vulnerability in some programming framework - new PR

.gitpod.yml

@@ -0,0 +1,8 @@
+# This configuration file was automatically generated by Gitpod.
+# Please adjust to your needs (see https://www.gitpod.io/docs/config-gitpod-file)
+# and commit this file to your remote git repository to share the goodness with others.
+
+tasks:
+  - init: yarn install && make
+
+

content/articles/vulnerability-in-some-popular-programming-frameworks/index.md

@@ -0,0 +1,100 @@
+## VULNERABILITY IN SOME POPULAR PROGRAMMING FRAMEWORKS
+### Introduction
+Frameworks are tools in programming that are designed to serve as a structure for building efficient software. They help to speed up the development duration, save time and resources, simplify testing processes, and increase reliability.
+Thanks to programming frameworks, developers can go from the overwhelming tasks of writing codes from the ground up to utilizing these specialized tools that produce clean codes, make debugging easier, and provide more protected software. So, it is no surprise that frameworks are one of the many best friends of a developer. Unfortunately, with the infamous belief that frameworks would ultimately protect software, developers tend to ignore how vulnerabilities in frameworks can be exploited by bad people.
+In this article, we will highlight vulnerabilities in some popular programming frameworks, how poor knowledge of these vulnerabilities can expose the software, and the steps to take for more secure software.
+
+### TABLE OF CONTENT
+- [Introduction](#introduction)
+- [Prerequisites](#prerequisites)
+- [Key-takeaways](#key-takeaways)
+- [Vulnerabilities in some popular programming frameworks](#vulnerabilities-in-some-popular-programming-frameworks)
+- [Roles developers play in mitigating vulnerability in some programming frameworks](#roles-developers-play-in-mitigating-vulnerability-in-some-programming-frameworks)
+- [Factors to consider when selecting a framework](#factors-to-consider-when-selecting-a-framework)
+- [Conclusion](#conclusion)
+- [Further reading](#further-reading)
+
+### Prerequisites
+To comprehend this article better, the reader should have an understanding of the following:
+- Programming frameworks and how they work.
+
+### Key-takeaways
+By the end of this article, the reader is expected to acquire the following knowledge:
+- Understand how important the security of a framework is, in terms of mitigating its vulnerabilities.
+- Comprehend the common vulnerabilities in some popular programming frameworks.
+- Learn the best measures to take as a developer to ensure that these vulnerabilities are not exploited.
+- Have knowledge of the factors to consider when choosing a framework for a project.
+
+### Vulnerabilities in some popular programming frameworks
+With the popularity of frameworks, there has been an increase in the search for vulnerabilities by attackers, making some tech companies sceptical about adopting any framework. Vulnerabilities in any framework give an attacker the opportunity to gain control of the software to carry out malicious acts like stealing data or corrupting the system.
+
+When a cybercriminal is able to exploit the vulnerability of software, they can gain access to acquire or destroy important data on the system, disclose confidential information, and even prevent access to the system’s operations. Consequently, this malicious practice can shut down a business empire, an entire software application, or computer systems and servers connected to the affected software. These are just a few of the problems that attackers can cause. 
+
+To prevent these dire consequences and costly issues, securing the frameworks being utilized in software development must never be an afterthought or an option. It must be a priority. Therefore, it is paramount that we understand how the vulnerabilities in some popular programming frameworks can be exploited; to protect the systems better.
+
+##### Python’s Django
+Django is brilliant when it comes to securing the applications built on it. In its latest releases, the open-source Python framework has put in features to address the vulnerabilities. It comes with great user authentication and authorization system that aids in effectively defining and managing the users and permissions. The Queryset API works to prevent SQL injection, and then it also has templates to take care of cross-site scripting.
+Still, we can’t deny that Django is vulnerable to **SQL injection** and **cross-site scripting**. For one, the ability of developers to create raw SQL queries leaves room for injection attacks. Plus, the protection against XSS is not 100%, as a mistake from a developer can open the code up to an attacker.
+
+##### Node.js
+Node.js is a popular framework known for its speed, strong security features that protect data from exposure, and scaling capabilities that help to speed up development. Most functionalities in Node.js are found in modules, which are hosted on and controlled by the Node Package Manager (or NPM). This model allows a community of developers to contribute to it.
