Modern software development can, IMHO, be summarized as the utilization of various frameworks. Gone are the days when we had none and had to reinvent the wheel on a per-project basis. Since my humble beginnings in the software industry I have seen various frameworks take an ever greater hold on my day-to-day programming style. Instead of having to write quirky SQL I can now use an ORM instead. Instead of manually handling sockets I can now rely on various already built-in functions. Thanks to the .Net, PHP and Java frameworks my life has become wondrously easy! I can leave my brain at home.
And that thing about the brain being left at home hit me this week. This week I had to go to our regional office overseas to give some presentations on security in development projects. After my first segment, during the break, I got the opportunity to ask one of the developers what he thought about the presentation. The developer said: “I don’t see why we must focus so much on security. Shouldn’t the framework take care of that?” A shiver went through my bones and I had to make my later presentation even clearer on this topic.
Yes – in an ideal world the framework would take care of the security for you. And, yes, it may do a great job at it. On its own. The problems begin to pile up when you start using the framework without knowing its constraints and limits, or stray into the gray areas it wasn’t designed to handle. And that IS hard to master! It takes years to get a complete overview of your chosen frameworks. First you have to dive into what it can offer – that takes some time. Then you must dive into how it should be used. The third thing is... the framework is basically a black box. You don’t really know what happens under the hood – do you?
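A concrete illustration of the ORM point above, added here as an example and not code from the original post. Python's built-in sqlite3 module stands in for the ORM (it is assumed as the data-access layer, and the users table and rows are constructed for the demo). The framework's designed path binds the value as a parameter, so a hostile-looking input is simply a name nobody has. The raw-SQL "escape hatch" that most frameworks also offer builds the query by string formatting, and there the framework's protection no longer applies; the same input changes the meaning of the query. The third function shows that the escape hatch itself is fine as long as you still bind parameters, which is the constraint a developer has to know about.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def _connect():
    """In-memory database with a small users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_parameterized(conn, name):
    """The path the framework designed for you: the value is a bound parameter,
    so it can only ever be compared against the name column, never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ? ORDER BY name", (name,)
    ).fetchall()


def find_user_raw(conn, name):
    """The escape hatch used wrongly: raw SQL assembled by string formatting.
    The framework cannot help here because it never sees a parameter."""
    return conn.execute(
        f"SELECT name, email FROM users WHERE name = '{name}' ORDER BY name"
    ).fetchall()


def find_user_raw_fixed(conn, name):
    """The escape hatch used correctly: raw SQL is fine, but the value still
    travels as a bound parameter instead of being pasted into the statement."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ? ORDER BY name", (name,)
    ).fetchall()


def compare(name):
    """Run the same lookup through all three paths and return the row lists."""
    conn = _connect()
    try:
        return {
            "parameterized": find_user_parameterized(conn, name),
            "raw": find_user_raw(conn, name),
            "raw_fixed": find_user_raw_fixed(conn, name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary name behaves identically on every path.
    print(compare("alice"))
    # A constructed input containing quote characters: the bound-parameter
    # paths return no rows (no user has that name); the string-formatted
    # path returns every row, because the input became part of the query.
    print(compare("x' OR 'a'='a"))
```

The lesson for reviewing framework code is not "never use raw SQL" but "know where the framework stops protecting you": any call that accepts a pre-built string is a gray area, and the check is whether user-supplied values reach it as parameters or as text.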
I do not mean to be grumpy or anything like that. Frameworks are great if you know how to use them properly. Keep in mind – a framework is just a dumb black box that does not know the various shades of gray.