Tuesday, January 27, 2009

Web Developers: Don't Reinvent the Non-secured Wheel

I'm thinking about beginning another web project. Before one gets to coding the fun part of any web application, though, there is a lot of core code that needs to be written: login, user management, session management, user registration, logout, etc. But writing secure applications can be tricky, and any attempt to roll your own is likely to have security flaws. Open source can solve both of these problems: the code is already written, letting you get on to the fun stuff; and if it has already been vetted by a large developer community, you get the security benefit of past mistakes having been found and fixed.
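To make the "roll your own" risk concrete, here is an added example (not code from the original post, and not OWASP ESAPI code) contrasting a naive homemade session store with the kind of session handling a vetted library provides. The class names and the one-hour expiry are assumptions chosen for illustration.

```python
"""Added example: why homemade session management tends to go wrong.

NaiveSessionStore is the sort of thing written in a hurry: sequential IDs
that anyone can guess, no expiry, and a store that holds the raw token.
SessionStore shows the properties a vetted implementation gives you:
unpredictable IDs from a CSPRNG, a fixed lifetime, explicit logout, and
only a hash of the token kept server-side.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple


class NaiveSessionStore:
    """The roll-your-own version: predictable IDs, no expiry, raw tokens stored."""

    def __init__(self) -> None:
        self._next_id = 1
        self._sessions: Dict[str, str] = {}

    def create(self, username: str) -> str:
        # Sequential IDs: session N+1 is trivially derived from session N.
        sid = str(self._next_id)
        self._next_id += 1
        self._sessions[sid] = username
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        # Never expires; a leaked or guessed ID is valid forever.
        return self._sessions.get(sid)


class SessionStore:
    """What a reviewed library does for you (simplified, assumed design)."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self._ttl = ttl_seconds
        # Keyed by SHA-256 of the token, so a dump of this dict yields no usable sessions.
        self._sessions: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _key(sid: str) -> str:
        return hashlib.sha256(sid.encode("utf-8")).hexdigest()

    def create(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG: 256 bits of entropy, 43 URL-safe characters.
        sid = secrets.token_urlsafe(32)
        self._sessions[self._key(sid)] = (username, now + self._ttl)
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        entry = self._sessions.get(self._key(sid))
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            # Expired: drop it so it cannot be revived later.
            del self._sessions[self._key(sid)]
            return None
        return username

    def destroy(self, sid: str) -> bool:
        """Logout: invalidate the session server-side, not just in the browser."""
        return self._sessions.pop(self._key(sid), None) is not None


def token_is_unpredictable(sid: str) -> bool:
    """Cheap sanity check a reviewer might run: long enough and not just a number."""
    return len(sid) >= 32 and not sid.isdigit()


if __name__ == "__main__":
    naive = NaiveSessionStore()
    print("naive IDs:", naive.create("alice"), naive.create("bob"))  # 1 2
    good = SessionStore(ttl_seconds=3600)
    sid = good.create("alice", now=1000.0)
    print("secure ID unpredictable:", token_is_unpredictable(sid))
    print("valid now:", good.lookup(sid, now=1500.0))
    print("valid after expiry:", good.lookup(sid, now=5000.0))
```

Note that the comparison in `lookup` is a dictionary lookup on the hash of the token rather than a constant-time compare of the raw token; because the key is a SHA-256 digest, timing differences reveal nothing about the secret itself. A real library also binds the cookie with `Secure`, `HttpOnly` and `SameSite` attributes and rotates the ID on login, which this sketch leaves out.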

One might think that reference implementations would be readily available for these in all web languages, and that we would all be using them by now.

Kudos to OWASP for building exactly that themselves, in their Enterprise Security API (ESAPI) project. It details all the functions that a secure application needs. Better still, they also offer a reference implementation in Java.

I'd love to see the web development community support this project by developing reference implementations in PHP, ColdFusion, and .NET. Implementations in each of the popular frameworks would go a long way toward making the web a safer place, and would make the development of every new web application that much easier.
