

Dave Tauzell

Many frameworks do have *some* security features. Usually related to cross-site-scripting, or such.

What is the list of features you think could be included in web frameworks?

Gunnar Peterson

Dave - exactly. They all have *some*, all I am saying is factor those into the comparison. In Tim Bray's example, the differences between the security stories in PHP, Rails, and Java are vast.

As for the list, you'll have to wait for a future post...


For most people functionality comes first and security is a distant second at best: http://hype-free.blogspot.com/2008/12/security-is-not-on-most-peoples-mind.html

There is still a long way to go before people will associate any kind of benefit with security.

Iang (GP rants)

I eventually came to the realisation that security is never ever done first and properly by *successful* companies. So there has to be an economic reason for this.

I tried to find a reason in the GP rants over on my blog (click on Iang/GP link). In short, security is too expensive in the early days when the priority is to prove the business model; the economics dictate that the system has to go into production without security, which means we must then build it on afterwards. Economically, anything that has security in from the beginning is too inflexible to migrate fast enough to find its business model, and the business model questions totally dominate the security questions.

If true, this does rather raise a number of questions .... I think it is a real question we should be asking as to whether we can even think about establishing security up-front, or, as you intimate, as a necessary part of a framework?
