It is hard to believe I have been working on Java code for over ten years. I remember getting started in Java working on JSPs or Java Server Pages and Servlets which included putting scriptlets in my JSPs. Later on, I learned how that was frowned upon by true Java programmers. As we develop our Java skills we learn from senior team members as well as from books and blogs we read. Today, we are going to go over some ‘Java gotchas’ and how to avoid them.
A web framework is used with most online systems as a way to organize and structure your code. We’ll dive into the definition of web frameworks and their important role in a system. For most of my work I use Java so we’ll be sticking with web frameworks specific to Java.
What is a web framework?
A web framework is like the support beams of a house. It provides a structure or template of resources, services, and APIs to alleviate the overhead associated with web development.
Why are web frameworks important?
Choosing the right framework upfront is critical as a huge amount of effort is required to switch later. There are a lot of factors to consider such as ease of use, security, efficiency, and maintainability. An active and popular framework is important as this gives developers more tools, community, and resources to leverage during development. This also means that patches should come out regularly to resolve bugs and security vulnerabilities. Also keep in mind to look at implementation best practices around the framework to ensure future maintainability and easier upgrades.
The Equifax breach
As you may have heard, Equifax is a credit reporting agency that was in the news recently for a cyber attack. The attackers exploited something called the CVE-2017-5638 Apache Struts 2 vulnerability, which was patched two months earlier. This exploit allowed for remote execution of commands. Apache Struts is a mainstream web framework, and it’s been reported by ZDnet that at least 65 percent of the Fortune 100 utilize this framework. Most of our client projects use Struts so we addressed each one to ensure they were not affected by this vulnerability. Apache releases patches regularly and in this case the exploit was a critical 10 score which is the highest on the scale.
Patching web frameworks can often get overlooked with server patches and bug fixes, but they are just as important. If your system houses any personally identifiable information (PII), it’s absolutely critical to keep the framework on the latest patches. Most patches are a simple swap and replace of the current jar library, but others may need more effort.
What framework is most popular?
Spring’s MVC framework has been one of the most popular for a few years now, according to zeroturnaround.com. It’s very flexible and typically easier to test due to its use of dependency injection. The logic is separated out to make it easier to narrow down bugs and the framework is organized like a REST API. Zirous has implemented this framework for multiple client projects. Our internal team, previously very familiar with Struts framework, is now knowledegable in Spring MVC through training and education prior to client work. Other popular frameworks include JSF and Grails; Struts is still hanging on as well. These frameworks all have their advantages and disadvantages, so it’s important to make sure you do your research to find which best suits the requirements and complexities of your project.
What’s the takeaway?
Upgrading and patching the web framework of your applications is just as important as any other part of your systems. Do your research to leverage the best framework to meet the time constraints and complexity of the project. Of course, if you need to speak to an expert on frameworks or patching, you can contact Zirous today.