Modern software development can be, IMHO, summarized as the use of various frameworks. Gone are the days when we had none and had to reinvent the wheel on a per-project basis. Since my humble beginnings in the software industry I have seen various frameworks have an ever greater impact on my day-to-day programming style. Instead of having to write quirky SQL I can now use an ORM. Instead of manually handling sockets I can now rely on built-in functions. Thanks to the .NET, PHP and Java frameworks my life has become wondrously easy! I can leave my brain at home.

And that thing about the brain being home alone hit me this week. This week I had to go to our regional office overseas to give some presentations on security in development projects. After my first segment, in the break, I got the opportunity to ask one of the developers what he thought about the presentation. The developer said: “I don’t see why we must focus so much on security. Shouldn’t the framework take care of that?” A shiver went through my bones and I had to make my later presentation even clearer on this topic.

Yes – in an ideal world the framework would take care of the security for you. And, yes, it may do a great job at it. On its own. The problems begin to pile up when you start using the framework without knowing its constraints and limits, or stray into the gray areas it wasn’t designed to handle. And that IS hard to master! It takes years to get a complete overview of your chosen frameworks. First you have to dive into what it can offer – that takes some time. Then you must dive into how it should be used. The third thing is that the framework is basically a black box. You don’t really know what happens under the hood – do you?

Having these three steps in mind – mostly covering steps 1 and 2 – you embark on your software development adventure. You begin to design the logic on top of the framework – your business logic. Writing tests for various input cases and whatnot. You start to feel confident that your work is great! The go-live date arrives and everything seems dandy. Except that the users started using your web application and found that you had missed basic checks on file upload: there was a mismatch between the JavaScript validation and the back-end validation, and the file upload checks could be bypassed by posting to the form directly. So – how on earth can the framework alone save you?
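As an added example (not code from the original post), here is what the missing back-end half of that file-upload check looks like for a Node back-end: every rule is evaluated on the server regardless of what the browser-side script already validated, so posting directly to the form gains nothing. The upload shape, the allowed types and the size limit are assumptions, not anything the post specifies.

```javascript
// Added example, not from the original post. Assumed input shape:
// { filename, declaredType, bytes } where `bytes` is a Buffer.
// Allowed types and MAX_BYTES are a hypothetical policy.
const ALLOWED = {
  'image/png':  { exts: ['.png'],          magic: [Buffer.from([0x89, 0x50, 0x4e, 0x47])] },
  'image/jpeg': { exts: ['.jpg', '.jpeg'], magic: [Buffer.from([0xff, 0xd8, 0xff])] },
};
const MAX_BYTES = 2 * 1024 * 1024; // hypothetical policy limit

// Extension of the client-supplied name, after stripping any path component.
function extensionOf(name) {
  const base = String(name).split(/[\\/]/).pop().toLowerCase();
  const dot = base.lastIndexOf('.');
  return dot === -1 ? '' : base.slice(dot);
}

// Returns { ok: true } or { ok: false, reason }. Nothing here relies on the
// browser having run the same checks: the name, the declared Content-Type and
// the body are all client-controlled and are each verified independently.
function validateUpload(upload) {
  const { filename, declaredType, bytes } = upload;
  if (!Buffer.isBuffer(bytes) || bytes.length === 0) return { ok: false, reason: 'empty body' };
  if (bytes.length > MAX_BYTES) return { ok: false, reason: 'too large' };
  const rule = ALLOWED[declaredType];
  if (!rule) return { ok: false, reason: `type not allowed: ${declaredType}` };
  const ext = extensionOf(filename);
  if (!rule.exts.includes(ext)) {
    return { ok: false, reason: `extension ${ext || '(none)'} does not match ${declaredType}` };
  }
  // The declared type is only a claim; confirm it against the leading bytes.
  const matches = rule.magic.some(m => bytes.length >= m.length && bytes.subarray(0, m.length).equals(m));
  if (!matches) return { ok: false, reason: 'content does not match declared type' };
  return { ok: true };
}
```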

This was a bit pessimistic from my side. But nonetheless, it happens a lot these days. Almost every day I face a new framework. Mostly JavaScript. Great. You applied it to your site and you use .NET at the back-end. What about your tailor-made business logic that sits between them? Putting on another framework, instead of doing the only proper thing, which would be to follow best practices and apply secure coding?

I do not mean to be grumpy or anything like that. Frameworks are great if you know how to use them properly. Keep in mind – a framework is just a dumb black box that does not know the various shades of gray.