  1. #1
    SitePoint Zealot
    Join Date
    Dec 2006
    Posts
    134

    Question: What are the security pros and cons of using a Framework vs. CMS vs. Custom Built?

    Hello,

    I'm up in the air in terms of going the route of a Framework, a CMS, or a custom built solution. I can use each route and accomplish the goal, though I want to make sure that it's secure.

    Here's what my understanding is:
    Custom Built Solution Pros:
    - Custom code, not publicly known as to how the system is built
    - If you know how to build something secure, you can keep up to date and fix on the fly

    Custom Built Solution Cons:
    - If you don't know how to build something secure, you're probably going to have some vulnerabilities

    Framework Built Solution Pros:
    - The framework could have methods/functions that do common things, where these methods/functions would be built securely
    - The framework, if a vulnerability was found, could be updated promptly by the community

    Custom Built Solution Cons:
    - The framework code is publicly known
    - If you don't know how to build something secure, you're probably still going to have some vulnerabilities

    And I believe the CMS and Framework pros/cons are quite similar. Am I on track with this? Is what I am saying completely wrong? Please help me out!

    Thanks,
    Nathaniel

  2. #2
    SitePoint Wizard HarryR
    Join Date
    Dec 2004
    Location
    London, UK
    Posts
    1,376
    Originally Posted by NathanielB:
        Custom Built Solution Pros:
        - Custom code, not publicly known as to how the system is built
        - If you know how to build something secure, you can keep up to date and fix on the fly
    And I hope you remembered to handle multibyte strings everywhere, and made some really good design decisions - or never let anybody work on that code.

    Originally Posted by NathanielB:
        Framework Built Solution Pros:
        - The framework could have methods/functions that do common things, where these methods/functions would be built securely
        - The framework, if a vulnerability was found, could be updated promptly by the community
    Just look at CodeIgniter - the 'Form helpers' library (which is a 'core' component) has stagnated like the rest of it and is still full of XSS holes. You can't generalize, there are hundreds of 'frameworks' ranging from utter crap to nearing zen-like perfection.

    Originally Posted by NathanielB:
        Custom Built Solution Cons:
        - The framework code is publicly known
    The more people actively using it usually contributes to more secure code, to the extent that I'd prefer a framework with a thousand developers using it professionally than a one-man job.
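    The two things Harry calls out above, output escaping in form helpers and multibyte string handling, are concrete enough to show in code. The following is an added example written for this thread, not CodeIgniter's form helper or any other framework's code: a throwaway `form_input_unsafe()` helper that pastes values straight into markup, beside a hardened `form_input()` that escapes every attribute for an HTML context, followed by the byte-versus-character truncation mistake that is the usual multibyte slip. The helper names and the sample values are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from any framework.

// Escape a value for use inside a double-quoted HTML attribute or a text node.
// ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE replaces malformed UTF-8
// sequences instead of silently returning an empty string, and the charset
// must match the page's declared encoding: an escaper that decodes the bytes
// as a different encoding than the browser does can be bypassed.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The naive helper: raw concatenation. A value containing a double quote
// terminates the attribute and whatever follows becomes new markup.
function form_input_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// The hardened helper: every dynamic piece goes through the escaper, so the
// value can only ever appear as attribute content.
function form_input(string $name, string $value): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '">';
}

// Constructed sample: the kind of value that gets re-displayed in a form
// after a validation error, which is the classic reflected-XSS location.
$submitted = '" onmouseover="alert(1)';

echo form_input_unsafe('email', $submitted), PHP_EOL;
echo form_input('email', $submitted), PHP_EOL;

// Multibyte caveat: PHP's byte-oriented string functions do not know where a
// character ends. Truncating a UTF-8 name with substr() can cut a two-byte
// character in half and leave an invalid sequence, which some escapers and
// database layers then mishandle. The mb_* functions work on code points.
function truncate_bytes(string $s, int $n): string
{
    return substr($s, 0, $n);
}

function truncate_chars(string $s, int $n): string
{
    return mb_substr($s, 0, $n, 'UTF-8');
}

// Constructed sample: 'ü' is two bytes in UTF-8, so the byte cut after
// position 2 lands in the middle of it.
$name = 'Müller';
var_dump(mb_check_encoding(truncate_bytes($name, 2), 'UTF-8'));
var_dump(mb_check_encoding(truncate_chars($name, 2), 'UTF-8'));
```

Running this with the PHP CLI shows the unsafe helper emitting the submitted quote and event-handler attribute verbatim, while the hardened helper turns the quotes into `&quot;` so the value stays inside `value="..."`. The two `mb_check_encoding()` calls differ: the byte truncation yields invalid UTF-8 and the character truncation does not, which is the class of bug Harry's "handle multibyte strings everywhere" refers to.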

  3. #3
    SitePoint Enthusiast
    Join Date
    Apr 2009
    Location
    Greenville, South Carolina, United States
    Posts
    50
    I know this is a dated thread, but Harry, I've written a good thing explaining why NOT to use Frameworks, http://blog.8thstudio.com/?p=51

    Of course, it depends on the person and their beliefs, but in the long run, Frameworks will bottleneck and, well, become unsupported by their developers.
    Phase 8 Facebook Applications and Web Development

  4. #4
    secure webapps for all Aleksejs
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    aalicki - while your argument is valid - I think it does not address web application security too well.
    Security is difficult, getting it right is difficult, keeping up to date with all new attack vectors is difficult and expensive.

    There are benefits of not using frameworks and there are benefits to do so.

    The odds are that if I invent a framework of my own (be it oop or procedural - it does not matter), I will not get things like data validation/sanitation right.

    The good part is that there is benefit (although you should not rely on that) of security by obscurity, the bad part, well you are on your own to figure out where the vulnerabilities are and how they are being exploited.

    Securosis has a rather good article series.
    http://securosis.com/blog/comments/w...are-different/
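    Aleksejs's point that a home-grown framework will probably get validation and sanitation wrong is worth making concrete. The block below is an added example for this thread, not code from any framework or from the Securosis articles. It contrasts the "strip the bad stuff I know about" style of sanitation with allow-list validation that accepts only input matching an explicit definition and rejects everything else. The function names, field definitions and the sample submission are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from any framework.

// Roll-your-own sanitation: remove one known-bad token. Every variant that
// was not anticipated (different case, nested tags, attribute-based payloads)
// passes through untouched, and the data was never actually checked.
function sanitise_blacklist(array $input): array
{
    $clean = [];
    foreach ($input as $field => $value) {
        $clean[$field] = str_replace('<script>', '', (string) $value);
    }
    return $clean;
}

// Allow-list validation: each field has a precise definition, anything that
// does not match is rejected with an error, and free text is only bounded
// (length, encoding) because it must be escaped at output time anyway.
function validate_allowlist(array $input): array
{
    $errors = [];
    $clean  = [];

    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'not a valid address';
    } else {
        $clean['email'] = $email;
    }

    // Username: 3 to 32 characters from an explicit set. The /D modifier
    // stops $ from matching just before a trailing newline, a common gap
    // in hand-written regex checks.
    $username = (string) ($input['username'] ?? '');
    if (!preg_match('/^[a-z0-9_]{3,32}$/D', $username)) {
        $errors['username'] = 'use 3-32 lowercase letters, digits or underscores';
    } else {
        $clean['username'] = $username;
    }

    // Age: a whole number inside a plausible range, not merely "numeric".
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'must be a whole number between 13 and 120';
    } else {
        $clean['age'] = $age;
    }

    // Display name: free text, so validation checks encoding and length only.
    // No markup is stripped here; the value is escaped where it is rendered.
    $display = (string) ($input['display_name'] ?? '');
    if (!mb_check_encoding($display, 'UTF-8') || mb_strlen($display, 'UTF-8') > 64) {
        $errors['display_name'] = 'must be valid UTF-8 of at most 64 characters';
    } else {
        $clean['display_name'] = $display;
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample submission with one subtle problem per field.
$submission = [
    'email'        => 'nathaniel@example.com',
    'username'     => "nathaniel\n",            // trailing newline
    'age'          => '0x1A',                   // hex, not a plain integer
    'display_name' => '<ScRiPt>alert(1)</ScRiPt>', // mixed case tag
];

print_r(sanitise_blacklist($submission));
print_r(validate_allowlist($submission));
```

The blacklist version returns every field unchanged, including the mixed-case tag it was written to remove, because `str_replace()` is case-sensitive and the check was never a definition of valid input. The allow-list version rejects the username (the `\n` fails the anchored pattern) and the age (`FILTER_VALIDATE_INT` does not accept hexadecimal without `FILTER_FLAG_ALLOW_HEX`), and accepts the display name as data to be escaped on output rather than trying to guess which characters are dangerous.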
