Use a security framework or do it by hand?


6

I have had this doubt for some time, and to this day I am not firm in a position, despite having taken a.

Whenever I develop, or take part in the development of, a (web) application, we usually handle security by hand, i.e., we handle every security-related process ourselves, from sessions to password encryption, etc.

I remember hearing someone say one day that this is no longer done nowadays, that it is better to always use a framework (Spring, Apache Shiro, etc.).

What is your suggestion?

2 answers

6

Security is something very difficult to do properly. The chances of you making a mistake are enormous, and especially if you have little knowledge of the subject, there is the possibility that you do not know very well what to do, not only how to do it.

By way of example, when I started working with Django I had never heard of CSRF. I just noticed that when using the framework, none of my POST requests via Ajax worked, and I didn't understand why. I found out later that I had either to implement a boring piece of code or to disable CSRF protection in the settings. As I was still learning, I disabled it, leaving it to be looked at later in the project (before it went into production, of course).

When I finally found out what this attack was about (at the time, my jaw dropped, because I had never imagined anything like this, which showed how limited my knowledge of browser authentication was), I went to learn the ways to protect myself against it, and I saw how complicated the situation was... Luckily, the main measures were right there in front of me, implemented by my framework; I just had to follow its instructions to use them. Reading more on the subject, I realized how effective those measures in fact were as they stood (without my having to "invent" anything else).

What would have been the result if I had tried to do everything by hand? Probably not very good, and that's assuming I already knew well what I needed to do. But I didn't even know that the attack existed, much less that it was my responsibility to protect against it. And unfortunately, that's what I've observed many times around:

  • People using MD5 to hash passwords;
    • Or worse, saving them in plain text!
  • "Security questions" being misused;
  • Ineffective methods of resetting a forgotten password;
  • Ad hoc attempts to protect communication without using SSL/TLS;
  • etc.

Every time someone tries to reinvent these wheels, something always ends up going wrong. And worse: often those who develop do not even realize that they are wrong. When you reuse a ready-made solution, of course, there's always the chance that it's a bad solution, I'm not denying that. But the chance is much greater that it will be more effective than what you intended to do by hand.

So, in conclusion, my recommendation is to always consider using what is already ready before trying to do something yourself. If you know what you want, and your framework does exactly what you want, use it! Only implement something by hand when it is substantially different from what you seek, or maybe when you seek something that goes beyond what is offered to you (and often that ends up being necessary, speaking from experience...).

  • Okay @mgibonbr. Following on from this question: http://answall.com/questions/32533/algoritimo-contrabrute-force/32577?noredirect=1#comment61825_32577 now I ask: are frameworks flexible in how they deal with this issue, or will we always have to do it ourselves?

  • That depends on what the framework has to offer... As I mentioned in the last paragraph, there are situations in which what you want goes beyond what is offered, in which case all that remains is to seek an external solution (e.g., a library) or to implement it yourself. I don't know many frameworks, but I know that Django doesn't offer any of that (you need to use something like django-axes or django-ratelimit, from third parties). Others may have native features for this.
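The CSRF protection the answer above describes is the synchronizer token pattern: the server binds a secret token to the session, renders it into its own pages, and refuses state-changing requests that do not carry it back. The following is an added example written for this page, not Django's middleware; the names (`csrfmiddlewaretoken`, `X-CSRFToken`, `sessionid`, `TRUSTED_ORIGINS`, the sample requests) are assumptions chosen to resemble what a Django user sees. It also shows why the answerer's Ajax POSTs failed (no token in the header) and what turning the check off actually means.

```python
import hashlib
import hmac
import secrets

# Assumed deployment values for this example (not Django's real settings):
SECRET_KEY = secrets.token_bytes(32)          # server-side secret, from config in practice
TRUSTED_ORIGINS = {"https://app.example.com"}  # the origin the application is served from
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def csrf_token_for_session(session_id: str) -> str:
    """Derive the CSRF token bound to a session (synchronizer token pattern).

    The server renders this into its own HTML forms (a hidden input) and/or a
    cookie that the page's own JavaScript reads and sends as a header.  Code
    running on another origin can read neither that DOM nor that cookie, so it
    cannot produce the value.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(request: dict) -> tuple[int, str]:
    """Return (status, reason) for a request, as CSRF middleware would before the view runs."""
    if request["method"] not in UNSAFE_METHODS:
        return 200, "safe method, no check"          # GET etc. must have no side effects

    session_id = request["cookies"].get("sessionid")
    if not session_id:
        return 403, "no session"

    # Defence in depth: when the browser sends Origin, it must be one of ours.
    origin = request["headers"].get("Origin")
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return 403, "untrusted Origin"

    # The token may arrive in the form body or, for Ajax, in a custom header.
    submitted = (request["form"].get("csrfmiddlewaretoken")
                 or request["headers"].get("X-CSRFToken") or "")
    expected = csrf_token_for_session(session_id)
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403, "CSRF token missing or wrong"
    return 200, "ok"


def transfer_view(request: dict, csrf_enabled: bool = True) -> tuple[int, str]:
    """A state-changing view; csrf_enabled=False models switching the protection off."""
    if csrf_enabled:
        status, reason = csrf_check(request)
        if status != 200:
            return status, reason
    form = request["form"]
    return 200, f"transferred {form['amount']} to {form['to']}"


# Constructed sample requests.  The browser attaches the victim's session
# cookie to all three, because that is what browsers do; only a page that
# the application itself served can fill in the token.
VICTIM_SESSION = "s3ss10n-0f-v1ct1m"

LEGIT_REQUEST = {
    "method": "POST",
    "cookies": {"sessionid": VICTIM_SESSION},
    "headers": {"Origin": "https://app.example.com"},
    "form": {"to": "alice", "amount": "10",
             "csrfmiddlewaretoken": csrf_token_for_session(VICTIM_SESSION)},
}

# A <form> auto-submitted from the attacker's page (a modern browser sends Origin).
FORGED_REQUEST = {
    "method": "POST",
    "cookies": {"sessionid": VICTIM_SESSION},
    "headers": {"Origin": "https://evil.example"},
    "form": {"to": "mallory", "amount": "1000"},
}

# Same attack from a client that omits Origin: the token check still catches it.
FORGED_NO_ORIGIN = {**FORGED_REQUEST, "headers": {}}


if __name__ == "__main__":
    print(transfer_view(LEGIT_REQUEST))                       # (200, 'transferred 10 to alice')
    print(transfer_view(FORGED_REQUEST))                      # (403, 'untrusted Origin')
    print(transfer_view(FORGED_NO_ORIGIN))                    # (403, 'CSRF token missing or wrong')
    print(transfer_view(FORGED_REQUEST, csrf_enabled=False))  # (200, 'transferred 1000 to mallory')
```

The last line is the situation the answer describes: with the check disabled, the forged request is indistinguishable from a legitimate one, because the cookie alone proves nothing about who built the request. For Ajax the fix is to read the token the page already has and send it in the header, not to switch the middleware off.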
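The first item in the answer's list, MD5 for passwords, is worth seeing next to what a framework's password hasher does instead. This is an added example, not Django's hasher, using only the Python standard library; the record format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are this example's own choices (600,000 is the figure OWASP's Password Storage Cheat Sheet gives for PBKDF2-HMAC-SHA256).

```python
import base64
import hashlib
import hmac
import secrets

# Assumed work factor; revisit it as hardware gets faster.
ITERATIONS = 600_000


def md5_hash_password(password: str) -> str:
    """The mistake from the list: fast and unsalted, so equal passwords give
    equal hashes and precomputed tables apply directly.  Shown only for contrast."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256.  The output is self-describing
    ("algorithm$iterations$salt$hash"), so the parameters can be raised later
    without breaking existing records."""
    salt = secrets.token_bytes(16)                       # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64), int(iterations))
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    except (ValueError, TypeError):
        return False                                     # malformed record


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record is not PBKDF2 or uses fewer iterations than the
    current setting.  A framework checks this on successful login and
    re-hashes with the password it has just verified."""
    try:
        algorithm, stored_iterations, _, _ = stored.split("$")
        return algorithm != "pbkdf2_sha256" or int(stored_iterations) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed demonstration: two users who chose the same password.
    print(md5_hash_password("correct horse") == md5_hash_password("correct horse"))  # True: leak reveals the match
    print(hash_password("correct horse") == hash_password("correct horse"))          # False: salts differ
    record = hash_password("correct horse")
    print(verify_password("correct horse", record))    # True
    print(verify_password("Correct horse", record))    # False
    print(needs_rehash(md5_hash_password("x")))        # True: legacy record, upgrade on next login
```

The points a hand-rolled version usually misses are all present here and easy to forget individually: a per-record random salt, a deliberately slow derivation, a constant-time comparison, and a record format that lets the work factor be raised without a migration.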

1

@Coldhack,

I believe that using a framework for security is the best choice, because frameworks are developed by a larger team, with a larger community, where bugs are mostly discovered and reported, reducing your failures in a very significant way. Security developed by hand, on the other hand, will be tested only by your team, and a security breach can be discovered by someone malicious who does not report it to you.

That’s my opinion, I’m no security expert, but from what I’ve lived to this day, that’s it.

I hope I’ve helped.

  • Thank you for the reply, @Rubico. On the other hand, I see that frameworks are usually known to a lot of people, and studying their list of bugs only facilitates the attack process. However, you are right, because a larger and specialized team knows better and has better techniques.
