yellowled Posted February 24, 2014
As far as I know, there has not been a security issue in PW since I have been using it (which means since 2.2). By that I mean there has never been an “OMG, big issue, everyone upgrade to the new version of PW ASAP!!11” situation. Knowing other CMS out there, that's pretty amazing. Is this true? Has there never been a security issue (which the public would've known about)? If so, why is this? Is it because of the way PW is developed or something? The reason I'm asking this is that I realized I don't know the answer myself, and of course, this does come up in talking to clients. Also, I will be giving a presentation on PW at a German web conference soon, so a definite answer to this might be nice.
kongondo Posted February 24, 2014
Something to get you started:
http://processwire.com/talk/topic/1932-security-sql-injections/?p=18127
http://processwire.com/talk/topic/4426-pushing-pw-in-web-design-agencies/
And more.... http://bit.ly/1fxHHux
Good luck with your talk! I know you'll do PW proud!
Soma Posted February 24, 2014
The security issue in PW would be the developer.
pwired Posted February 24, 2014
> this does come up in talking to clients. Also, I will be giving a presentation on PW at a German web conference
Why don't you fire some penetration tests at pw and see for yourself? There are plenty of them on the net. That will give you something to talk about with your clients and at the conference.
apeisa Posted February 24, 2014
Of course there can be security issues on pw. And since it is a full framework instead of just a sandbox for simple sites, a developer can create a bunch of holes themselves. But so far there have been zero vulnerabilities found in pw or pw admin. Of course it doesn't have millions of eyes watching like more popular frameworks out there. But all the most common web security pitfalls are very well taken care of in pw. Things like session capturing, brute force login, CSRF protection, password encryption, SQL injections... No software is 100% safe, but when it comes to ProcessWire, I know that we have a pretty darn great foundation.