Of course there are horror stories where a badly written/configured/deployed update can kill a website. This is no different from an updated Android application applied to your Android smartphone that subsequently causes problems, but not problems on all smartphones. Equally, you can get different results from Microsoft's offerings, from the Windows operating systems and so on, on different machines, some of the same or similar hardware, ranging from something that works well to something that makes the computer wholly unusable.
As you know, you have to be defensive before you deploy. Alas, many non-professionals (and no doubt some professionals as well) either don't know/understand or, for the many reasons that we all should know of, can't be bothered, let alone the commercial pressures to get the latest and greatest thing "up there yesterday if not before".
The .NET Framework, written by Microsoft, was a major undertaking that must have cost millions of man-hours and millions of dollars. PHP, for example, does not expect to match Microsoft's offerings; it doesn't have that corporate structure, let alone the finance, to do better than it has done on shoestring budgets and, over a period of time, community volunteers.
There are many dangers. An organisation could be severely hurt if its e-commerce offerings suddenly died or became problematic because an update failed in some way.
GuyThiebaut wrote: about being cautious about using free third party software
If you look at the repositories of, for example, Drupal or WordPress, you can see the download counts, the star rating, whether it is still being developed, and the reviews. Some degree of trust can be placed in many plugins/modules, but a risk always remains...
modified 1-Aug-19 21:02pm.
Thanks Richard.
Your replies are very helpful and give me some perspective on my concerns.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
I don't know if the Microsoft NuGet repository checks and tests plugins/modules before NuGet will include them. WordPress, Drupal, PrestaShop and others do not permit plugins/modules/themes/etc. into their repositories without testing them. But that doesn't say what testing, and how much testing, was done.
In terms of security, you can always take the time, if you have the time, to look at the source code of plugins/modules to ascertain how they deal with data before it hits the database, or issues surrounding XSS and other nasties. But the twin enemies of time and money may forbid you from doing much more than a cursory glance.
modified 1-Aug-19 21:02pm.
A well designed site will not break down with one or more plugins not loaded - it will only malfunction in some parts, and even there not completely...
For instance - if you use an input box extension to control the input formatting, you will lose only that, but the user will still be able to input values...
So, even if it is true that there is some risk in calling in plugins, that risk can be calculated and minimized by choosing those plugins carefully...
My main points for that are:
1. The plugin must be tested and reasonably matured...
2. I never use a plugin with tens of features to solve a single problem (in that case I may write it myself or compile only the relevant parts of the plugin from the source)
The reason to pick a plugin is to shorten the development time...We all have problems (in 99.99% of the cases) that have one or more solutions somewhere...and you can use it as an idea, as copy-paste code or as a plugin/library...
I do agree with you that writing all your code is the best way to stay in control, but think of it...you use the built-in .NET classes with no hesitation...Why? Do you believe those are better written/tested...Why?
So in my opinion using plugins is no different from using any other (built-in/open or closed source/paid or free) library/plugin/class/feature/function/method - you have to test and pick carefully...
Skipper: We'll fix it.
Alex: Fix it? How you gonna fix this?
Skipper: Grit, spit and a whole lotta duct tape.
And this one is for you:
http://www.commitstrip.com/en/
Skipper: We'll fix it.
Alex: Fix it? How you gonna fix this?
Skipper: Grit, spit and a whole lotta duct tape.
Hello,
I am wondering if the following methods in my script are vulnerable to a DOM XSS attack? If yes, what is the best practice for writing them? Kindly help if you can guide me about it.
1. document.createElement()
2. document.getElementsByTagName()
(function() {
    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
Thank you for your time.
Best Regards,
Supriya
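An added example (not Supriya's code) illustrating the DOM XSS question above: the snippet only ever assigns constant strings to ga.src, so no attacker-controlled source (location.hash, URL parameters, postMessage data) reaches a sink, and createElement()/getElementsByTagName() are not sinks by themselves. The hypothetical helpers below show the check a defender adds when the script URL is not a constant; the allow-list, the stub document and the function names are assumptions made for this example.

```javascript
// Added example, not from the original post. Defensive pattern for inserting a
// <script> element: only https URLs whose origin is on an allow-list are used.
const ALLOWED_SCRIPT_ORIGINS = new Set([          // constructed allow-list
  'https://ssl.google-analytics.com',
  'https://www.google-analytics.com',
]);

// Same protocol switch as the original snippet; kept so the http branch can be
// shown being rejected by the allow-list (mixed content, tamperable in transit).
function analyticsSrcFor(protocol) {
  return (protocol === 'https:' ? 'https://ssl' : 'http://www') +
    '.google-analytics.com/ga.js';
}

function isAllowedScriptSrc(src) {
  let url;
  try { url = new URL(String(src)); } catch (e) { return false; } // unparsable -> reject
  // Compare the parsed origin, not a substring, so look-alike hosts do not match.
  return url.protocol === 'https:' && ALLOWED_SCRIPT_ORIGINS.has(url.origin);
}

// Inserts a <script> only when src passes the allow-list. `doc` is a parameter
// so the function can run against a stub document outside a browser.
function insertTrustedScript(doc, src) {
  if (!isAllowedScriptSrc(src)) return null;
  const ga = doc.createElement('script');
  ga.async = true;
  ga.src = src; // property assignment: the string is treated as a URL, never parsed as HTML
  const first = doc.getElementsByTagName('script')[0];
  first.parentNode.insertBefore(ga, first);
  return ga;
}

// Constructed stub standing in for `document`, just enough for the calls above.
function makeStubDocument() {
  const inserted = [];
  const first = { parentNode: { insertBefore: (node) => inserted.push(node) } };
  return {
    createElement: (tag) => ({ tagName: tag.toUpperCase() }),
    getElementsByTagName: () => [first],
    inserted, // records what was inserted, for inspection
  };
}
```

The original snippet is safe because its inputs are constants; the allow-list matters as soon as the src is built from anything a user or another page can influence.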
How do I fake or declare Kendo controls in a Jasmine test? I can spyOn the method that has the code, but now I want to test the logic in JavaScript.
javascript/Angularjs
var grid = $("#Grid").data("kendoGrid");
var multiselect= $('#multiselect').data('kendoDropDownList').value();
The errors I get are "Cannot read property 'dataItems' of undefined" and "Cannot read property 'dataItems' of null" respectively.
MVC
My control is as follows in the View: @(Html.Kendo() .MultiSelectFor(m => m.id) .Name("Test"))
Thanks in advance
Phetole
I have developed a website with CSS and HTML. Would anybody mind checking my site and giving me some good suggestions? My site is http:
It needs a lot of work. The UI looks pretty weak. I'd suggest studying CSS design techniques and looking at other sites.
There are only 10 types of people in the world, those who understand binary and those who don't.
Dear Experts,
I have developed a web application using ASP.NET C#. I want to retrieve lots of images from the database
and show them in a DataList control. I tried, but it shows only a cross mark instead of the actual image.
Please help me.
Hi. I have created an ASP.NET MVC 4 application and published it on an FTP server. When I access the link, it shows me the files that are in the folder, not the index page, so I think something is missing there. Can anybody tell me if I have to do something else after publishing the project? I just created a project and uploaded it to the server to see if it works.
Sorry for the repost, I thought I had chosen the wrong category.
Thank you for your reply. I have found the problem.
The problem was caused by the web server, because it didn't accept the ASP.NET version for my project. So I have to choose another provider.
I am presently working on a web application using PHP, but I don't know how to limit the number of users connected to the system via a router. Please, is there a way to go about this? Any answer would be appreciated. Thank you.
Where did you deploy your web application? Is it a web server or a development PC? How do you plan to limit the users (on the web server or from the network router)?
I am using a web server (Wamp).
How do I define +91 as the default value of a TextBox in simple HTML, and what is the good way to handle it when we have to save it in the database?
Can you explain a bit more? Do you want to prefix the +91 country code to your textbox value here?
modified 20-Sep-20 21:01pm.
Please do not crosspost.
Just put value="+91" on the textbox and that will default it.
There are only 10 types of people in the world, those who understand binary and those who don't.
Hi,
Scenario: a Windows Forms application is the client talking to a WCF service, exchanging sensitive data in both directions.
1. Transport Security
• SSL using a server certificate with anonymous client authentication: is encryption of the message optional?
    ◦ What ensures that the message is definitely encrypted?
    ◦ A symmetric key is negotiated for message encryption, but what controls the strength of this key (128-bit / 256-bit etc.)?
• If an additional layer of custom encryption/decryption logic is implemented along with SSL, specifically for message security, are there any drawbacks?
2. Message Security
• When message security is enabled over HTTP (no SSL) and a server certificate is provided in the configuration, how is the message encrypted/decrypted, with what key, and how is the key exchanged?
• When message security is enabled over HTTPS (with an SSL certificate), is the encryption/decryption happening twice?
    ◦ Is it possible to configure an anonymous client (no client certificate/authentication) in this scenario?
    ◦ Is it possible to configure different certificates for SSL negotiation and for message encryption/decryption?
    ◦ What key is used for message encryption: the same as the SSL negotiated key, or a new key based on the provided certificate?
3. SSL Server Certificate Validation by the client
• By default, the client validates the certificate during the initial handshake. Exactly which information in the certificate is validated and which is not? Is this validation done by the .NET Framework on the client or by the OS itself?
    ◦ How different is this validation from an explicit X509Certificate2.Verify() call on the certificate?
• In client code, if a callback is registered for the ServicePointManager.ServerCertificateValidationCallback delegate, is this method called before or after the automatic validation of the server certificate?
Thanks in advance for your help.