+These open-source developers have access to the NPM index files, which gives them permission to launch functions, code snippets, and security techniques into the files. As resourceful as this model is, giving different developer access also exposes Node.js to vulnerabilities such as **Cross-Site Scripting/XSS, data leaks,** and **SQL injection**, etc.
+
+##### Ruby on Rails
+Ruby on Rails is an open-source web framework that prioritizes security as well as speedy and simplified web development processes. It runs on Linux, is based on the model-view-controller (MVC) architecture, has strong security features, and makes use of a highly efficient tool known as gems, which gives developers various functionalities. Although it comes with efficient built-in security features such as the Active Record that is concerned with SQL Injection and the gems that add extra protection when utilized, it is still vital to use strict measures to ensure that the application is not vulnerable to exploits.
+When developers are creating their own queries to the database, it leaves the application vulnerable to **SQL Injection**. Sessions utilized in Rails are more secure than the usual cookie, but they are vulnerable to session hijacking in the form of **cross-site scripting** or **malware**. The gems are very functional, but attackers can exploit the vulnerability in the open source library.
+
+##### ASP.NET Core
+A brainchild of Microsoft, ASP.NET Core is an open-source framework that provides a highly efficient, cross-platform platform for developing web applications. Security is an integral part of this framework as it comes with features for managing data protection, SQL Injection, authentication and authorization, and HTTPS enforcement, amongst others.
+It is remarkable that ASP.NET Core was built with impressive security features, but despite this, there are still some vulnerabilities to be mindful of. They include **SQL Injection attacks, open redirect attacks,** and **Cross-Site Scripting (XSS) attacks**. But In all, ASP.NET Core is a pretty solid framework.
+
+##### Java Spring
+Java Spring is a stable and mature web framework that has in-built features that provide data protection, authentication, and authorization, amongst others, to address several security issues. This Java framework is very handy for developing enterprise web applications and other software.
+Even with the first-class security support provided by Java Spring, there are still some vulnerabilities that can be exploited in this framework. From **SQL Injection to recent discoveries of expertsexploitable vulnerabilities**, these issues highlight the importance of security in building applications, despite the framework's existing security parameters.
+As we may have observed, these popular programming frameworks are highly security-conscious. But along with their integrated features designed to mitigate the issue of vulnerabilities, developers still need to play their part in the security of the applications.
+
+### Roles developers play in mitigating vulnerabilities in some programming frameworks.
+Although security is a critical part of the software development cycle, most developers are not on board with the security strategies that are put in place. Interestingly, developers don’t need to be security expert to play a role in the security of the applications they are building.
+
+In addition, when developers get too comfortable with the mentality that the in-built security features of the frameworks will protect the applications, there is a risk of exposing the vulnerabilities of these frameworks to attackers by their actions or lack of them. With that said, let’s look at the security practices developers can adopt to upgrade the security of the software and mitigate vulnerabilities:
+
+- The best recommendation for any developer is to ensure that they are working on the latest version of the framework, released by the official platform. These frameworks have major releases to address security issues and other forms of vulnerabilities that may exist. So, updating to the latest version on your environment puts you in a safer position.
+
+-  Information leaks can occur through error messages during authentication, information retrieved from the database, or data in the configuration files, and this data can be exploited by hackers to do harm. So, as a developer, it is important that you avoid writing sensitive information in your **git commit,** your source code, and configuration files. A plus is to be extra careful where you copy queries and other codes, as this can be exploited to gain access to the application.
+
+- Do well to set up efficient HTTP security headers. This cannot be overemphasized, as hackers can gain access to your API and the authentication credentials. You can utilize the features present in the framework being used or get a tool that can up the security.
+
