Last post May 26, 2006 02:30 AM by DJDoug
May 17, 2006 09:30 AM | weasel
I work at a company that is new to open source. We currently have MS CMS and MS SharePoint in house and are looking to upgrade to the next release of SP next year. Recently we have had some interest in DNN. My question is, are there any sites in production of a financial nature? Say 401k, Health, Benefits? I would really be interested in discussing any technical hurdles they found with regard to security. We need to keep everything as secure as possible and have a 3rd-party security audit every other year, or after major releases.
I am interested in the open source initiative, but security is a major issue. I realize that with CMS and SP and the MS world, I may not be as secure as I think. But, from a liability perspective, I have a vendor that I can jump on if there is a real issue. Also, from a legal perspective, I can go after the vendor if they have produced an unsecured environment. I guess what I'm trying to say is that contractually I have leverage with a vendor, whereas I don't know if I have that leverage with an open source product.
I hope that all made sense :-)
Thanks for any replies!
May 18, 2006 08:23 PM | photo_tom
I know of a few.
I sell the SSL_module on Snowcovered and I've had discussions with a few companies in your area of interest.
As far as I know, they are happy with DNN. I would keep the following points in mind -
- ALWAYS use https communication for secure
- Monitoring this forum for a couple of years (DNN1 days), I've not seen reports of people hacking DNN.
- In version 4, the security is very good. Also, I believe that DNN login now has a login lockout if too many tries are made to guess the userid/password.
- The security system is based on "member roles", and with this you can fine-tune access not only to a page, but to each module on the page.
- While there is no one vendor to complain to if things don't work, you always have the source code to fix the problem.
- Also, this forum is usually very good at helping to fix any problems.
- Do remember that this software is on its 4th major release.
- On the whole, it is very solid and stable.
- There is a large community of developers developing some very solid, professional modules, generally for a very reasonable cost.
- One that comes to mind is DOCUMENT EXCHANGE PROFESSIONAL, which is a great repository for documents and prevents any deep linking directly to documents.
- It is built on ASP.NET and follows Microsoft's best practices. So once you follow a few simple rules, it is easy to add any custom-coded modules to DNN.
- I have a complete photofinishing store, for example.
- It is very scalable. Search this forum and you will see what I mean.
My 2 cents
May 26, 2006 02:30 AM | DJDoug
I recently spoke in depth to a core member about this very topic and my concerns on security for these types of applications. I am currently developing a site built on DNN that requires the same level of security auditing you would need for the "financial" sites you mention. While DNN security is fine for community and membership sites, I can definitely say that the current DNN versions, out of the box, would not pass the level of security audit you would require for handling sensitive information of that nature.
That said, DotNetNuke is a powerful framework and a good foundation for building applications, and can certainly be used for your apps with a few changes. Being Open Source with a liberal license, you can modify the code how you wish. There are some obvious security vulnerabilities that a good .NET security guru can easily spot and fix. (Note: I myself am not laying claim to being that kind of guru, but I have access to a few.) I won't list the vulnerabilities we've found here so as not to publicly draw attention to them, but I will be sending a summary of suggested changes to the core once I finish my site. One very obvious change that I can suggest to you would be to use integrated Windows Authentication for SQL Server, rather than having a user id and password in the connection string in web.config.
Many advise against core mods for upgrade reasons. However, I have been using DNN since its infancy, and if you keep a good change log (side-by-side comparison of out-of-the-box code and code with your changes... there are many good tools that can do this automatically), it's not terribly difficult to upgrade. From your post, since your company can afford MS CMS and SP, it certainly would benefit you to hire a .NET security expert to look at the core DNN code and recommend changes for the type of security audit you would need to pass for handling sensitive info.
One Strong Recommendation... If you plan to use DNN to build your described applications, DO NOT use any third-party module (free or purchased),
I mean no offense to module developers for saying that... I have spent hundreds of dollars buying them from Snowcovered and there are some very good ones. However, without revealing publicly any exploits (intentional or accidental), I'll just say be very, very careful using third-party modules and please follow the above advice. I'm sure others out there know what I am speaking of...
As for liability, if you use DNN, you will assume all liability for the platform. From the DNN license:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
So, you would have no one to sue if security was breached due to the platform.
Hopefully this was of some help to you. Have a great holiday weekend!
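Editor's added example (not code from the thread or from the DNN project) showing the web.config change DJDoug recommends above: the weak form with a SQL login and password sitting in plain text, next to the hardened form that uses integrated Windows authentication so no database secret is stored in the file at all. The connection-string name SiteSqlServer is the one a DNN 4 install expects; the server and database names are placeholders for your own.

```xml
<!-- Added example, not part of the original post or of DNN itself.
     Server/Database values are placeholders; adjust to your installation. -->
<configuration>

  <!-- WEAK: a SQL login and its password are readable by anyone who can read
       web.config (backups, source control, a file-disclosure bug in a module).
       A leaked copy of this file is a leaked database password. -->
  <connectionStrings>
    <add name="SiteSqlServer"
         connectionString="Server=(local);Database=DotNetNuke;uid=dnnuser;pwd=ChangeMe123;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <!-- HARDENED: Integrated Security=SSPI makes SQL Server authenticate the
       worker-process identity (e.g. NETWORK SERVICE or a dedicated domain
       account) via Windows. Nothing secret is left in the file, and the
       database account can be disabled/rotated centrally in Windows. -->
  <connectionStrings>
    <add name="SiteSqlServer"
         connectionString="Server=(local);Database=DotNetNuke;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <!-- If your DNN 4 web.config also carries the legacy appSettings copy of the
       connection string, change it the same way or it silently keeps the
       old credentials: -->
  <appSettings>
    <add key="SiteSqlServer"
         value="Server=(local);Database=DotNetNuke;Integrated Security=SSPI;" />
  </appSettings>

</configuration>
```

Two things to check before relying on this. First, create a SQL Server login for the exact Windows account the application pool runs as and grant it only the rights DNN's installer and upgrade scripts need on that one database, rather than reusing an administrative account. Second, whatever remains in `<connectionStrings>` can still be protected at rest with the .NET 2.0 tool `aspnet_regiis -pe "connectionStrings" -app "/YourVirtualPath"`, which encrypts the section with DPAPI or an RSA key on that machine, so a copied web.config no longer yields usable values.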