Tuesday, January 27, 2009

Web Developers: Don't Reinvent the Non-secured Wheel

I'm thinking about beginning another web project. Before one gets to coding the fun part of any web application, though, there is a lot of core code that needs to be written: login, user management, session management, user registration, logout, etc. But writing secure applications can be tricky, and any attempt to roll your own is likely to have security flaws. Open source can solve both of these problems: the code is already written, letting you get on to the fun stuff; and if it has already been vetted by a large developer community, you get the security benefit of past mistakes having been found and fixed.

One might think that reference implementations of these would be readily available in every web language, and that we would all be using them by now.

Kudos to OWASP for developing one themselves, in their Enterprise Security API (ESAPI) project. It details all the functions that a secure application needs and, better still, offers a reference implementation of them in Java.
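To make the point concrete, here is an added example of what "not reinventing the wheel" looks like in practice. It is not code from the post or from OWASP; it is a minimal registration, login, logout and display flow built on the ESAPI 2.x reference Authenticator, Validator and Encoder rather than on hand-rolled credential handling. It assumes the ESAPI 2.x jar and its dependencies are on the classpath, that a configured ESAPI.properties is present (it names the request parameters the Authenticator reads for username and password and defines the "AccountName" validation pattern used below), and that a javax.servlet container supplies the request and response objects. The class and method names are the example's own.

```java
// Added example, not code from the original post or from OWASP.
// Assumptions: ESAPI 2.x on the classpath, a configured ESAPI.properties,
// and a javax.servlet container supplying request/response objects.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AuthenticationException;
import org.owasp.esapi.errors.ValidationException;

public class EsapiAccountFlow {

    // Registration: validate the account name against the "AccountName"
    // whitelist pattern from ESAPI.properties, then let ESAPI enforce its
    // password policy, hash and store the credential, and reject a
    // mismatched confirmation. Nothing here compares or stores a password
    // by hand.
    public static User register(String accountName, String password, String confirm)
            throws ValidationException, AuthenticationException {
        String safeName = ESAPI.validator().getValidInput(
                "registration account name", accountName, "AccountName", 20, false);
        User user = ESAPI.authenticator().createUser(safeName, password, confirm);
        // The reference authenticator creates accounts disabled; enable
        // explicitly once registration is complete.
        user.enable();
        return user;
    }

    // Login: ESAPI reads the credentials from the request, applies lockout
    // and expiry checks, verifies the stored hash, and binds the user to
    // the session.
    public static User login(HttpServletRequest req, HttpServletResponse resp)
            throws AuthenticationException {
        User user = ESAPI.authenticator().login(req, resp);
        // Rotate the session identifier after authentication so that a
        // session id handed out before login cannot be reused afterwards.
        ESAPI.httpUtilities().changeSessionIdentifier(req);
        return user;
    }

    // Logout: clears the current user and tears down ESAPI's session state.
    public static void logout() {
        ESAPI.authenticator().logout();
    }

    // Echoing the account name back into a page: encode for the HTML
    // context instead of concatenating raw user data into markup.
    public static String greeting() {
        User current = ESAPI.authenticator().getCurrentUser();
        return "<p>Welcome, "
                + ESAPI.encoder().encodeForHTML(current.getAccountName())
                + "</p>";
    }
}
```

The useful property is that every security decision (password strength, hashing, lockout, session binding, output encoding) lives in the vetted library and is configured in ESAPI.properties, so an application author touches only the glue shown here.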

I'd love to see the web development community support this project by developing reference implementations in PHP, ColdFusion, and .NET. Implementations in each of the popular frameworks would go a long way toward making the web a safer place, and would make the development of every new web application that much easier.

Saturday, January 3, 2009

Journalspace.com dies instantly, for lack of a smart CTO

Hearts out to anyone who blogged on Journalspace.com. The service is dead now, in a heartbeat, because they did not back up their data. Ever, apparently.

Hard to believe a website can remain popular for six years whilst its IT team merrily whistle through their work day without once stopping to think about data backup.

Maybe I'm myopic, but I've seen this happen with companies started by business and marketing people without a technical stakeholder, though no implosion has been so instantaneous. Not everyone can be technically minded, but if you aren't and you are starting a dot-com, you had better hire someone who is, give them a stake in the company, and listen to them about things like contingency planning.

So, what would you do if your data were lost? This question applies to home users and business people alike. As a CTO, this question should keep you up at night, in its many different manifestations:

- What if a HD in the database server goes?
- What if the whole database server blows up?
- What if your web server blows up?
- What if your data center goes off line?
- What if the CEO loses his laptop?
- What if someone hacks into the development environment?

There are hundreds of variations on this theme. Good sleep is for the naive, the retired, and those who have worked very hard for high availability, disaster recovery, and security.
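The first "what if" on that list (the data is gone) has a simple, boring answer: a backup that has actually been restored at least once. As an added example that is not part of the original post, the POSIX shell function below archives a directory, records a checksum beside the archive, and then proves the archive is usable by extracting it to a scratch directory and comparing the restored tree with the live one. It assumes tar, gzip, diff, mktemp and GNU sha256sum are available; the function names and the layout are the example's own.

```sh
#!/bin/sh
# Added example, not from the original post. Back up a directory to a
# timestamped tar.gz, store a SHA-256 beside it, and verify the archive by
# restoring it and diffing the result against the source tree.
# Assumes: POSIX sh, tar with gzip support, diff, mktemp, GNU sha256sum.

# backup_and_verify SRC_DIR DEST_DIR
#   Prints the archive path and returns 0 only if the restore test passes.
backup_and_verify() {
    src="$1"
    dest="$2"
    name=$(basename "$src")
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/$name-$stamp.tar.gz"

    mkdir -p "$dest" || return 1
    # -C so the archive holds relative paths and can be restored anywhere.
    tar -C "$(dirname "$src")" -czf "$archive" "$name" || return 1
    # Record the checksum relative to the archive's directory so the
    # .sha256 file stays valid if the whole backup directory is moved.
    (cd "$dest" && sha256sum "$(basename "$archive")" \
        > "$(basename "$archive").sha256") || return 1

    # Restore into a scratch directory and compare with the live tree.
    scratch=$(mktemp -d) || return 1
    if tar -C "$scratch" -xzf "$archive" && diff -r "$src" "$scratch/$name" >/dev/null; then
        rm -rf "$scratch"
        echo "$archive"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

# verify_archive ARCHIVE
#   Returns 0 if the archive still matches its recorded checksum; run this
#   on the copy that lives off-site, not only on the one just written.
verify_archive() {
    (cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null)
}
```

Run from cron as `backup_and_verify /var/lib/app /mnt/backups` and alert on a non-zero exit: a backup job that silently produces unreadable archives is exactly the failure the post describes.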