+- Set the DEBUG configuration to **False!** By default, it is set to **True,** and aids in generating well-detailed error pages, including metadata and traceback. But this can be a way for a hacker to gain access to the website.
+
+- SECRET KEY, as the name implies, should be kept a secret. You can achieve this by generating a new one and then encrypting it. This is important when using version control systems, as a simple Git commit can make this SECRET KEY visible to a potential hacker. The inbuilt Python’s secret module is usually utilized for this encryption.
+
+- In Node.js, a recommended way to mitigate cross-site scripting attacks is to validate the user input. You can make use of the in-built encoding tools like the **Jade Engine** or utilize other encoding methods to prevent any form of data breach. Modules like **mode-esapi** or **escape-html** can also be used to encode user data, by converting it to Unicode or HTML.
+
+- For Django users, it is easy to dismiss that the in-built Django admin app is a means through which an attacker can access the application being built. Hence, it is recommended that you change it from the default URL to another name.
+
+- Finally, you can use a secure security application to run checks on your site to test for any weaknesses or vulnerabilities.
+
+These frameworks come with powerful tools to protect the applications being built on them, but it is the responsibility of the developer to ensure that they play their part in securing the system.
+
+### Features to look out for when selecting a framework for a software development project
+There are several factors to consider when choosing a framework to use, such as the business strategy, the experience of the team, the needs of the end users, the security of the framework, and the available resources. But for the sake of this article, we would focus on the security and stability of the framework.
+
+The reputation of a framework can serve as a measure of how stable it is. Frameworks that have been around longer have fixed bugs, been updated and have improved their security to address vulnerabilities.
+
+As a developer or software development team, it is crucial that you go through the framework’s official platform, analyze other developers’ reports and reviews, and take into account the in-built security features to give an insight into the efficiency of the framework.
+
+Finally, it is important to put the security practices listed above into practice and still be abreast of recent efforts geared towards better secured applications.
+
+### Conclusion 
+There is a saying that no matter how functional and extraordinary a framework is, it is the developer and not the tool that makes the difference in security.
+
+So, I hope this article would be vital in showing developers how some of their actions have exposed the vulnerabilities of the framework they use and the security features that mitigate these dangerous vulnerabilities. Consequently, developers and companies alike would be more informed when making decisions on the programming framework to use in a software project.
+
+### Further Reading
+- [Vulnerabilities in web and app frameworks fall, but weaponization rate jumps – study](https://portswigger.net/daily-swig/vulnerabilities-in-web-and-app-frameworks-fall-but-weaponization-rate-jumps-study)
+- [What is a Framework in Programming & Why You Should Use One](https://www.netsolutions.com/insights/what-is-a-framework-in-programming/)
+- [Top Programming Languages and Frameworks List For Software Development for 2022](https://www.softermii.com/blog/top-programming-languages-and-frameworks-for-software-development)
+- [How Secure Are Popular Web Frameworks? Here Is a Comparison](https://www.veracode.com/blog/secure-development/how-secure-are-popular-web-frameworks-here-comparison)
+- [How to Prevent Cross-Site Scripting in Node.js](https://www.section.io/engineering-education/how-to-prevent-cross-site-scripting-in-node-js/)
+
+

content/authors/afube-angel/index.md

@@ -1,8 +1,13 @@
----
-title:  Afube Angel
-type: authors
+- - -
+title: Afube Angel
+type:authors
 linkedin: https://www.linkedin.com/in/angel-afube-7045b9176
 images:
-  - url: /engineering-education/authors/afube-angel/avatar.jpg 
----
-Afube Angel is an intelligent and creative freelance technical writer, front end developer and content creator. She is a graduate of Electrical/Electronic Engineering from the Federal University of Technology, Owerri. She is interested in cloud computing, artificial intelligence and digital marketing, and loves to travel and read about the world
+-url: /engineering-education/authors/afube-angel/avatar.jpg
+- - -
+
+Afube Angel is an intelligent and creative freelance technical writer, front end developer and content creator. She is a graduate of Electrical/Electronic Engineering from the Federal University of Technology, Owerri. She is interested in cloud computing, computer security, artificial intelligence and digital marketing, and loves to travel and read about the world
+
+
+
+