views: 85

answers: 3

Programming languages/environments aside, are there many developers who are using a framework in PHP, ORM and still abide by encapsulation for the DAL/BLL? I'm managing a team of a few developers and am finding that most of the frameworks require me to do daily code inspection because my developers are using the built in ORM.

Right now, I've been using a tool to generate the classes and CRUD myself, with an area for them to write additional queries/functions. What's been happening though, is they are creating vulnerabilities by not doing proper checks on data permission, or allowing the key fields to be manipulated in the form.

Any suggestions, other than getting a new team and a new language? (I've seen Python/Ruby frameworks have the same issues.)

+4  A: 

Throwing away a team is never an option: improve it instead!

  • Arrange security workshops to make them more aware of these issues.
  • Introduce (or even better: ask them to introduce) code guidelines for better handling these problems (a security-aware Hungarian notation or usage of prepared statements are two examples)
  • Address the shortcomings in code reviews - don't blame them for ignoring security, just show the problematic snippets you found and explain that security is very important to [choose one: this project/the customer/your company's reputation/you personally]
  • Let them do security audits on their own or their peers' code. Let them find out how easy it is to exploit such security flaws.
  • Find other tools/frameworks that better support your security model. But be warned: this option is very expensive! Your programmers will need to maintain code in the old framework and learn a new one (worst case: they will need to learn a new language along with the new framework)

But basically this is an issue that you have to solve collaboratively with your developers. If you declare war on them, you're bound to lose (regardless of the outcome for the developers.)

soulmerge
Thanks. I have introduced guidelines, code reviews, security reviews, etc. Ironically, they have a grasp on XSS/SQL injections, and others (mainly because the framework handles it). My issue is they'll pretty much replicate a scaffold environment, where they fail to check proper access permissions for data. I've had them go through the use cases, unit tests, etc., but they'll modify the models to expose all the private methods/members to make it "easier" for them and simply use the CRUD type statements, allowing anyone to manipulate other users' data by changing the id in the form.
Ian
If you can't get them to work on the security issues, maybe you should ask external developers to try to hack your own site. Enter each successful hack as a bug into your bug tracking system. This way both you and your developers will get metrics on how secure the application really is. People learn from mistakes far better than from someone else just saying so.
soulmerge
+2  A: 

To me it sounds like you want to improve coding culture. Have a look at the Rules of Extreme Programming. Maybe you can adopt a few techniques.

Basically, I get the impression there is very little communication right now between the developers and you. I might be just reading that into it, but to me it sounds like the devs are locked in the cellar and you are sitting somewhere else and getting frustrated about them. Change that kind of thinking. You are part of the team.

If your developers are not aware of the vulnerabilities they introduce into the code, consider having weekly code reviews. Let the developers talk about the code they wrote. Let them learn from each other. Make the code collectively owned. Foster learning and constructive criticism.

Remember, there is no I in Team.

Gordon
Thanks. Corporate climate aside, I'm at about one day a week reviewing the code. I have documentation for what they should be doing. I review the steps before, hold the "workshops", yet they fail to listen. I've followed XP programming, tried agile, etc. The "team" feels they know better than everyone else. I may end up writing all the models myself, since they go and expose the private methods and properties anyway.
Ian
@Ian you could use some of the tools at phpqatools.org to write code sniffers that detect coding violations and prevent VCS check-ins or to generally prove your point about the code quality. But if there is already fronting, maybe it makes sense to hire a neutral external consultant like sektionseins.de or thePHP.cc (not affiliated with them - just naming the most well known).
Gordon
A: 

May I recommend Nepthali? It's not an ORM, but the framework is designed to force security, i.e. all variables are encoded before output to the screen unless explicitly defined not to.

It's also fairly lean, having no ORM, etc. so you can plug whichever ORM into it you want. It's pretty nice, actually.

Zachary Spencer
Thanks, but the security issues I'm talking about are failing to check if a user has access to data. So they'll write a generic load function by a primary key and use that for everything, since they only "test" against one user. The CRUD methods all follow this issue, so as long as they have access to the data, they expose it to the user.
Ian
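Ian's comments above describe one flaw from two angles: a generic load-by-primary-key used for every CRUD operation, tested against a single user, so that changing the id in the form reaches another user's row. The following is an added PHP example, not code from the thread or from any framework named in it. It contrasts that scaffold-style repository with one where the owner id is fixed from the session at construction and carried as a predicate in every query, then runs the two-user check the developers never ran. The table, column and class names (invoices, owner_id, InvoiceRepository) and the sample rows are assumptions constructed for the demonstration; it needs PHP 8 with pdo_sqlite.

```php
<?php
// Added example (not from the original thread): owner-scoped DAL versus the
// scaffold "load by primary key" shortcut. In-memory SQLite via PDO; the table
// name, column names and rows below are constructed for this demonstration.
declare(strict_types=1);

final class NotFoundOrForbidden extends RuntimeException {}

// The scaffold-style DAL the question describes: whoever knows or guesses an id
// can read or change the row, because the query carries no owner predicate.
final class UnsafeInvoiceRepository
{
    public function __construct(private PDO $db) {}

    public function load(int $id): ?array
    {
        $st = $this->db->prepare('SELECT * FROM invoices WHERE id = :id');
        $st->execute([':id' => $id]);
        return $st->fetch(PDO::FETCH_ASSOC) ?: null;
    }

    public function update(int $id, string $memo): void
    {
        $st = $this->db->prepare('UPDATE invoices SET memo = :memo WHERE id = :id');
        $st->execute([':memo' => $memo, ':id' => $id]);
    }
}

// Owner-scoped DAL: the current user's id comes from the session (never from
// the form) and is bound at construction; every query adds it as a predicate.
// No method accepts only a primary key, so the shortcut cannot be written.
final class InvoiceRepository
{
    public function __construct(private PDO $db, private int $userId) {}

    public function load(int $id): array
    {
        $st = $this->db->prepare(
            'SELECT * FROM invoices WHERE id = :id AND owner_id = :owner');
        $st->execute([':id' => $id, ':owner' => $this->userId]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            // Same error for "does not exist" and "not yours": no id enumeration oracle.
            throw new NotFoundOrForbidden("invoice $id");
        }
        return $row;
    }

    public function update(int $id, string $memo): void
    {
        $st = $this->db->prepare(
            'UPDATE invoices SET memo = :memo WHERE id = :id AND owner_id = :owner');
        $st->execute([':memo' => $memo, ':id' => $id, ':owner' => $this->userId]);
        if ($st->rowCount() !== 1) {
            throw new NotFoundOrForbidden("invoice $id");
        }
    }
}

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, memo TEXT)');
    // Constructed sample rows: invoice 1 belongs to user 10, invoice 2 to user 20.
    $db->exec("INSERT INTO invoices VALUES (1, 10, 'alpha'), (2, 20, 'beta')");
    return $db;
}

// The two-user test: logged in as user 10, submit a form whose id was changed
// to 2 (user 20's row) and see what each DAL does with it.
$db = makeDb();
$sessionUserId = 10;
$tamperedFormId = 2;

$unsafe = new UnsafeInvoiceRepository($db);
$unsafe->update($tamperedFormId, 'tampered');
echo 'unsafe DAL: user 10 changed invoice 2, memo is now "'
    . $unsafe->load($tamperedFormId)['memo'] . "\"\n";

$safe = new InvoiceRepository($db, $sessionUserId);
foreach (['load', 'update'] as $op) {
    try {
        $op === 'load' ? $safe->load($tamperedFormId)
                       : $safe->update($tamperedFormId, 'tampered again');
        echo "safe DAL: $op of invoice 2 as user 10 succeeded (this would be a bug)\n";
    } catch (NotFoundOrForbidden $e) {
        echo "safe DAL: $op of invoice 2 as user 10 rejected\n";
    }
}
// User 10 still reaches their own row through the same repository.
echo 'safe DAL: own invoice 1 memo = "' . $safe->load(1)['memo'] . "\"\n";
```

The point for code review is structural rather than per-call: if the only repository the models can use requires the session user at construction, a developer cannot "forget" the permission check on one CRUD method, and a unit test that runs as two users (as above) fails the moment someone adds a bare load-by-id back in.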