What are the security pros and cons of using a Framework vs. CMS vs. Custom Built?


I’m up in the air in terms of going the route of a Framework, a CMS, or a custom built solution. I can use each route and accomplish the goal, though I want to make sure that it’s secure.

Here’s what my understanding is:
Custom Built Solution Pros:

  • Custom code, not publicly known as to how the system is built
  • If you know how to build something secure, you can keep up to date and fix on the fly

Custom Built Solution Cons:

  • If you don’t know how to build something secure, you’re probably going to have some vulnerabilities

Framework Built Solution Pros:

  • The framework could have methods/functions that do common things, of which where these methods/functions would be built securely
  • The framework, if a vulnerability was found, could be updated promptly by the community

Framework Built Solution Cons:

  • The framework code is publicly known
  • If you don’t know how to build something secure, you’re probably still going to have some vulnerabilities

And I believe the CMS and Framework pros/cons are quite similar. Am I on track with this? Is what I am saying completely wrong? Please help me out!


And I hope you remembered to handle multibyte strings everywhere, and made some really good design decisions - or never let anybody work on that code.

Just look at CodeIgniter - the ‘Form helpers’ library (which is a ‘core’ component) has stagnated like the rest of it and is still full of XSS holes. You can’t generalize, there are hundreds of ‘frameworks’ ranging from utter crap to nearing zen-like perfection.

More people actively using it usually contributes to more secure code, to the extent that I’d prefer a framework with a thousand developers using it professionally to a one-man job.

I know this is a dated thread, but Harry, I’ve written a good thing explaining why NOT to use Frameworks, http://blog.8thstudio.com/?p=51

Of course, it depends on the person and their beliefs, but in the long run, Frameworks will bottleneck and, well, become unsupported by their developers.

aalicki - while your argument is valid - I think it does not address web application security too well.
Security is difficult, getting it right is difficult, keeping up to date with all new attack vectors is difficult and expensive.

There are benefits of not using frameworks and there are benefits to do so.

The odds are that if I invent a framework of my own (be it OOP or procedural - it does not matter), I will not get things like data validation/sanitization right.

The good part is that there is a benefit (although you should not rely on it) of security by obscurity; the bad part is that you are on your own to figure out where the vulnerabilities are and how they are being exploited.

Securosis has a rather good article series.
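Two of the replies above make the same concrete point from different angles: the first warns that a hand-rolled helper has to get output escaping and multibyte strings right everywhere, and the last admits that a home-grown framework will probably get validation/sanitization wrong. The block below is an added illustration, not code from the thread or from CodeIgniter or any other framework mentioned: a naive form helper and length check of the kind a custom solution tends to accumulate, each next to a version that handles the case correctly. All function names and sample inputs are constructed for the example.

```python
"""Added example: naive vs. hardened form helper and length validation.

Not from the thread or any framework it mentions.  Every input below is
constructed; the point is that the 'works in testing' version and the
correct version look almost identical, which is why they get mixed up.
"""
import html
import unicodedata


def naive_input(name: str, value: str) -> str:
    """A helper that interpolates straight into HTML: no escaping at all."""
    return f'<input type="text" name="{name}" value="{value}">'


def safe_input(name: str, value: str) -> str:
    """Escape every untrusted string where it enters HTML.

    quote=True also converts " and ', so a value can never close the
    attribute it is placed in and start a new one.
    """
    return (f'<input type="text" name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(value, quote=True)}">')


def attribute_intact(markup: str) -> bool:
    """Test aid, not a parser: the helper emits exactly three attributes,
    so a well-formed result contains exactly six double quotes.  More
    means the value broke out of its attribute."""
    return markup.count('"') == 6


def naive_max_length_ok(value: str, limit: int) -> bool:
    """Byte-based check, like strlen() in a non-mb-aware codebase.  Rejects
    perfectly valid short names written in non-Latin scripts."""
    return len(value.encode("utf-8")) <= limit


def safe_max_length_ok(value: str, limit: int) -> bool:
    """Count code points after NFC normalisation, so an accented letter is
    one character whether it arrived precomposed or as base + combining mark."""
    return len(unicodedata.normalize("NFC", value)) <= limit


def naive_truncate(value: str, limit: int) -> str:
    """Slice bytes, then decode: can cut a multibyte sequence in half and
    leave a replacement character (or raise, without errors='replace')."""
    return value.encode("utf-8")[:limit].decode("utf-8", errors="replace")


def safe_truncate(value: str, limit: int) -> str:
    """Slice on code points after normalisation; never splits a character."""
    return unicodedata.normalize("NFC", value)[:limit]


if __name__ == "__main__":
    # Constructed value containing a double quote: enough to break the naive tag.
    user_value = 'x" data-injected="1'
    print(naive_input("q", user_value), attribute_intact(naive_input("q", user_value)))
    print(safe_input("q", user_value), attribute_intact(safe_input("q", user_value)))
    # Constructed three-character name that is nine bytes in UTF-8.
    print(naive_max_length_ok("日本語", 5), safe_max_length_ok("日本語", 5))
    print(repr(naive_truncate("日本語", 4)), repr(safe_truncate("日本語", 2)))
```

The lesson the two replies share is visible in the pairs: the safe versions are no longer, they just apply the right primitive (escape at output time, count characters rather than bytes) consistently. A framework with many professional users tends to have had these helpers corrected already; a custom codebase has to discover each one itself.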