The source code
The project described in this article is hosted on mform.codeplex.com.
You will find the most recent version there (the project has recently been updated).
You have most likely seen the "probably the best beer in the world" commercial. It is less likely that you have heard of the MForm webcontrols. But if, like me, you are a web developer struggling with writing web forms that collect and process loads of data, you may well find the controls described here interesting.
The MForm webcontrols project was started in the IT department of Bank Millennium, Poland, where I work. It has recently been published under the Microsoft Public License.
If you have ever applied for a loan or a mortgage, you already know that banks want to know as much as possible about their clients, to minimize the risk of lending too much money to a person who cannot afford to repay it. All of this data is entered by bank consultants into the bank's intranet application during a meeting with the client.
The duty of a bank IT developer is then to:
- define the data contract (a data structure and data restrictions) for the information that the business department wants to collect;
- create a web form (or several web forms) that collects the data according to the data contract;
- validate the fields in the web form against the data restrictions;
- combine the data from the fields into the data structure.
Finally, the data is sent somewhere else, where it is used to make a decision about the client.
What struck me was that all of these tasks looked as if they could be done at least partially automatically. The forms could be generated directly from the data contract (in our case the data contract was defined using an XML schema); the validations (at least the basic ones: checking that a field is required, its maximal length, matching a pattern, or a maximal value) could also be taken from the data contract; and finally the data combining (creating an output XML instead of a collection of fields) could be done automatically.
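As an added illustration of that idea (not code from the MForm project, which is ASP.NET), the following Python reads a small constructed XML schema, derives the requirement, maxLength, pattern and maximal-value rules from it, validates a set of submitted field values against those rules, and combines the fields into the output XML. The schema, its field names and the rule names are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
XS = "{http://www.w3.org/2001/XMLSchema}"
# Constructed sample contract (not the project's own schema): required, maxLength, pattern, max value
SAMPLE_XSD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="LoanApplication"><xs:complexType><xs:sequence>
<xs:element name="FirstName"><xs:simpleType><xs:restriction base="xs:string"><xs:maxLength value="30"/></xs:restriction></xs:simpleType></xs:element>
<xs:element name="PostalCode"><xs:simpleType><xs:restriction base="xs:string"><xs:pattern value="[0-9]{2}-[0-9]{3}"/></xs:restriction></xs:simpleType></xs:element>
<xs:element name="MonthlyIncome"><xs:simpleType><xs:restriction base="xs:decimal"><xs:maxInclusive value="1000000"/></xs:restriction></xs:simpleType></xs:element>
<xs:element name="Phone" minOccurs="0"><xs:simpleType><xs:restriction base="xs:string"><xs:maxLength value="15"/></xs:restriction></xs:simpleType></xs:element>
</xs:sequence></xs:complexType></xs:element></xs:schema>"""

def rules_from_schema(xsd_text):
    """Derive one rule set per field from the data contract, in schema order."""
    rules = {}
    for el in ET.fromstring(xsd_text).iter(XS + "element"):
        restriction = el.find(f"{XS}simpleType/{XS}restriction")
        if restriction is not None:  # the root element has a complexType and no facets
            rule = {"required": el.get("minOccurs", "1") != "0"}
            for facet in restriction:  # maxLength, pattern, maxInclusive, ...
                rule[facet.tag[len(XS):]] = facet.get("value")
            rules[el.get("name")] = rule
    return rules

def validate(rules, fields):
    """Check submitted form values against the derived rules; return error strings."""
    errors = []
    for name, rule in rules.items():
        value = (fields.get(name) or "").strip()
        if not value:
            if rule["required"]:
                errors.append(f"{name}: required")
            continue
        if "maxLength" in rule and len(value) > int(rule["maxLength"]):
            errors.append(f"{name}: longer than {rule['maxLength']} characters")
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):  # XSD anchors patterns
            errors.append(f"{name}: does not match {rule['pattern']}")
        if "maxInclusive" in rule and (not re.fullmatch(r"\d+(\.\d+)?", value)
                                       or float(value) > float(rule["maxInclusive"])):
            errors.append(f"{name}: must be a number not above {rule['maxInclusive']}")
    return errors

def build_xml(rules, fields, root="LoanApplication"):
    """Combine the validated fields into the output document the contract describes."""
    doc = ET.Element(root)
    for name in rules:  # schema order; empty optional fields are omitted
        if (fields.get(name) or "").strip():
            ET.SubElement(doc, name).text = fields[name].strip()
    return ET.tostring(doc, encoding="unicode")
```

Only the simple, implicitly anchored XSD pattern dialect is handled by `re.fullmatch`; a production validator would use a real schema processor.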
Still, the solution had to be extensible enough to:
- allow modifying the created forms visually after the generation;
- allow adding custom business validations that would work the same way data validations work;
- make the process of creating the forms as easy as possible, so that even an inexperienced developer could prepare at least a sketch of a web form;
- be efficient and use Ajax to eliminate unnecessary PostBacks;
- use generic ASP.NET controls and solutions wherever possible;