Thursday 2 April 2009

Frameworks and Security

The last session of the day consisted of so-called break-out sessions, where we sat in small groups and discussed. I chose the group discussing security and frameworks for web application development. A pleasant bunch sat down together.

My hastily assembled notes (not translated, since I'm already late for dinner):

Frameworks and Security

Good thing with frameworks?: Declarative (external files)
Good thing with frameworks?: Decorative (annotations)

Frameworks introduce new levels of abstraction which hide details that are sometimes needed, such as generated XML, SOAP messages, or hash values. But do we always need to look at the details? Do you, for instance, look at the assembly code generated by your compiler? No, but new technologies rarely work that well, so until things have matured you need to be able to dig into the details to debug efficiently.

The security of the frameworks themselves is also interesting.
For instance, parsing of input that leads to automatic creation of objects. Convenient at first but ...

Help the developers: You want secure stuff to be easy and insecure stuff to be hard.
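As an added example, not from the original notes or the discussion, here is what the two points above ("automatic creation of objects from parsed input" and "secure stuff easy, insecure stuff hard") look like in code, using a hypothetical User class and a constructed request body:

```ruby
# Added example (not from the original post). A hypothetical User class and a
# constructed params hash stand in for a parsed form or JSON body.
class User
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false # privilege flag that input should never control
  end
end

# The "convenient" binder: every key in the parsed input that matches a setter
# is assigned, so the caller never has to list fields.
def bind_any(obj, params)
  params.each do |key, value|
    setter = "#{key}="
    obj.public_send(setter, value) if obj.respond_to?(setter)
  end
  obj
end

# The hardened binder: the developer declares which fields input may touch.
# Anything else is collected and returned so it can be logged, not silently applied.
def bind_allowed(obj, params, allowed)
  rejected = []
  params.each do |key, value|
    if allowed.include?(key.to_s)
      obj.public_send("#{key}=", value)
    else
      rejected << key.to_s
    end
  end
  [obj, rejected]
end

# Constructed sample input: a registration form that also carries an "admin" key.
SAMPLE_PARAMS = { "name" => "alice", "email" => "alice@example.com", "admin" => true }.freeze

# Runs both binders over the same input and reports the resulting admin flags.
def demo
  naive = bind_any(User.new, SAMPLE_PARAMS)
  safe, rejected = bind_allowed(User.new, SAMPLE_PARAMS, %w[name email])
  { naive_admin: naive.admin, safe_admin: safe.admin, rejected: rejected }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The allowlisted binder is the one that should be the framework's default, so that the safe path is also the least typing.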

Crucial for the choice of framework:

- legacy in projects

- what do we know already?

- support for good (unit) testing

- culture

- it does the job

Google doesn't use many frameworks, at least not many open frameworks. Developers at Omegapoint are also fairly reluctant to use too many or too heavy frameworks.

Make the framework binaries different in different installations? To avoid monocultures.

Rails is infinitely better than PHP, so there is progress even though frameworks are rarely targeted at security.

Developers are artists and don't like to be forced into tight structures, so the choice of a framework can lead to arguments and lower productivity.
