When creating a web project, whether large or small, the process of selecting the underlying platform is an art. Although most developers, web architects, and stakeholders are generally aware of the security necessities, security is often the last item on their long list of daily priorities.
It must be stressed to development teams that the choice of platform, language and framework can have profound implications regarding the security of the final product.
A new project must first start by selecting a language and then a framework. Oftentimes an organization will standardize on one language, such as "pure Java EE" or "pure .NET"; however, it is common for larger organizations to run a wider range of technologies depending on their mix of off-the-shelf software, remnants of inherited technologies, and code written by outsourced companies. On top of this, the mobile world is forcing most organizations to support a smattering of additional technologies for the ever-growing litany of popular, must-have devices, and with all of this to digest, the importance of the right foundation often gets lost in translation.
Platform and framework decisions are often based on multiple variables such as the in-house talent pool, approved technology stacks, availability and price of developers, and cost of licenses, but what is rarely considered is the inherent security of the platform. Some platforms do have built-in protection: ASP.NET, for example, ships with controls against XSS, CSRF and SQL Injection, along with vetted security controls that simplify authentication, access control and a number of other risk-prone areas. Others, such as PHP, have very little or none at all, depending on the framework. In order to make the right decision for the project, it is necessary to factor in additional research on security controls, or training on how to use the built-in controls correctly, before the project even starts.
In some cases, it may be appropriate to pick a framework that has been further fortified against attacks. The Mozilla "Playdoh" project is a Python/Django-based framework that includes additional fortifications against common web application risks. ASP.NET, by contrast, has excellent built-in security features, but it can lock a project into a vendor-specific stack unless an open source implementation is used.
If looking into Java, projects such as Apache Shiro, Spring Security and JAAS, among others, can be used to implement added security around applications. It is important to understand, however, that additional security expertise will still be necessary for protection against the wider assortment of web risks these libraries do not cover.
PHP dominates the web landscape, yet from a security perspective the wide assortment of frameworks and do-it-yourself security controls has contributed to its reputation as vulnerable. However, as the understanding of web risks matures, PHP frameworks have also matured, and the popular PHP-based "Yii Framework" now touts security as a first-class feature, with built-in controls to mitigate SQL Injection and cross-site scripting, as well as input validation, outbound encoding, and authentication and authorization controls.
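As an added illustration, not from the original post, of the gap between do-it-yourself controls and the built-in parameterization and outbound encoding credited to frameworks like Yii, the following Python script (chosen over PHP so it runs with the standard library alone, against a constructed in-memory table) shows each pattern side by side:

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory stand-in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn


def find_user_diy(conn, name):
    """Do-it-yourself style: SQL assembled by string concatenation.
    The developer must remember to escape at every query site; here
    nothing does, so any apostrophe in the input alters the SQL itself."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    """Framework-style control: the driver binds the value as data, so
    the query shape is fixed no matter what the input contains."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_diy(rows):
    """Raw interpolation into HTML: database values are emitted verbatim."""
    return "".join(f"<li>{name}: {role}</li>" for name, role in rows)


def render_encoded(rows):
    """Outbound encoding: values are HTML-escaped at the point of output."""
    return "".join(f"<li>{html.escape(name)}: {html.escape(role)}</li>"
                   for name, role in rows)


def compare(name):
    """Run both lookups on the same input; the DIY path reports
    'sql error' when the input broke the statement it was pasted into."""
    conn = make_db()
    try:
        diy = find_user_diy(conn, name)
    except sqlite3.Error:
        diy = "sql error"
    return {"diy": diy, "param": find_user_param(conn, name)}


if __name__ == "__main__":
    print(compare("alice"))    # both paths agree on a plain name
    print(compare("O'Brien"))  # DIY path fails on a legitimate apostrophe
    print(render_encoded([("<b>bob</b>", "user")]))
```

The legitimate name O'Brien is enough to break the concatenated query, which is exactly the class of defect a framework's bound parameters and automatic output encoding remove from each developer's to-do list.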
The one major drawback to depending on a framework for security is the inevitable security flaw in the framework itself—even if developers pursued best practices, the resulting web application would remain vulnerable. There is no easy answer. Just as operating systems are continually patched against threats, web applications will ultimately go down the same route: they should be cataloged, monitored and eventually decommissioned, ending the vulnerable era of "forgotten web apps."
Factoring in security options when selecting a framework will not only save time, money and resources, but it will dramatically reduce the tedious effort of continuously chasing "after-thought" security needs in the long run.
For a matrix list of popular frameworks and the security controls they contain, check out the OWASP Web Framework Security Matrix.
**Neither Jerry Hoff nor WhiteHat Security has any business or financial relationship with any company or product mentioned in the post.