Web Application Security: Choice Of Your Framework Makes All The Difference
Web frameworks automate much of the routine coding work, so developers can quickly and efficiently build, run and manage web applications without reinventing the basics or spending unnecessary time hunting for avoidable mistakes and bugs.
These software tools come in three variations: frontend (client-side), backend (server-side) and cross-functional frameworks. Backend or server-side frameworks consist of the languages, tools, rules and architecture required to develop a web application, and they supply the functionality without which the application would not work properly, including business logic, caching and web application security.
There is a widely held misconception that you can choose any web framework as long as the developer knows what he/she is doing and that the skills and knowledge level of the developer matters most in ensuring application security. We believe this is wrong. The framework choice matters greatly for web application security and therefore, we must exercise caution while making the choice. Let us discuss why.
- 1 Web Security Ranks High on The Priorities of Good developers
- 2 Vulnerable Frameworks and Languages = Vulnerable Web Application
- 3 Frameworks with Functionalities That are ‘Secure by Default’
- 4 Frameworks with Inbuilt Security Features
- 5 Frameworks with Clear and Thorough Documentation
- 6 Framework and The Time, Money and Hassle Costs for Secure Applications
Web Security Ranks High on The Priorities of Good developers
Good developers understand the criticality of web security and will always put it high on their priority list while developing applications. While most good developers understand that implementing their own secure session handling is imprudent and impractical, quite a few of them fall into the trap of implementing their own protection against Cross-Site Request Forgery (CSRF), XSS, SQL injection and similar attacks, which is detrimental to web application security. Good developers understand that CSRF protection and SQL injection defenses, like secure session handling, are the framework’s responsibility rather than something to hand-roll in each application.
Vulnerable Frameworks and Languages = Vulnerable Web Application
Most of the popular frameworks and the languages have or have had some vulnerabilities. Despite this, there are certain frameworks that are known for their better security track record than others. Even though there is no perfect framework, it is the responsibility of developers to choose a framework with a better security track record and be cognizant of the framework-specific problems. Why?
Even if the developer builds an amazing application that is as secure as it can be, it will not matter if the framework or language is vulnerable, because that makes your application vulnerable too. For instance, if a framework fails to protect your application and its sensitive data when an attacker uses a different HTTP method or sends a special character in a cookie, the fault lies with the framework, not your application. On the other hand, some frameworks are not known to face Remote File Inclusion (RFI) or code execution problems because such flaws are extremely difficult, if not impossible, to introduce in them.
Frameworks with Functionalities That are ‘Secure by Default’
Yes, there are frameworks that apply a ‘secure by default’ approach to some of their functionalities, protecting those functionalities from being exploited. As discussed earlier, it is extremely difficult to exploit such functions. However, developers may go out of their way to introduce vulnerabilities by meddling with these ‘secure by default’ features or finding ways to work around them. In such a case, there is nothing even the best frameworks can do for web application security!
Frameworks with Inbuilt Security Features
First off, it is just as imprudent and futile for developers to roll their own CSRF protection, XSS protection library or SQL injection filters as it is to roll their own crypto. Any good penetration tester or security professional with experience in website security checks, security audits and pen-tests will vouch for this!
So, evaluate your framework based on the availability of the following inbuilt security features.
- Secure session implementation
- Secure authentication mechanism
- Secure storage options
- Parameterized SQL Queries: Are they supported?
- Ways to avoid email header injections and new line injections
- Ways to prevent XSS vulnerabilities
- Secure way to execute OS commands to prevent injections
- Option to whitelist inputs
- Path normalization functions
Even if all these inbuilt features are not provided by the framework, choose a framework that provides a majority of these.
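To make the list concrete, here is an added example in Python (not code from the original article) showing how some of those inbuilt primitives look when a framework or its standard library supplies them: a string-built query beside a parameterized one, an allowlist check on input, path normalization with a containment check, and an OS command run as an argument list without a shell. The in-memory table, the probe strings and the helper names are constructed for this example.

```python
import os
import re
import sqlite3
import subprocess
import sys

def make_db():
    # Constructed in-memory table standing in for the application's data store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_vulnerable(conn, name):
    # Hand-built query string: the input is parsed as part of the SQL itself.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()

def find_user_parameterized(conn, name):
    # Placeholder binding: the driver keeps the value separate from the query text.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

def is_allowed_username(name):
    # Allowlist validation: accept only the shape the application expects.
    return USERNAME_RE.fullmatch(name) is not None

def is_within_base(base_dir, user_path):
    # Path normalization: resolve '..' and symlinks, then check the result stays under base_dir.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    return os.path.commonpath([base, target]) == base

def run_tool(arg):
    # Argument list, no shell: metacharacters in arg reach the child process literally.
    cmd = [sys.executable, "-c", "import sys; print(sys.argv[1])", arg]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.rstrip("\n")

def demo():
    conn = make_db()
    probe = "' OR '1'='1"  # constructed SQL injection probe string
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, probe)),
        "parameterized_rows": len(find_user_parameterized(conn, probe)),
        "probe_allowed": is_allowed_username(probe),
        "alice_allowed": is_allowed_username("alice"),
        "traversal_blocked": not is_within_base(".", "../outside"),
        "literal_arg": run_tool("report.txt; echo injected"),
    }
```

Running `demo()` shows the string-built query returning every row for the probe while the parameterized query returns none, the allowlist rejecting the probe, the traversal path being refused, and the command argument arriving unchanged.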
Frameworks with Clear and Thorough Documentation
It is important to choose frameworks that have clear and thorough documentation, as this directly affects not only your time and hassle costs but also application security. Terrible, unclear or confusing documentation makes it difficult for developers to understand the framework, to identify gaps and vulnerabilities, and to tell whether security and error checks have been included or whether the documented code snippets are secure.
Framework and The Time, Money and Hassle Costs for Secure Applications
It does happen that developers compromise security while developing web applications because securing them is costly, time-consuming and full of hassles. When a framework provides the requisite security through a good security track record, thorough documentation, inbuilt security features and ‘secure by default’ functionalities, it reduces the time, money and hassle costs of building secure applications.
But even after making the best choices and selecting very popular and secure frameworks, a security issue in the framework amplifies the problem and makes every application built on that framework vulnerable. The Apache Struts framework vulnerability should still be fresh in everyone’s mind. So, it is also highly recommended to have a defense mechanism in the form of a managed WAF, such as the one provided by AppTrana. This way you can react to such zero-day vulnerabilities quickly while the entire application stack built on the vulnerable framework is patched and fixed.
Even novice developers can then build secure applications without having to be security experts. And security experts like AppTrana can secure your applications from known and unknown vulnerabilities.
In conclusion, we would like to stress that framework choice matters in web application security!