[TYPO3-dev] Process and technology questionnaire

Florian Thiel flo.thiel+typo3 at googlemail.com
Tue Mar 31 14:49:29 CEST 2009


Hello Typo3 developers,

I'm in the process of writing my diploma thesis on the prevention of
web application security vulnerabilities and I'd like to know a bit
about the process- and technology-related properties of your fine project.

It would be great if you could take a couple
of minutes and think about the questions below. The questions are
mostly open-ended. Elaborate and skip questions at will. Since you are
a framework yourself, some questions might not apply directly. You are
also welcome to relate to plans for Flow3.

Not all questions may be relevant to all developers. I've chosen a
rather inclusive format to not only get opinions from project leads.

Thank you very much in advance. I will provide you with a link to the
results of my thesis when it's done.

Florian

The questions:

About technical aspects:
- Are you using a web application framework? Which one?
- Do you use explicit data modeling for all business objects in the
  application?
- Do you have specific layers for input/output validation/filtering?
  (If applicable) What does the input/output layer do (respectively)?
  How? Are you using external libraries? Why? Why not? (for HTML
  sanitization, object-relational mappers, database abstractions with
  prepared statements)?
- (If applicable) What responsibilities do the input/output layers
  have, respectively?
- How do you ensure that all input passes through validation/
  filtering? Do you have an API that must be used?
- Do you provide services to independently developed modules/
  components? Is there a defined API?
- Which other external libraries do you use?

About the development process:
- Is there public documentation about the responsibilities of the
  input/output layers?
- Is there public documentation about *when* input/output validation/
  filtering should happen? (Like: "output filtering must always happen
  in the method that renders the data")
- Do you have automatic tests for the whole system?

Bonus question:
- Do you do manual code review?
