Application Security Testing: An Integral Part of DevOps
The article deals with an important question, one that raises lots of debates in the .NET software architecture world. Should you choose "web application" or "desktop application"? A Rich-Internet application or a smart client?
The reason this question comes up so often lately is that the two technologies are converging, and as the distinctions blur the decision becomes harder to make. For example, the smart client introduces smart deployment and removes one of the biggest drawbacks of desktop applications. With Ajax, web applications run faster and offer an enhanced user experience.
Many companies choose a technology because it is what their current developers know and are good at. Choosing the right application type is crucial for many businesses; the end users and the business problem at hand should drive the decision. This article does not address a specific business issue. It lays out the common pros and cons of each technology.
I chose to approach this question in dialog form. The dialog is conducted between two software architects: Socrates, a web application advocate, and Plato, a desktop application advocate.
The dialog format lets me avoid taking a stand. As a matter of fact, I don't have one. I think both technologies are great and, when one of them has to be chosen, the choice should follow the business problem. You are most welcome to join their imaginary debate, held in modern Greece at one of the Tech-Ed .NET seminars.
Socrates: But Plato, your claim about the need for constant software upgrades only strengthens my argument that web applications are the best technology. In a web application, the application is actually located on a remote server that you can upgrade whenever it's needed, and the change is reflected to your users online. In other words, when all the code is in one place, everyone sees the latest release.
Plato: Well, with ClickOnce technology, a Windows-Form application can be deployed and launched from the Web. With this type of technology, software upgrades have never been easier to maintain.
Socrates: Oh, I heard about what it is capable of, but isn't it too cumbersome to accomplish? You do need to make all the assemblies strongly named, and the number of folders and files it creates on the web server is quite—well—cumbersome. Moreover, who wants to install a desktop application on his hard drive if he does not have to?
Plato: Well, I guess this technology will be improved by the Redmond fox in the future. Right now, the user can choose between offline and online execution. In both modes, the application is installed on the machine. The difference is that in offline mode the application can be jump-started and updated from the desktop, whereas in online mode it can be run only from the web link, as before. Please also know that ClickOnce is not the only solution. A "home made" solution, such as a Web Service that the desktop application communicates with to check for and install updates, is easy to develop.
Socrates: So, you are basically saying that in online mode, which is closest to running a web application, the application is reinstalled again and again on each run. What if it is a big application in terms of megabytes? Well, my dear Plato, I rest my case.
Plato: No, you haven't, because there is some kind of caching mechanism that improves this behavior. I guess the .NET Framework only downloads the required files.
Socrates: Hmmm... .NET Framework, you said. Do I smell a software prerequisite in the air?
Plato: You do smell well, but understand that the user does not need to have the .NET Framework on his computer or to preinstall it manually. The deployed ClickOnce application can easily be configured to support the installation of the .NET Framework (bootstrapper). Dear Socrates, as you well know, web applications commonly require ActiveX installations. Those requirements often scare users because they commonly cause the web browsers to display intimidating security warnings.
Socrates: Well, you are right; today's web browsers do cause lots of headaches. But, Windows firewalls often do the same for desktop applications.
Plato: In a desktop application, as opposed to a web browser, the application has the rights granted to the logged-on user. It can reach system data such as the IP address, the Registry, files, Windows Shell integration, and so forth. In script mode, the web application is very limited, and ActiveX technology is one of the last resorts. Web applications cannot leverage local resources like the CPU or installed software either. Moreover, isn't it true that ActiveX is also being used in web applications to enhance graphic capabilities such as charts and maps?
Socrates: Well, it depends on what the web application is obligated to do. But, yes, it is often used for more complex and somewhat fancier UI controls.
Plato: I guess you will also agree that web applications will never be capable of supporting GUI and visualization functionality like desktop applications. For example, the user interface must travel back and forth across the web to be refreshed.
Socrates: I wouldn't say never. Ajax, for example, enhances the UI capabilities.
Socrates: With today's ASP.NET technology, server code (code behind) can be written in a high-level language (any .NET-aware language) that can, of course, be debugged. As for client- and server-side scripts, I am afraid you are right. Plato, with your permission I would like to talk about application availability. As you recall, in a web application the application is available and can be accessed from anywhere without installing anything on the client machine. For example, Gmail is a web-based email application. You can enter your Inbox no matter where you are. If you walk into an Internet café, you surely will be permitted to enter Gmail but not to install any application on the machine.
