
Slow Down and Think

By Ryan Lambert -- Published February 25, 2014

I know, it's 2014 and we shouldn't have to think anymore, but let's just take a moment and think for a bit anyway. You might have seen news about an internet-enabled refrigerator sending spam emails lately, which might seem minor but it indicates a bigger problem of internet enabled devices that have zero or minimal security built in.

Faster, Faster, Faster!

This morning I happened across yet another post declaring the death of the DBA, which speaks to the benefit of faster development:

Times to market are down, innovation is up, and the programming languages that enable this kind of agility have exploded in popularity; node.js, php, and python apps are the new commonplace. Everything is just moving faster.

Sure, faster development is good in general. But especially when I see "faster development" mixed with "PHP" I start getting concerned. This isn't a complaint about PHP in general, but it's all too easy to deploy very bad, very insecure apps that run great for the end user.

Let's say I decided I want to build a web app in PHP and need to know how to insert data into the database from a form. I might search for how to do this using a search string like: "php insert to mysql". The very first result that comes up in Google is this page on W3Schools which shows an example of building the INSERT statement using unfiltered form input:

$sql="INSERT INTO Persons (FirstName, LastName, Age)  
    VALUES  
    ('$_POST[firstname]','$_POST[lastname]','$_POST[age]')";

DO NOT DO THIS! Ever. But when it's much easier to find bad examples than good ones...
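The same INSERT rebuilt as an added example (not code from this post or from W3Schools), in Python against an in-memory SQLite table so it runs anywhere: the string-interpolated version beside the parameterized one, both fed a perfectly legitimate surname that happens to contain an apostrophe. Table and column names mirror the snippet above; the form values are constructed.

```python
import sqlite3


def make_db():
    # Fresh in-memory table with the same shape as the post's Persons table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Persons (FirstName TEXT, LastName TEXT, Age INTEGER)")
    return conn


def build_unsafe_sql(form):
    # Same pattern as the PHP snippet: raw form values pasted into the SQL text.
    return ("INSERT INTO Persons (FirstName, LastName, Age) VALUES "
            f"('{form['firstname']}','{form['lastname']}','{form['age']}')")


def insert_unsafe(conn, form):
    conn.execute(build_unsafe_sql(form))
    conn.commit()


def insert_safe(conn, form):
    # Placeholders: the driver sends the values separately from the SQL text,
    # so quotes or SQL keywords in the input can never change the statement.
    conn.execute(
        "INSERT INTO Persons (FirstName, LastName, Age) VALUES (?, ?, ?)",
        (form["firstname"], form["lastname"], form["age"]),
    )
    conn.commit()


def rows(conn):
    return conn.execute("SELECT FirstName, LastName, Age FROM Persons").fetchall()


def demo():
    # Constructed form submission; the apostrophe is ordinary user data.
    form = {"firstname": "Miles", "lastname": "O'Brien", "age": "42"}
    result = {}
    conn = make_db()
    try:
        insert_unsafe(conn, form)          # the quote breaks the statement
        result["unsafe_error"] = None
    except sqlite3.OperationalError as e:
        result["unsafe_error"] = str(e)
    result["unsafe_rows"] = rows(conn)
    conn = make_db()
    insert_safe(conn, form)                # stored exactly as typed
    result["safe_rows"] = rows(conn)
    return result


if __name__ == "__main__":
    print(demo())
```

The interpolated build fails on a name as common as O'Brien (and the same mechanism lets a hostile value rewrite the statement); the parameterized build stores the name unchanged.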

Developer Extraordinaire

Let's say I developed my first ever web-app using the example above and it was a great hit! The three friends I have all use it and say it's the greatest thing ever, so I build a couple more PHP applications that my friends think will be cool. Not only did two of my three friends like the new apps, but a few of my extended family members and a friend of the family all tried it out and love them. At this point I should have picked up some better habits and no longer trust $_POST variables without validation, but it's quite likely that I have become an Expert Beginner.

As such, Advanced Beginners can break one of two ways: they can move to Competent and start to grasp the big picture and their place in it, or they can 'graduate' to Expert Beginner by assuming that they've graduated to Expert.

The problem with the Expert Beginner is that he truly believes he's an Expert when, in fact, he simply has no idea how ignorant he is. Now combine an Expert Beginner with even faster development and a low bar of entry and what's the result? An increasingly larger number of really bad, insecure apps. Now, go ahead and throw "NoSQL" databases into the mix, flaunting the "benefits" they offer of schema-less design, scalability, and more. Now, as the Expert Beginner developer, I have even less structure, using less mature systems, with fewer people who could potentially help me support it. I think I would prefer to continue living in Spreadsheet Hell.

What To Do?

That's a good question and I don't have the answer, but I think the industry as a whole needs to take a step back and think through the implications before acting. Instead of just jumping in and going full steam assuming that every new product is good, take time to learn and think about the implications. Will your application be connected to the wider Internet? How is it protected? Are your form inputs properly validated? Have you thought about SQL Injection?

Just because it has become much easier to become a developer doesn't mean there's less to learn. There's more to learn every day, so let's all pause for a moment and think about what we're doing. Continuous learning, training, and thinking are requirements to be even a decent developer.

Last Updated April 13, 2019