Saturday 25 May 2013

Days of Domain-Driven Security

Dear Junior

It has been a truly interesting and challenging DDD Summit, where I have had the chance to present the subject of Domain-Driven Security and discuss it with several of the world's most prominent Domain-Driven Design experts.

There seems to be a general agreement that the way John Wilander, Erland Oftedal and I phrased the subject rings well with the insights of those experts, and that they agree on the means of using doman modelling and context mapping as tools to understand indata validation and vulnerability attacks as Cross-Site Scripting and the various forms of Injection.

I had the honor of being interviewed by Daniel Gackle on Domain-Driven Security as part of a series of DDD videos that Vladimir Gitlevich is producing, and I will surely let you know when it is online.

Daniel amongst others has also given me excellent feedback on my assorted ideas about Domain-Driven Security to give it some structure that is more easily accessible for someone that has not been deeply involved from the start. Hopefully there are some articles or other pieces of writing on their way. Not promising to much, but I will let you know.

You know well that one of my favorite phrases is "nothing is just a String" pointing out that a phone-number is more than any random string, that the same goes for a person's name, for an order number etc. This basically provides the case for typed value objects, typically with validation wrapped in the constructor.

John Wilander has brought this one step further. If it is questionable to ever have just a String, then should not String be an abstract class? Besides making an excellent point in a very well written blogpost, he also provides an example of injection besides the usual SQL Injection which often is easily dismissed as "a solved problem, use prepared statements". I really recommend reading his posting.

It seems to me like this particular week, Domain-Driven Security as a field is experiencing an unusual high level of activity.



Ps. John Wilander recently defended his PhD thesis on software security. Whereas the full text is of course pretty long, he also included a "popular brief" in Swedish which in a few pages summarises his work. Well worth reading, and a good example I think more researchers should follow.