Being an efficient developer often means abstracting functionality such that a single function can be applied to a variety of uses across an application. Even as this decreases risk of errors, time to develop, and the attack surface necessary to secure the application it also makes implementing security more difficult.

Over the holidays I had the opportunity to do some coding on my latest web application project. I won’t bore you with the details of what it is because it’s to support a hobby of Don and mine except to say that it’s running on a LAMP stack and heavily data-driven. But then what isn’t data-driven on the web these days?

Now I’m an old skool OO (Object Oriented) programmer and a typical developer. That is to say that I’m basically lazy and hate to code and recode the same thing over and over so I employ every trick I can to avoid doing so. That means abstraction and taking advantage of some of the more flexible capabilities of loosely-typed scripting languages like PHP. Reuse is my best friend, and I’ll take a little extra time to write a single method if I think I can reuse it across the entire application and thus save a lot of extra time. I also rely heavily on AJAX (the PHP XAJAX framework to be exact) to provide a more interactive application for our users.

I was debugging one of those reusable functions that’s called often via AJAX when it occurred to me how difficult it was to secure such a beast for several reasons but primarily because securing this single function would basically negate all the gains in productivity and efficiency I’d gained by implementing it in the first place.