Comments on: Secure Code Through Frameworks http://www.gnucitizen.org/blog/secure-code-through-frameworks/ Information Security Think Tank Sun, 23 Nov 2008 13:30:07 +0000 http://wordpress.org/?v=2.6.3 By: deadonarrival http://www.gnucitizen.org/blog/secure-code-through-frameworks/#comment-1463 deadonarrival Sun, 24 Dec 2006 17:46:26 +0000 http://www.gnucitizen.org/blog/secure-code-through-frameworks#comment-1463 Yes, we need more security baked into the frameworks. But the by far biggest contribution will come through: * Education - developers need to learn how to create secure software. Universities etc. need to focus much more on security * Software customers - budget for security and demand secure products. Yes, we need more security baked into the frameworks. But the by far biggest contribution will come through:
* Education - developers need to learn how to create secure software. Universities etc. need to focus much more on security
* Software customers - budget for security and demand secure products.

]]> By: pdp http://www.gnucitizen.org/blog/secure-code-through-frameworks/#comment-1424 pdp Sat, 23 Dec 2006 07:15:29 +0000 http://www.gnucitizen.org/blog/secure-code-through-frameworks#comment-1424 kl, well yes but it is essential to understand that such an approach is not very flexible and you need to be very specific with the specs at a very early stage. Moreover, if you are planning to extend upon your application in the future you need design a schema/method for achieving this task. This is extremely long and time consuming process which not that many applications undertake. Not today. Not even in the future. In the open source world everything is pretty much build upon quick hacks that are glued together with some code. PHP applications are trivial to extend with .htaccess and mod_rewrite for example. IMHO, PHP is the most agile language for web development currently available. There is nothing else that gives you so much power in such a tiny core. I agree that applications need to be very specific in what they take as input and what they output but again this is a matter of finding the balance between accessibility and security. Usually we prefer accessibility over security because it works better in the long term. kl, well yes but it is essential to understand that such an approach is not very flexible and you need to be very specific with the specs at a very early stage. Moreover, if you are planning to extend upon your application in the future you need design a schema/method for achieving this task. This is extremely long and time consuming process which not that many applications undertake. Not today. Not even in the future.

In the open source world everything is pretty much build upon quick hacks that are glued together with some code. PHP applications are trivial to extend with .htaccess and mod_rewrite for example. IMHO, PHP is the most agile language for web development currently available. There is nothing else that gives you so much power in such a tiny core.

I agree that applications need to be very specific in what they take as input and what they output but again this is a matter of finding the balance between accessibility and security. Usually we prefer accessibility over security because it works better in the long term.

]]> By: kl http://www.gnucitizen.org/blog/secure-code-through-frameworks/#comment-1408 kl Fri, 22 Dec 2006 22:31:38 +0000 http://www.gnucitizen.org/blog/secure-code-through-frameworks#comment-1408 True, true. I think the biggest problem are environments where code is created from bits of text. The article praises ASP.Net for detection of HTML injection. I'm not familiar with this feature, but its description sounds to me like a patch on poor architecture (like PHP's magic quotes), rather than solid long-term solution. If it used templates that aren't just bunch of echoed bytes, but really a tree of HTML/XML elements (where it's explict when application outputs tag, attribute or text - preventing you from creating ill-formed HTML/XML), programmer would have to work hard just to make XSS possible. True, true. I think the biggest problem are environments where code is created from bits of text.
The article praises ASP.Net for detection of HTML injection. I’m not familiar with this feature, but its description sounds to me like a patch on poor architecture (like PHP’s magic quotes), rather than solid long-term solution.

If it used templates that aren’t just bunch of echoed bytes, but really a tree of HTML/XML elements (where it’s explict when application outputs tag, attribute or text - preventing you from creating ill-formed HTML/XML), programmer would have to work hard just to make XSS possible.

]]>