Anvil Cyber Security - Overview

Hi all,

First of all, love Anvil, and love all the new updates announced! I am currently running a small start-up, and am using Anvil to undertake usability analysis.

However, we will soon be deciding whether to stay with Anvil or move our production to Django. The only reason we'd do this is cyber security concerns: Django has infinitely more documentation of cyber security.

Though we would like to stay with Anvil, our concern is not knowing what's in the "black box", as it were. Any documentation / insights would be very much appreciated to cover Anvil's approach to security (including addressing weaknesses in versions of Bootstrap and jQuery) to allow us to use Anvil going forward. Information on the open source server would be much appreciated as well.

2 Likes

I have been using Anvil for production for about a year, so far no incidents.
But I would love to see more info about the matter as well.

Not too sure if a pen test has been done by any community members.

Having said that, after using Anvil, I never use any other framework, since it really reduces dev time by 10x.

2 Likes

Hi @v.v.avudainayagam - glad you’re enjoying Anvil!

First, I want to say that Anvil isn’t a black box! The runtime system used by both the App Server and our hosted service is on GitHub for anyone to audit.

We’ve had some customers commission their own private penetration tests – so far, no major vulnerabilities found (although nobody’s code is perfect, and we are always grateful for reports at security@anvil.works). Some fairly large companies including Vodafone, Baker Tilly, and others – including quite a few we can’t mention – trust Anvil’s security.

Speaking more generally, Anvil’s model is significantly more secure than traditional web frameworks. The OWASP Top Ten vulnerability list is dominated by injections and confusions that are inherent to layering HTML+JS+CSS, REST APIs, and so on. Because you’re using a Python UI toolkit, you have to work quite hard to introduce an XSS vulnerability into an Anvil app. Even if you do use HTTP endpoints, Anvil automatically defends against attacks like CSRF. And, of course, all the pitfalls of hand-rolled authentication can be avoided with the out-of-the-box Users Service. (And the pitfalls of hand-rolled encryption with the Secrets Service, and so on.)

There are some fun results indicating that the number of bugs is roughly proportional to the number of lines of code in your project – which means that, by making your web apps easier to build, Anvil automatically makes them more secure.

In short, Anvil is production-ready, trusted by the big boys, and engineered to substantially reduce the risk of creating security vulnerabilities in your own apps.

16 Likes

Awesome, thank you meredydd for the fantastic answer!

Thanks so much for the details.