[development] Process and technology questionnaire

[Florian Thiel]

Hello drupal developers,

I'm in the process of writing my diploma thesis on the prevention of
web application security vulnerabilities and I'd like to know a bit
about your fine project from the developer's view. It would be great
if you could take a couple of minutes and think about the questions
below.

The questions are mostly open-ended. Not all may apply to all
developers, but I've chosen to not only address project leads.
Elaborate and skip questions at will.

Thank you very much in advance. I will provide you with the
results of my thesis when it's done it you want. There will probably
be some findings about what can be done to prevent security
vulnerabilities, in particular XSS and SQL injections in open source
web applications.

Florian

The questions:

About technical aspects:
- Are you using a web application framework? Which one?
- Do you use explicit data modeling for all business objects in the
  application?
- Do you have a specific layers for input/output validation/filtering?
  (If applicable) What does the input/output layer do (respectively)?
  How? Are you using external libraries? Why? Why not? (for HTML
  sanitation. object-relational mappers, database abstractions with
  prepared statements)?
- (If applicable) What responsibilities do the input/output layers
  have, respectively?
- How do you ensure that all input passed through validation/
  filtering? Do you have an API that must be used?
- Do you provide services to independently developed modules/
  components? Is there a defined API?
- Which other external libraries do you use?

About the development process:
- Is there public documentation about the responsibilities of the
  input/output layers?
- Is there public documentation about *when* input/output validation/
  filtering should happen? (Like: "output filtering must always happen
  in the method that renders the data")
- Do you have automatic tests for the whole system?

Bonus question:
- Do you do manual code review?