Hello habari developers,
I'm in the process of writing my diploma thesis on the prevention of web application security vulnerabilities and I'd like to know a bit about your fine project from the developer's point of view.

It would be great if you could take a couple of minutes and think about the questions below. The questions are mostly open-ended. Elaborate and skip questions at will. I'm sure these questions are not relevant for everybody on this list but I would like to be rather inclusive and not only address the project lead. I also know that part of these questions can be answered by looking at your web page but I'd like to see the developer's view and also uncover discrepancies which might be present.

Thank you very much in advance. I will provide you with a link to the results of my thesis when it's done.
Florian
The questions:

About technical aspects:
- Are you using a web application framework? Which one?
- Do you use explicit data modeling for all business objects in the application?
- Do you have specific layers for input/output validation/filtering? (If applicable) What does the input/output layer do (respectively)? How? Are you using external libraries? Why? Why not? (for HTML sanitation, object-relational mappers, database abstractions with prepared statements)
- (If applicable) What responsibilities do the input/output layers have, respectively?
- How do you ensure that all input passes through validation/filtering? Do you have an API that must be used?
- Do you provide services to independently developed modules/components? Is there a defined API?
- Which other external libraries do you use?

About the development process:
- Is there public documentation about the responsibilities of the input/output layers?
- Is there public documentation about *when* input/output validation/filtering should happen? (Like: "output filtering must always happen in the method that renders the data")
- Do you have automatic tests for the whole system?

Bonus question:
- Do you do manual code review?
Was this supposed to be about our own projects, or just Habari?
In case it was unclear to others besides me, Habari doesn't use Cake.
Owen
You're 15 days late.
S
We should switch to Cake!
America/Montreal
for you purists.
S
+1. With a fork.
Thanks,
Joey Brooks
Milk Carton Designs || milkcartondesigns.com