Application Security Testing: An Integral Part of DevOps
It has been a great ride! Very few times in history have been more revolutionary than this era in which you live. Lots of great things occur at an astonishing speed (sometimes bad things). With the Internet, ideas flow more freely than ever before. As always, humans are learning how to exploit this new medium.
In the programming industry, there has always been this tendency to look for the holy grail of codeless software development. There are many ideas of having some sort of subject-matter-expert code (wizards) write your tedious code for you. The danger you face as programmers is the tendency to grow dependent on these tools to the point where you lose your ability to code or perform certain tasks yourself. I personally don't have any problem with automation as long as it truly solves a problem for me without leaving me impotent. Often, you are given tools that are very glossy and cool but do not cover every possible situation. No tool can, really. So, when the tool fails, you are royally screwed. To me, that's a real problem.
"Don't you see the danger in what you are trying to do here? You took what others had done and before you knew what you had, you packaged it and..."
I am, of course, paraphrasing a line from Jurassic Park. However, I believe it is very applicable to the point I am trying to make. My warning is for you to be aware that every time you take a shortcut in order to meet a deadline, it may come at a subtle but serious price. Be aware of the tradeoffs in question. I realize we all have to make compromises to get things done. But be aware of the cost of such shortcuts to you as a developer. Okay, by this time you must be asking: what exactly is your point? I will tell you by sharing a real-life experience.
I am going to take a very small slice of a simple application I am currently working on. This application is not glamorous or sexy. I needed to have a dynamic page that could deal with multiple tables and somewhat dynamic column definitions. It would not have been practical to create a static page to handle each of the possible conditions. It had to be dynamic enough so that a rules change would not require a new maintenance page.
I set out to prototype my requirements a little at a time. I normally break down my problem into smaller problems, then try them out with code whose only purpose is testing the feasibility of my plan. The problem was to create a Master/Details page of a very dynamic nature. The traditional examples provided by Microsoft always involved the use of data source controls such as SqlDataSource and ObjectDataSource. Combine these with a dose of wizards and you had a static page that would do part of the job. And, the great thing was, it was done in minutes! Only one problem: it was static. I could not see how I could turn this declarative crap into a dynamic page capable of handling multiple queries dynamically with one GridView and one DetailsView control. I needed some code to do this.
I broke down my code even further and started with just a GridView on my page. I knew this control has a property called DataSource. I knew what it did based on my experience with DataGrid. Back in those days, you did a lot of stuff programmatically. All I had to do was provide a reference to a DataSet or DataTable, then invoke the DataBind method, and I was done.
' Business-layer object that runs the query (the post's own class)
Dim b As New BusinessRules.BusinessRules
' Point the grid at the returned data...
GridView1.DataSource = b.GetCustomerList
' ...and bind it; no SqlDataSource or ObjectDataSource involved
GridView1.DataBind()
I ran into a number of issues with the DetailsView, however. I decided to Google the problem. I spent a considerable amount of time on this and didn't find much. Then I went to one of the Microsoft forums and asked the question. The response was surprising; some guy named Phil started to berate me about my improper use of the DetailsView and told me that what I wanted to do could not be done because it was not designed to be used in that manner.
I don't know about you guys, but I felt those were fighting words. I proceeded to flame the guy to no end. A day later, I posted part of the answer on how to perform column definition and binding all programmatically, without the use of a data source. This is what I intend to share with you guys in the hope that something of some value comes out of this. Maybe some of you even have a better approach; I would love to hear it, or just your opinion.
So, my prototype looked something like what you see below. I had a drop-down to simulate my dynamic table or queries and the idea was that this page would adapt to the query dynamically and render the information.
The finished product looked as shown above and it was all done programmatically.
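The following is an added example, not the post's own code, of the approach described above: the GridView and DetailsView fields are defined in code from the schema of whatever DataTable the selected query returns, and both controls are bound without a SqlDataSource or ObjectDataSource. The class name DynamicBinder, the sample Customers table and the query key "Customers" are assumptions constructed for illustration; in the post the data would come from BusinessRules.BusinessRules instead.

```vb
Imports System
Imports System.Data
Imports System.Web.UI.WebControls

' Added example: builds GridView/DetailsView fields from a DataTable's schema at run time
' and binds both controls without a SqlDataSource or ObjectDataSource.
Public NotInheritable Class DynamicBinder

    Private Sub New()
    End Sub

    ' Constructed sample data standing in for whatever query the drop-down selects.
    ' In the post this would come from BusinessRules.BusinessRules (e.g. GetCustomerList).
    Public Shared Function SampleCustomers() As DataTable
        Dim t As New DataTable("Customers")
        t.Columns.Add("CustomerId", GetType(Integer))
        t.Columns.Add("Name", GetType(String))
        t.Columns.Add("City", GetType(String))
        t.PrimaryKey = New DataColumn() {t.Columns("CustomerId")}
        t.Rows.Add(1, "Alice Example", "Lisbon")
        t.Rows.Add(2, "Bob Example", "Porto")
        Return t
    End Function

    ' The drop-down value is only a key into a fixed set of known queries; the user's
    ' selection is never spliced into SQL text. Unknown keys are rejected.
    Public Shared Function LoadTable(ByVal queryKey As String) As DataTable
        Select Case queryKey
            Case "Customers"
                Return SampleCustomers()
            Case Else
                Throw New ArgumentException("Unknown query key: " & queryKey)
        End Select
    End Function

    ' Fields added in code are not stored in ViewState, so this must run on every
    ' request (postbacks included) before the grid is bound.
    Public Shared Sub BindMaster(ByVal grid As GridView, ByVal table As DataTable)
        grid.AutoGenerateColumns = False
        grid.Columns.Clear()
        For Each col As DataColumn In table.Columns
            Dim field As New BoundField()
            field.DataField = col.ColumnName
            field.HeaderText = col.ColumnName
            field.HtmlEncode = True   ' the default, made explicit: cell values render as text, not markup
            grid.Columns.Add(field)
        Next
        ' A Select button lets the DetailsView follow the chosen row.
        Dim selectField As New CommandField()
        selectField.ShowSelectButton = True
        grid.Columns.Add(selectField)
        ' Carry the primary key so the selected row can be identified on postback.
        Dim keys(table.PrimaryKey.Length - 1) As String
        For i As Integer = 0 To table.PrimaryKey.Length - 1
            keys(i) = table.PrimaryKey(i).ColumnName
        Next
        grid.DataKeyNames = keys
        grid.DataSource = table
        grid.DataBind()
    End Sub

    ' Shows one row of the same table in the DetailsView. Binding the whole table and
    ' choosing the record by PageIndex avoids building a RowFilter string from user input.
    ' rowIndex is the grid's SelectedIndex when the grid is not paged.
    Public Shared Sub BindDetails(ByVal details As DetailsView, ByVal table As DataTable, ByVal rowIndex As Integer)
        details.AutoGenerateRows = False
        details.Fields.Clear()
        For Each col As DataColumn In table.Columns
            Dim field As New BoundField()
            field.DataField = col.ColumnName
            field.HeaderText = col.ColumnName
            field.ReadOnly = col.ReadOnly OrElse col.AutoIncrement
            details.Fields.Add(field)
        Next
        If rowIndex < 0 OrElse rowIndex >= table.Rows.Count Then
            ' Nothing selected (or a stale index after the data changed): show an empty view.
            details.DataSource = Nothing
            details.DataBind()
            Return
        End If
        details.DataSource = table
        details.PageIndex = rowIndex
        details.DataBind()
    End Sub
End Class
```

In a page code-behind, Page_Load would call LoadTable with the drop-down's SelectedValue and then BindMaster on every request, not only when Not IsPostBack, because the programmatically added columns do not survive in ViewState; the grid's SelectedIndexChanged handler would then call BindDetails with GridView1.SelectedIndex (add PageIndex times PageSize if the grid is paged). Keeping the drop-down value as a key into a fixed set of queries is what makes the "dynamic table" safe to expose: the page adapts to any table the business layer returns, while the user never controls the SQL that is executed.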