Contrast Security: Frameworks

 
Frits Walraven
Creator of Enthuware JWS+ V6
Hi Jeff,

In our company we have the tendency to go for EE6 all the way: no dependency on external frameworks like Spring, Struts etc.

  • Do you think that the EE6 libraries are safer than external frameworks?
  • Are security issues always related to the frameworks being used or does it have to do with the lack of knowledge of developers?
  • How do you keep your product up to date with all the security issues of the different frameworks in the market?

Regards,
Frits
Contrast Security
Great questions...

> Do you think that the EE6 libraries are safer than external frameworks?

No. Not necessarily. It's possible to write a secure or insecure app using just about any framework. In theory, frameworks should provide the standard security controls to make security easier. Unfortunately, many of them are so powerful that they make some kinds of security mistakes easier. In the end, it's really about understanding the technology, and making sure that there are defenses in place for the risks you foresee.

> Are security issues always related to the frameworks being used or does it have to do with the lack of knowledge of developers?

I don't look to frameworks to solve every security issue, so there is a lack-of-knowledge issue associated with every security flaw. However, I'm optimistic that frameworks can be used to make security massively simpler for developers.

> How do you keep your product up to date with all the security issues of the different frameworks in the market?

Two ways. First, because Contrast runs inside the running application we don't have to know as much about the inner workings of the framework as, say, a static analysis tool. But we do have an excellent research team that makes sure our product works properly on new frameworks. You should see our test suite... We test on about 20 different containers across six or seven operating systems and all the major frameworks. Each one of those combinations gets thousands of test cases run every time we change our agent.
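The point made in the answer above, that a framework supplies the standard control and at the same time makes the mistake easy, shown in Java EE 6 terms with JPA, which is part of the EE6 stack the question asks about. This is an added example, not code from the thread or from Contrast Security. It assumes a JPA 2.0 persistence unit managed by the container (so it runs inside an EE6 container, not as a stand-alone program); `UserLookup` and the `User` entity are hypothetical names chosen for the illustration.

```java
import java.util.List;
import javax.ejb.Stateless;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.PersistenceContext;
import javax.persistence.TypedQuery;

// Added example, not code from the thread. Assumes a JPA 2.0 (Java EE 6)
// persistence unit managed by the container; User and UserLookup are
// hypothetical names chosen for this illustration.
@Stateless
public class UserLookup {

    @PersistenceContext
    private EntityManager em;

    // Vulnerable: JPA executes whatever JPQL string it is handed, so the
    // untrusted name becomes part of the query's structure. The input
    //     ' OR '1'='1
    // produces  SELECT u FROM User u WHERE u.name = '' OR '1'='1'
    // and returns every User row instead of one.
    public List<User> findByNameUnsafe(String name) {
        String jpql = "SELECT u FROM User u WHERE u.name = '" + name + "'";
        return em.createQuery(jpql, User.class).getResultList();
    }

    // Hardened with the control the same API already provides: the query text
    // is a constant and the untrusted value is bound as a named parameter, so
    // it is compared as data no matter which characters it contains.
    public List<User> findByName(String name) {
        TypedQuery<User> q = em.createQuery(
                "SELECT u FROM User u WHERE u.name = :name", User.class);
        q.setParameter("name", name);
        return q.getResultList();
    }
}

// Minimal entity so the class above compiles; in a real application this
// would be mapped to an existing table.
@Entity
class User {
    @Id
    private Long id;
    private String name;

    protected User() { }   // JPA requires a no-arg constructor

    public Long getId() { return id; }
    public String getName() { return name; }
}
```

Both methods use the same JPA API. `createQuery` accepts any string, so concatenating untrusted input is accepted without complaint; `setParameter` is the framework-provided control that keeps the value as data. Nothing in EE6 forces the second form over the first, which is the sense in which an "all EE6" stack is not by itself safer than one built on an external framework.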
     
Frits Walraven
Thanks for your answers!