Use a security framework or finger-nail?

6

I've had this doubt for some time now and I'm not so firm in a position even though I've taken one.

Whenever I develop or participate in the development of an application (WEB), we usually deal with finger-and-nail security, that is, we deal with all processes related to security, from sessions to encryption of passwords, etc. .

I remember hearing someone one day saying that you do not do this nowadays that it is better to always use a Framework (Spring, Apache Shiro, etc.).

What is your suggestion?

    
asked by Cold 15.09.2014 в 16:46

2 answers

6

Security is very difficult to do properly. The chances of you making a mistake are enormous. And especially if you have little knowledge of the subject, you should consider not knowing what to do, not just doing .

For example, when I first started working with Django I had never heard of CSRF . I only noticed that when using the framework, none of my POST requests via Ajax worked, and I did not understand why. I discovered afterwards that I had or to implement a boring stub, or disable the protection against CSRF in the settings. As I was still learning, I disabled it, leaving to see what was going on in the project (before it went into production, of course).

When I finally figured out what this attack was about (at the time, my jaw dropped, I had never imagined anything like this - which showed how limited my browser authentication knowledge was), I learned how to protect against it - and I saw how complicated it was ... Luckily, the key measures were right there in front of me, implemented by my framework, I just had to follow their instructions to use it. Reading more on the subject, I realized how in fact those measures were as effective as they were (without needing to "invent" anything else).

What would have been the result if I had tried to do everything by hand? Probably not very good, and this assuming I already knew well what needed to be done. But I did not even know the attack existed, much less that it was my responsibility to protect me from it. And unfortunately, this is what I have observed many times out there:

  • People using MD5 to havehear passwords;
    • Or worse, saving them in plain text!
  • "Security questions" being misused;
  • Ineffective methods of resetting a forgotten password;
  • Ad hoc attempts to secure communication without the use of SSL / TLS;
  • etc.

Each time someone tries to reinvent these wheels, something always ends up going wrong. And the worst: many times who develops or perceives that they are wrong. When a ready-made solution is rejected, of course, there's always a chance it's a bad solution, I'm not denying it. But the chance is much greater that it is more effective than what you intended to do by hand.

In conclusion, my recommendation is to always consider using what is already ready before attempting to do something yourself. If you know full well what you want, and your framework does exactly what you want, use it! Just implement something by hand when that is substantially different from what you are looking for, or perhaps when you seek something that goes beyond than what is offered to you ends up being really necessary, speaking from experience ...).

    
15.09.2014 в 17:14
2

@ColdHack,

I believe that using a framework for security is the best choice. Because the frameworks are developed by a larger team, with a larger community, where bugs are mostly discovered and reported. Reducing your failures in a very significant way. While nail safety will only be tested by your team, a security breach can be discovered by someone who does not report it to you.

This is my opinion, I am no security expert, but from what I have lived to this day, that's it.

I hope I have helped.

    
15.09.2014 в 17:08