference to other packages is "security by design" that alleviate the responsibility of the developer. There are several innovative solutions as part of OpenACS/]po[ that I haven't seen anywhere else:

- "Colon Variables" (check Google: "openacs colon variable") basically get rid of SQL injection issues without overhead for developers.

- "Page Contracts" separate between the "hostile Internet environment" with all the bad people living there and the protected TCL environment of the source code.

- In ]po[ we've developed and deployed intrusion detection "traps" or "sensors" in different parts of the system.

- Again in ]po[ we have developed an "Automatic Software Update Service" (like Windows Update) to keep installations up to date and to warn of known security issues. However, we are slow with adding security warnings at the moment.

- The OpenACS role-based permission system is top notch. The difference to other systems is "inheritance" with respect to groups (-> sub-groups), objects (-> sub-objects) and privileges (-> sub-privileges) (a privilege is a kind of "transaction" in SAP-speach).

- AJAX security: A centralized ]po[ REST API with built-in permissions eliminates data leaks that usually appear in all these ad-hoc data-sources that developers tend to write on the server-side to provide there mobile or AJAX applications with data.

The security features in the OpenACS registration, cookie and session management are sound and were innovative at their time, but that's pretty much standard now if you use a mature framework.

Somebody with additional security features of OpenACS? There were some articles in German language iX magazine about Web security, maybe we could extend this collection into a full-blown article?