I'm in the process of writing my diploma thesis on the prevention of web application security vulnerabilities and I'd like to know a bit about developers' views on technical and process-related questions. It would be great if you could take a couple of minutes and think about the questions below. The questions are mostly open-ended. Elaborate and skip questions at will. They may not be relevant to all of you, but I chose to be inclusive rather than to only ask the project lead.
Thank you very much in advance. If you want me to, I will provide you with the results of my research when it's done.
P.S.: I'm posting this in the English forum since I don't want to annoy the non-English community. It would probably be better if I could also reach the rest of the Redaxo community (which seems to speak German). The questionnaire should be in English since my thesis and all the questionnaires are too. I wouldn't mind if someone cross-posted the questionnaire to the German-speaking part if you all deem it OK.
Thanks all,
Florian
The questions:
Note: "you" means the project (Redaxo), not you personally!
About technical aspects:
- Are you using a web application framework? Which one?
- Do you use explicit data modeling for all business objects in the application?
- Do you have specific layers for input/output validation/filtering? (If applicable) What does the input/output layer do, respectively? How? Are you using external libraries? Why? Why not? (for HTML sanitization, object-relational mappers, database abstractions with prepared statements)
- (If applicable) What responsibilities do the input/output layers have, respectively?
- How do you ensure that all input passes through validation/filtering? Do you have an API that must be used?
- Do you provide services to independently developed modules/components? Is there a defined API?
- Which other external libraries do you use?
About the development process:
- Is there public documentation about the responsibilities of the input/output layers?
- Is there public documentation about *when* input/output validation/filtering should happen? (Like: "output filtering must always happen in the method that renders the data")
- Do you have automatic tests for the whole system?
Bonus question:
- Do you do manual code review?
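As an added illustration of the layering the questions ask about (this is not code from Redaxo or from the poster): a small PHP sketch in which request data enters only through a validation API, the database is reached only through prepared statements, and HTML escaping happens in the method that renders the data, as in the example rule quoted above. The class names, table name and fixture data are hypothetical and constructed for the example.

```php
<?php
// Added example, not Redaxo code: one input layer, one data-access layer
// built on prepared statements, and escaping placed in the render method.
final class Input
{
    /** The only entry point for request data: returns a validated id >= 1 or throws. */
    public static function id(array $raw, string $key): int
    {
        $v = filter_var($raw[$key] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($v === false) {
            throw new InvalidArgumentException("invalid id in '$key'");
        }
        return $v;
    }
}

final class ArticleRepository
{
    public function __construct(private PDO $db) {}

    /** Data access uses bound parameters only; no SQL is built from strings. */
    public function find(int $id): ?array
    {
        $stmt = $this->db->prepare('SELECT id, title FROM article WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

final class ArticleView
{
    /** Output filtering lives here, where the data is rendered, not in the repository. */
    public static function render(array $article): string
    {
        $title = htmlspecialchars($article['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return "<h1>{$title}</h1>";
    }
}

// Constructed in-memory fixture so the example runs offline (hypothetical table).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$db->prepare('INSERT INTO article (id, title) VALUES (?, ?)')->execute([1, 'Hello <b>world</b>']);

$id = Input::id(['id' => '1'], 'id');               // simulated request parameter
$article = (new ArticleRepository($db))->find($id);
echo ArticleView::render($article), "\n";           // the <b> tags are emitted escaped
```

Requires PHP 8 with the pdo_sqlite extension; a request value like `['id' => '1 OR 1=1']` is rejected by `Input::id` before it reaches the repository.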