These forums are read-only and for archival purposes only!
Please join our new forums at discourse.kohanaframework.org
Security of Koh 3.*
  • Can anyone point me towards documentation (or fill me in) on how Kohana watches over the security of its own code? I'm considering the use of the framework for a company that will often be going through security scrutiny, and one of the questions they'll get asked is how tight is the security of the third-party software they use. The most I can find is one sentence on the docs page: "Of course, all official code is carefully written and reviewed for security." I'd love any elaboration on that.

    A couple of questions to clarify the sort of info I'm hoping to find:

    What sort of security background does the security-reviewer have?

    Has Kohana 3.* ever been through a third-party security audit? If yes, does that happen regularly or just whenever a community-member would like to spring for the price tag of doing one?

    Does it have strict policies on code review for all submitted changes (including from core devs), QA for releases, etc.?

    I'm aware that a dev can use any piece of software and make it insecure, so please don't open fire about that. :) Evaluation of third-party stuff is just part of the joys of an audit, and I'm wondering how well Koh might stand up to one.

  • I don't know the answer - I suspect it's not formal enough for you, but the core team may do more than I realise. But I'd suggest, if it is that important to you, that given you have the source (and given, as you say, a dev can make it insecure, not to mention that there would easily be ways to substitute malicious packages for the official Kohana source), it would be best to consider it inside the fence of your own code review process.

    For example, if you use Composer to install 3.3.1 and include the vendor folder in your own source control, it will be easy to see and review diffs of any future changes in core (and any other) libraries. The Kohana codebase isn't large and is well structured, so I don't imagine it would add a great deal of overhead to your own code review, and probably no more than documenting the external compliance, implementing package signing of some kind and verifying all the potential developer overrides.
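
The post above describes vendoring the framework and reviewing diffs of it. Here is an added example of the check that idea implies, written for this page and not taken from the post or from the Kohana project: a hash manifest of the vendored tree is committed next to it, and a script reports every added, removed or modified third-party file and fails if the tree no longer matches what was reviewed. The vendor layout, file names and manifest path are hypothetical, and the demo tree is constructed inline.

```shell
#!/bin/sh
# Added example, not code from the Kohana project or from the post above.
# Build a SHA-256 manifest of a vendored dependency tree and compare it with
# the manifest committed next to it, so any change to third-party code (an
# upstream update or a substituted package) fails loudly and shows up as a
# short, reviewable list. Directory and file names below are hypothetical.

# vendor_manifest DIR: one "<sha256>  <relative path>" line per regular file,
# sorted by path so two manifests can be compared line by line.
vendor_manifest() {
    vm_dir=$1
    if command -v sha256sum >/dev/null 2>&1; then vm_hasher="sha256sum"
    else vm_hasher="shasum -a 256"; fi          # macOS fallback
    ( cd "$vm_dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          $vm_hasher "$f"
      done )
}

# vendor_check DIR MANIFEST: print ADDED / REMOVED / MODIFIED paths relative
# to the committed manifest; return 0 only if the tree matches it exactly.
vendor_check() {
    vc_dir=$1; vc_manifest=$2
    vc_work=$(mktemp -d)
    vendor_manifest "$vc_dir" > "$vc_work/new"
    LC_ALL=C sort "$vc_manifest" > "$vc_work/old_sorted"
    LC_ALL=C sort "$vc_work/new" > "$vc_work/new_sorted"
    # The hex digest is 64 chars followed by two spaces, so the path starts
    # at column 67 (this survives paths containing spaces, unlike awk '$2').
    cut -c67- "$vc_manifest" | LC_ALL=C sort > "$vc_work/old_paths"
    cut -c67- "$vc_work/new" | LC_ALL=C sort > "$vc_work/new_paths"
    LC_ALL=C comm -23 "$vc_work/old_paths" "$vc_work/new_paths" | sed 's/^/REMOVED   /'
    LC_ALL=C comm -13 "$vc_work/old_paths" "$vc_work/new_paths" | sed 's/^/ADDED     /'
    # Lines only in the new manifest whose path already existed: same file, new hash.
    LC_ALL=C comm -13 "$vc_work/old_sorted" "$vc_work/new_sorted" | cut -c67- \
        | LC_ALL=C sort | LC_ALL=C comm -12 - "$vc_work/old_paths" | sed 's/^/MODIFIED  /'
    if cmp -s "$vc_work/old_sorted" "$vc_work/new_sorted"; then vc_status=0; else vc_status=1; fi
    rm -rf "$vc_work"
    return $vc_status
}

# Constructed demonstration: a fake vendor tree and its committed manifest,
# then one file altered and one added, as a bad upstream release or a
# substituted package would do. Returns 1 because the tree no longer matches.
demo() {
    d_root=$(mktemp -d)
    d_cls="$d_root/vendor/kohana/core/classes/Kohana"          # hypothetical layout
    mkdir -p "$d_cls"
    printf '<?php class Kohana_Core {}\n'    > "$d_cls/Core.php"
    printf '<?php class Kohana_Request {}\n' > "$d_cls/Request.php"
    vendor_manifest "$d_root/vendor" > "$d_root/vendor.sha256"   # commit alongside vendor/
    printf '<?php class Kohana_Core { /* altered */ }\n' > "$d_cls/Core.php"
    printf '<?php class Kohana_Extra {}\n'              > "$d_cls/Extra.php"
    if vendor_check "$d_root/vendor" "$d_root/vendor.sha256"; then d_status=0; else d_status=1; fi
    rm -rf "$d_root"
    return $d_status
}

if demo; then echo "vendor tree matches the committed manifest"
else echo "vendor tree differs from the committed manifest: review before deploying"; fi
```

Committing vendor/ to git already gives you the line-level diff the post talks about; the manifest check is the cheap gate that makes a mismatch between the deployed tree and the reviewed one fail in CI rather than pass silently, and it complements Composer's lock file, which pins package versions but does not itself verify the files on disk at deploy time.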

  • Has Kohana 3.* ever been through a third-party security audit?

    We had a third party security audit on the 2.x branch, but not the 3.x branch.

    Does it have strict policies on code review for all submitted changes (including from core devs), qa for releases, etc?

    All code merged is reviewed by core devs, and we do have unit tests for releases, etc. We don't have any third party vetting process.

  • @zombor What are the costs for a third party security audit? Could be a good talking point that might be worth raising some cash for?

  • The last one we didn't pay for. The Gallery3 guys did it as part of their development process, and shared the results with us. I'm guessing it's a few thousand USD.

  • I thought Gallery3 used Kohana 3.x, no?

  • Nope, they used 2.4 back then. I don't know if they ever migrated to v3.
