Another day, another silver bullet. The world of software development changes so rapidly, it is sometimes hard to keep track of all novelties and innovations available to us. To make things worse, with every new framework, there will be those that claim it to be the solution to all your problems.
Surely the use of frameworks is a good thing, right? Well, this talk will explore some arguments against that proposition. We will look at how the use of frameworks might impact the security of your system, what other downsides there are to using some frameworks, and even how the reliance on frameworks could be impacting the ability of developers to understand what is going on when things go wrong.
Apart from being cautionary, this talk will also show there is a large opportunity for learning in trying to understand frameworks. Being critical and curious will lead to greater understanding which leads to better choices.
3. Once upon a sprint...
Sequence of events in the upload-service anecdote:
- File uploaded
- Token expires
- Token validated
4. Spring Web vs. Vert.x
Spring Web
• Client uploads file
• Spring reads entire request upload into temporary file
• Spring validates headers
• OAuth interceptor validates token and fails
Vert.x
• Client uploads file
• Vert.x reads request async
• Vert.x offers access to headers
• OAuth interceptor validates token
• File upload continues in background
7. What is a framework?
Definition of framework
- a basic conceptual structure
- a skeletal or structural frame
8. What is a framework?
Definition of software framework
- a reusable set of libraries
- prescribes a structure to follow
- provides abstraction to hide complexity
10. Why do we use frameworks?
- Unified structure of components
- Free Features
- Easy to switch projects
- Collective Bugfixing
- Time To Market
35. Why do we use frameworks?
🎉
- Unified structure of components
- Free Features
- Easy to switch projects
- Collective Bugfixing
- Time To Market
🤨
- Framework Jungle
- Free Bloatware
- Transitive Dependency Risks
- Free Security Risks
- Unexpected Features
- Free Malware / Miners
- Loss of Technical Knowledge
49. Well what should we do then?
- Have the courage to switch
- Be curious and learn about the differences
- Stay critical of included code
Editor's Notes
Why and how? Idea started a few years back.
Who was at Tom Cools’ talk?
Two years ago this was a lightning talk (plug it)
Example: upload svc anecdote
Realise: dependent on framework
Next: ranting about Spring?
No, not just ranting. I see a set of behaviours that I want to address.
Industry is in framework-lockin
Next: What is a framework
Before begin: define framework
Literally it is the frame of a piece of work, or the frame on which a work can be built
Next: what is a software framework
Next: We love frameworks
and Frameworks are everywhere!
No projects without frameworks
No surprise, they are helpful -> remove repetitive work, add abstractions
Next: why do we use frameworks
sounds great right?
Next: rainbow
Let’s build a case against frameworks
Next: sheer amount of frameworks
Next: zero-days since
Since Node/NPM JS landscape has exploded
On new framework: people flock to it until the next
Next: lifecycle of a framework & bloat
Next: Struggle for relevance adds weight
Weight added gradually
Zoom in on Spring: context 1.0 : 158KB, version 5.X : 1.2MB
Next: experiment with deps
Next: hoarding & sustainability
Digital hoarding
Remember this one? What if someone unpublishes or breaks that tiny little thing at the bottom? Can you replace that?
Next: Security
Next: feature venn
Next: LinkedIn-scouting
Next: Unexpected features
Next: malicious code injection (the other half)
Next: unfolding story of forked repos
- Passwords to databases
- API keys
- OAuth keys
- Certificate keys
Good news - Github cleanup
Next: Loss of knowledge
Reasonable from BE?
FE depends on HTTP semantics
Left unchecked, it makes it harder and harder to understand errors from the underlying technology
Progress? Delegated growing food.
Next: External dependencies
Remember this one? What if someone unpublishes or breaks that tiny little thing at the bottom? Can you replace that?
Hard to get change done in frameworks, we depend on others.
Is it all bad then?
Stop using? No. B2C should not create HTTP servers etc. No more innovation if we do.
End of fear-mongering.
Noticed strong tendency to stick
Next: Since come to see them as tools
Switch! Especially with microservices. Rewrite in 2 weeks! Right?
Remember the upload service? Solution.
Next: curious
No black box. Learn.
Next: be critical (and then don’t be this guy)
Better to be the one seeing a problem coming than the one that includes malware that’s part of the next big hype thing
Next: so investigate, read docs, there’s usually some hints there
More reasons to use framework: Tom Cools & Ellien Callens, Leaving a Legacy.
One takeaway: The framework does not decide what you can build, you decide what framework to use. And your decision is allowed to change.
Thank you.