Plato: Yes, I see your point. But what if I am at home or at the office and I want to see my emails, but the Gmail server is down or I have temporarily lost my Internet connection? I will not be able to see my emails, right? A web application must be connected to the server all the time. In other words, desktop applications offer better offline and caching capabilities. There is no need to waste time waiting for screens to refresh or networks to become available.
Socrates: Well, if you need smart caching and offline capabilities, you are right. Another thing that I would like to mention is cross-platform capability. If your desktop application is targeting world-wide use, will you be able to install it on Linux as well as on Windows? Even if you have decided to support only the Windows OS family, you will still need to support and test your application on lots of versions like 98/ME/NT/2000/2003/XP/Vista, not including sub-versions like the Home and Professional editions.
Plato: At the beginning, you almost had me convinced, but then I figured there are a lot of web browser vendors and lots of web browser versions. Also, there are a lot of technologies like ActiveX and Flash that will not work on Mac web browsers. Nevertheless, you are right that, if the web application is simple enough, it will be easier to support world-wide users.
Socrates: Well, working with a markup language like HTML also holds lots of simplicity and flexibility capabilities.
Plato: It is true! But, at the same time, it is also very limited. With the XAML markup language, desktop applications also enjoy the flexibility like HTML plus much more enhanced UI capabilities.
Socrates: Okay, Plato, we are not even close to ending this debate, but I do need to go. I have a meeting with Xenophon at the local SPA.
Plato: Adio, Socrates! Send my regards.
What Does the Future Hold?
It is hard to say what the future holds. One would have to be a prophet to tell. My guess is that we are going to face the article's question for a long time, at least for the near future. Looking at brand-new development styles like Smart Client and Ajax makes you think that no revolutionary progress has been made in recent years.
- "AJAX is not a new programming language, but a new way to use existing standards." (http://www.w3schools.com/ajax/default.asp)
- "Smart client isn't a technology, and it isn't any specific architecture. It is a style of application that combines the best of both desktop applications and web applications." (http://msdn.microsoft.com/smartclient/community/scfaq/default.aspx)
Some of the commonly used technologies are really very old:
- ActiveX in 1990 (http://en.wikipedia.org/wiki/ActiveX)
- VB in 1991 (http://www.startvbdotnet.com/dotnet/vb.aspx)
- In 1994, the very earliest version of HTML was introduced (http://www.w3.org/MarkUp/historical).
- Flash in 1996
Smart-Client vs. Rich-Internet-Application (RIA)
"Rich Internet applications (RIA) are web applications that have the features and functionality of traditional desktop applications. RIAs typically transfer the processing necessary for the user interface to the web client but keep the bulk of the data (in other words, maintaining the state of the program, the data, and so on) back on the application server" (http://en.wikipedia.org/wiki/Rich_Internet_application). Rich Internet Applications are already here. Google is one of the world leaders in Rich Internet applications. Here are some examples: Gmail, Google Calendar, and Google Docs and Spreadsheets.
Rich Internet applications characteristics:
- Run in a web browser
- Are typically much more responsive than standard web applications
- Have a richer UI
- Have the look and feel of a desktop application
- Are delivered over the web
- Do not require installation
- Automatically update without user action
- The complexity of applications is increasing
- Connectivity and network awareness: different application types connect to the same source of data. Connect to the data from mobile or desktop applications at the office and over the web when out of the office
- A2A: similar to B2B, only with applications that talk to each other by using standards such as Bluetooth for mobile devices.
- Save data online: Google Bookmarks, for example, and MS Messenger keep the user information like Favorites in the web. This allows the user to see the stored data from different PCs.
- Application recovery: Return to previous state no matter what happened to the last application run.
Choosing the right technology must be anchored to the business problem at hand. You would not develop a diagram-drawing application like MS Visio as a web application, just as you would not choose a desktop application for the Amazon book store. The article describes some of the pros and cons of each technology. Knowing them is a good start for decision making.
- Smart Client FAQ http://msdn.microsoft.com/smartclient/community/scfaq/default.aspx
- What is a Smart Client anyway? http://blogs.msdn.com/dphill/articles/66300.aspx
- Ajax.org http://www.ajax.org/
- The future of application virtualization http://www.cbronline.com/article_cbr.asp?guid=5191C403-22CD-47F4-98BB-FBF22219C4E0
- Rich Internet Applications: Design, Measurement, and Management Challenges, Keynote Systems, 2006 http://www.keynote.com/docs/whitepapers/RichInternet_5.pdf