Hello drupal developers,

I'm in the process of writing my diploma thesis on the prevention of web application security vulnerabilities and I'd like to know a bit about your fine project from the developer's view. It would be great if you could take a couple of minutes and think about the questions below.

The questions are mostly open-ended. Not all may apply to all developers, but I've chosen to not only address project leads. Elaborate and skip questions at will.

Thank you very much in advance. I will provide you with the results of my thesis when it's done if you want. There will probably be some findings about what can be done to prevent security vulnerabilities, in particular XSS and SQL injections in open source web applications.

Florian

The questions:

About technical aspects:
- Are you using a web application framework? Which one?
- Do you use explicit data modeling for all business objects in the application?
- Do you have specific layers for input/output validation/filtering? (If applicable) What does the input/output layer do (respectively)? How? Are you using external libraries? Why? Why not? (for HTML sanitation, object-relational mappers, database abstractions with prepared statements)?
- (If applicable) What responsibilities do the input/output layers have, respectively?
- How do you ensure that all input passed through validation/filtering? Do you have an API that must be used?
- Do you provide services to independently developed modules/components? Is there a defined API?
- Which other external libraries do you use?

About the development process:
- Is there public documentation about the responsibilities of the input/output layers?
- Is there public documentation about *when* input/output validation/filtering should happen? (Like: "output filtering must always happen in the method that renders the data")
- Do you have automatic tests for the whole system?

Bonus question:
- Do you do manual code review?
On 31-Mar-09, at 8:53 AM, Florian Thiel wrote:
I'm in the process of writing my diploma thesis on the prevention of web application security vulnerabilities and I'd like to know a bit about your fine project from the developer's view.
Most of these questions can easily be answered between api.drupal.org, http://drupal.org/handbooks, http://drupal.org/writing-secure-code, and inspecting the Drupal source. If you want to see where the project is going, versus where the code is today in the stable release, focus your search on Drupal 7 (HEAD in CVS). Good luck!

--Andrew
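The two points the questionnaire circles around, placeholder queries against SQL injection and output filtering done by the code that renders the data, shown as an added example in Drupal 6 style (this is not code from the thread, from http://drupal.org/writing-secure-code, or from Drupal core; the module name `example`, its menu path and the use of the core {comments} table are assumptions):

```php
<?php
// Added illustration, not code from this thread or from Drupal core.
// Assumed: a hypothetical "example" module on Drupal 6 core APIs and the
// core {comments} table with columns cid, name and comment.

// hook_menu(): register example/author/% with its page callback.
function example_menu() {
  $items['example/author/%'] = array(
    'title' => 'Comment author',
    'page callback' => 'example_author_page',
    'page arguments' => array(2),
    'access arguments' => array('access comments'),
  );
  return $items;
}

// Page callback. Flow: untrusted argument -> typed value -> placeholder
// query -> raw strings handed to the theme layer, which does the escaping.
function example_author_page($cid) {
  $cid = (int) $cid;  // input layer: enforce the expected shape early
  // Database layer: %d binds an integer; the query string is never built by
  // concatenation ("... WHERE cid = " . $cid would be the injectable form).
  $row = db_fetch_object(db_query(
    "SELECT name, comment FROM {comments} WHERE cid = %d", $cid));
  if (!$row) {
    drupal_not_found();
    return;
  }
  // The loader returns raw data; escaping is not done here, so the renderer
  // can neither skip it nor double it.
  return theme('example_author_line', $row->name, $row->comment);
}

// hook_theme(): declare the render function below (D6 'arguments' form).
function example_theme() {
  return array(
    'example_author_line' => array(
      'arguments' => array('name' => NULL, 'body' => NULL)),
  );
}

// Output layer: escaping happens in the function that emits HTML.
// t() runs check_plain() on @-placeholders; filter_xss() reduces body text
// that may legitimately carry markup to its default tag whitelist.
function theme_example_author_line($name, $body) {
  $author = t('Written by @name', array('@name' => $name));
  return '<p class="author">' . $author . '</p>' . "\n"
       . '<div class="body">' . filter_xss($body) . '</div>';
}
```

Storing raw values and escaping only in the theme function is what makes "output filtering in the method that renders the data" checkable: a reviewer only has to inspect the functions that emit HTML.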
Florian,

I am copying the security team as well in case someone there is interested in getting in touch with you.

This page http://drupal.org/security-team and the pages under it (linked at the bottom) will also provide you with some more information about the security process within Drupal.

And on this page you will find the security advisories, broken into core/contrib/public service announcements: http://drupal.org/security

On Tue, Mar 31, 2009 at 8:53 AM, Florian Thiel wrote:
--
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
Simplicity is the ultimate sophistication. -- Leonardo da Vinci
Participants (3): Andrew Berry, Florian Thiel, Khalid Baheyeldin