"You could write a book about the things that Dad doesn't understand. And they have. Lots of them"
-Remy, "Ratatouille"
There is a long list of things I don't understand. One of the more vexing items is otherwise wicked smaht developers doing exhaustive comparisons of web frameworks without including any security mechanisms whatsoever.
I blogged about Tim Bray's comparison of PHP, Rails, and Java frameworks for the web which included developer-friendly comparisons of Scaling, Dev Speed, Dev Tools, and Maintainability, but nothing about security - Doctor It Hurts When I Do That. This was 2 years ago.
Now another smart guy, James Strachan, has published detailed comparisons of Java web frameworks without once mentioning security.
At least I got Steve Vinoski to put in a caveat.
I am not tracking, guys - it's WEB SOFTWARE. It doesn't run in some benign environment - it runs on the most hostile system that we know - here is a list of 245 million people who agree with me. For example, REST is a much simpler framework to think about programming, until you add in authentication, and then, as Don Box says, the story starts to blow chunks. I am all for architectural purity and all, but can we at least factor authN, authZ, audit logging and (can I dream for a second?) defensive programming into the designs we compare, contrast and program? Until then, I really don't see how we can consider this stuff web ready.
Many frameworks do have *some* security features. Usually related to cross-site-scripting, or such.
What is the list of features you think could be included in web frameworks?
Posted by: Dave Tauzell | January 27, 2009 at 01:45 PM
Dave - exactly. They all have *some*; all I am saying is factor those into the comparison. In Tim Bray's example, the differences between the security stories in PHP, Rails, and Java are vast.
As for the list, you'll have to wait for a future post.
Posted by: Gunnar Peterson | January 27, 2009 at 01:50 PM
For most people functionality comes first and security is a distant second at best: http://hype-free.blogspot.com/2008/12/security-is-not-on-most-peoples-mind.html
It is still a long way to go where people will associate any kind of benefit with security.
Posted by: Cd-MaN | January 28, 2009 at 02:18 AM
I eventually came to the realisation that security is never ever done first and properly by *successful* companies. So there has to be an economic reason for this.
I tried to find a reason in the GP rants over on my blog (click on Iang/GP link). In short, security is too expensive in the early days when the priority is to prove the business model; the economics dictate that the system has to go into production without security, which means we must then build it on afterwards. Economically, anything that has security in from the beginning is too inflexible to migrate fast enough to find its business model, and the business model questions totally dominate the security questions.
If true, this does rather raise a number of questions... I think it is a real question we should be asking as to whether we can even think about establishing security up-front, or, as you intimate, as a necessary part of a framework?
Posted by: Iang (GP rants) | January 28, 2009 at 06:59 AM