[TYPO3-dev] Process and technology questionnaire
Florian Thiel
flo.thiel+typo3 at googlemail.com
Tue Mar 31 14:49:29 CEST 2009
Hello Typo3 developers,
I'm in the process of writing my diploma thesis on the prevention of
web application security vulnerabilities and I'd like to know a bit
about the process and technology related properties of your fine project.
It would be great if you could take a couple
of minutes and think about the questions below. The questions are
mostly open-ended. Elaborate and skip questions at will. Since you are
a framework yourself, some questions might not apply directly. You are
also welcome to relate to plans for Flow3.
Not all questions may be relevant to all developers. I've chosen a
rather inclusive format to not only get opinions from project leads.
Thank you very much in advance. I will provide you with a link to the
results of my thesis when it's done.
Florian
The questions:
About technical aspects:
- Are you using a web application framework? Which one?
- Do you use explicit data modeling for all business objects in the
application?
- Do you have specific layers for input/output validation/filtering?
(If applicable) What does the input/output layer do (respectively)?
How? Are you using external libraries? Why? Why not? (for HTML
sanitization, object-relational mappers, database abstractions with
prepared statements)?
- (If applicable) What responsibilities do the input/output layers
have, respectively?
- How do you ensure that all input passes through validation/
filtering? Do you have an API that must be used?
- Do you provide services to independently developed modules/
components? Is there a defined API?
- Which other external libraries do you use?
About the development process:
- Is there public documentation about the responsibilities of the
input/output layers?
- Is there public documentation about *when* input/output validation/
filtering should happen? (Like: "output filtering must always happen
in the method that renders the data")
- Do you have automatic tests for the whole system?
Bonus question:
- Do you do manual code review?