Page 1 of 1

is it secure?

Posted: Thu Sep 24, 2009 11:41 pm
by george
just wondering whether there has been any penetration testing performed on this platform. SQL injection, XSS, etc?

George

Re: is it secure?

Posted: Thu Sep 24, 2009 11:45 pm
by george
btw, for security reason, user ID shouldn't be displayed to the public. Instead, user name should be displayed.

Re: is it secure?

Posted: Tue Sep 29, 2009 12:53 pm
by jefffischer
george wrote:just wondering whether there has been any penetration testing performed on this platform. SQL injection, XSS, etc?

George

Broadleaf Commerce uses an extendible ORM strategy based on JPA (and specifically Hibernate behind the scenes). If you drill down even further, we are entirely using prepared statements and we do not dynamically build queries at all using user input. This deals with the SQL injection issue.

As for XSS, we utilize Spring MVC as our de-facto engine for the presentation layer and even provide some out-of-the-box controllers to speed development in this area. Spring MVC has great support for protection against XSS through html escape sequences via simple configuration. This blog talks about it a bit more: http://sanjaysinghloha.blogspot.com/200 ... ng_05.html. Having said that, as an e-commerce framework, Broadleaf Commerce does not force you to use Spring MVC to create a site. Any modern Java-based MVC framework should work fine with Broadleaf Commerce, but care should be taken with any MVC framework choice to account for XSS protection.

One of our partners has built their entire e-commerce site on Broadleaf Commerce using Spring MVC and Spring Security and has utilized S3 Security (http://www.s3security.com) to perform their extensive penetration testing as part of their successful PCI certification. S3 uses several tools, one of which is Retina Scanner.