Are secure web frameworks reducing long term security?
Mon 12th June 12
Are secure web frameworks a step backwards for security? I started thinking about this when I looked at web2py for a project I'm starting. One of its big claims (see their Security section) is that it implements a whole host of features to protect the application against common security vulnerabilities, including XSS and SQLi. My first reaction to this was split: partly that if it does everything it claims, everyone should be using it and it will put some pen-testers out of a job [1]; but second, that if someone finds a vulnerability in the framework, then everyone is in trouble.
So why am I suggesting this could be a step backwards? A bit of history will help with this...
When people first started developing web apps, most people didn't know or care about security. SQLi, XSS and all sorts of other problems were widespread, but no one knew how to attack them, so everything was good. Attackers then started to understand the new attack vectors and started attacking sites. Some developers, but by no means all, also started to understand the attacks and began to write defensively to protect their applications. Since then there has been a to and fro of new attacks generating new defences and vice versa. Things are never fully secure, but there is now a good general awareness of security in the development community [2].
So back to the new frameworks. If you look at the claims made by web2py (and I'm only mentioning them because I've seen them recently; I include all other secure frameworks in this group), developers no longer need to worry about defending their apps against the basic attacks, as the frameworks will do the defence for them. What worries me is that as new developers come into the industry using these frameworks, they will not need to know anything about SQLi or XSS, because the frameworks will be seen to be doing the work for them. They will grow up in the same way as the original developers did: blissfully unaware of the security risks around them.
With training budgets always under pressure to be cut, secure coding training will be dropped as it will no longer be seen as required: why train someone to defend when they don't need to?
I know I'm massively generalising here, but I think the point is valid: take someone who has grown up developing in a secure framework out of that framework, ask them to develop an app from scratch, and I bet what they create will be as full of holes as the original apps were.
So do I think we should get rid of these frameworks and make everyone create their own defences? No. The frameworks do add a huge amount to the security of applications, and that is definitely to be welcomed, but I do think we should also try to ensure developers are still trained to write defensive code on top of them. Defence in depth is a very useful thing: if the worst were to happen and someone did find a vulnerability in the protections offered by the frameworks, then someone who had built their own defences on top would hopefully be at a much lower risk than those who relied purely on the framework.
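To make the defence-in-depth point concrete, here is an added example (not code from the post or from web2py) showing an application-level allow-list check sitting in front of the framework-level parameterised query, plus explicit output encoding. The table, the `USERNAME_RE` pattern and the function names are assumptions for illustration; the idea is that bad input is rejected before it ever reaches the framework's layer, so a flaw there would not be reached.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


# Assumed allow-list for a username field: letters, digits, '_', '.', '-', 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(value):
    """Application-level defence written by the developer, independent of the
    framework: anything outside the field's expected format is rejected,
    quote characters and angle brackets included."""
    if not isinstance(value, str) or not USERNAME_RE.match(value):
        raise ValueError("username has unexpected characters")
    return value


def find_user_framework_only(conn, name):
    """Framework-level defence: a parameterised query, which is what a DAL such as
    web2py's does for you. Note there is no validation of our own here."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def find_user_defence_in_depth(conn, name):
    """Both layers: the developer's validation runs first, so a malformed value
    never reaches the query layer even if that layer were to fail one day."""
    return find_user_framework_only(conn, validate_username(name))


def render_name(name):
    """Output layer: encode for HTML explicitly, rather than relying solely on a
    template engine's auto-escaping, so a second failure would still be covered."""
    return html.escape(name, quote=True)
```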
[1] The bad ones who just run automated scanners, not the good ones who actually test the application.
[2] This is debatable but I do think developers are getting better.