undefined | Better HN

0 pointsgiardini4y ago0 comments

raesene9:5 says >"Having classic ASP pages hosted on a production system in 2021 seems like a pretty strong indication of a lack of codebase maintenance and auditing."<

AFAIK classic ASP pages can be as secure as those in any other framework. The vulnerabilities (most commonly SQL injection) are known and are addressable.

I know it chafes at some (Microsoft marketers esp.?) that ASP pages are still around. But classic ASP is yet another example of that old adage "If it ain't broke, don't fix it!"

I watched one organization assign an entire division of programmers to develop a moderately-sized ASP.NET application: they went through orientation and training in ASP.NET and then planned, designed, coded and rolled out ...nothing! After two years there was literally nothing!

A perceptive manager in another division approached his sole ASP developer and asked if she could write some ASP code to "demo" that same project. She looked at the specifications and then quietly wrote an entire system!

Weeks later, when the department heads saw her "demo", they thought the ASP.NET developers had completed it. Imagine their surprise to find that what they were looking at was done, not by the ASP.NET group funded millions of dollars but by someone in another division: a single focused classic ASP developer quietly working downstairs.

Nonetheless IIRC ASP pages reach end-of-life support by Microsoft in 2025 so it might make sense to migrate. But b/c classic ASP was written in a manner consistent with early web standards (CGI/APACHE) migration of classic ASP to one of the various classic ASP-like frameworks in PHP, Perl, Ruby et al would likely be easier, faster and cheaper. Migration would be mostly translation and much, if not all, could be automated.

In contrast, moving classic ASP to ASP.NET would be more fraught with problems. The underlying models of the WWW are inconsistent.

0 comments

13 comments · 3 top-level

Shacklz4y ago· 7 in thread

> and then wrote an entire system!

Yes yes. And this was of course very maintainable, up to todays standards, easy to onboard new hires in, not falling apart in edge cases that weren't part of the demo, code that was audited by multiple developers, it didn't make any shortcuts in terms of security, etc. etc. etc.

That some business guys are amazed by the "lone wolf dev skills" might be explainable, but on HN we should know better. Yes, there are devs that get a ton done irrelevant of framework, but "getting things done" (in terms of business requirements) is only part of the story.

mcguire4y ago

Once upon a time, there was an application that needed to be replaced. (Apache mod_perl 1!?) My employer put a team together to do it, a team that was very concerned that it be "very maintainable, up to todays standards, easy to onboard new hires in", etc. Unfortunately, they apparently failed to include "working" in there. As the project schedule began to slip, they added more people to the team.

Eventually, after many months and at least a couple million dollars, I and three other people got dragged in: another developer (no one lets me do UI code), a good project manager to coordinate with users and management, and a developer/tech lead/manager who had two unique abilities: good at cutting Gordian knots, and having enough political capital to say "no" to people (most people around couldn't say "no" to save their life; I can and do, but nobody listens to me). The latter promptly booted the previous team off the project.

Within four months, we had the new app up and running and in production. I'm told that it has one of the best issue track records in our area, including never having had a sev 1 outage. On the other hand, I have heard some of its current maintainers complain about it not being "up to todays standards" because we deliberately kept it simple rather than adopting a bunch of complexity for resume-padding reasons.

reaperducer4y ago

That some business guys are amazed by the "lone wolf dev skills" might be explainable, but on HN we should know better.

I'm less cynical than you are about the parent comment, largely because I'm watching the same scenario unfold within my own company.

We're on year two of the million-dollar team turning out nothing. I'm in a different department, but my position means I liaise with lots of different people throughout the organization, so I also know that a single dev in a third department is half-way through solving the problem because a ultra-high-level manager doesn't want to wait anymore and will use it as an excuse to can the other team and that department's director.

And this was of course very maintainable, up to todays standards, easy to onboard new hires in, not falling apart in edge cases that weren't part of the demo, code that was audited by multiple developers, it didn't make any shortcuts in terms of security, etc. etc. etc.

Unless you've seen the person's codebase, it's uncharitable for you to assume that it's deficient, perhaps based on your own experiences.

If this scenario can happen in two companies, it might be more common that any of us realize.

codebolt4y ago

Indeed, I'm personally half of a two-dev team maintaining and developing a system that I'd say falls deep into this category. Our giant legacy codebase has a few warts, but on the whole it follows a few simple design patterns that, once you understand them, makes it very easy to find your way around and change/extend. We also have an extensive domain understanding and direct contact with our user base, so we design, implement, review/test and deploy features very fast compared to any other team I've encountered in the organization. And though the underlying technology is mostly ancient, our product is growing strongly and consistently outcompeting systems with budgets of a different stratosphere in the open market.

mcguire4y ago

Three.

giardiniOP4y ago

There was user & supervisor security (code that she had developed for another system). It included backup of code and databases.

What was shown wasn't a demo - it was a full implementation. It was rolled into production weeks after the first showing and AFAIK is still in use 20 years later.

What is there other than "getting things done" (that is, other than bitching about it)?

Shacklz4y ago

Hey look, I'm not saying that it's not possible. I even believe you - in a lot of big companies, there are so many "bloat"-teams that don't really do all that much, that just drift around in the currents that flow when cash is abundant and will get shafted the moment the company has to tighten its belt (or goes belly-up altogether, if the company is incapable of identifying its inefficiencies).

That being said, we should really take these anecdotes with the appropriate grain of salt. After all, we're here in a thread about countless companies being threatened by security flaws. A dev that "gets things done" (from a business point of view) might actually do that, but do they also think about all those other requirements that business themselves can neither validate nor appreciate if measured by short-term KPIs?

I'm not saying that's happening, but I've seen too many "Why are you spending weeks on this, I can do this in half a day!"-kind-of-devs, that then hack something together that technically works as the requirements demanded, but completely falls flat under any aspects of maintainability and extensibility, let alone security.

astrange4y ago

> That some business guys are amazed by the "lone wolf dev skills" might be explainable, but on HN we should know better. Yes, there are devs that get a ton done irrelevant of framework, but "getting things done" (in terms of business requirements) is only part of the story.

No, you shouldn't be surprised about this, it's natural that smaller dev teams are actually faster. This is Mythical Man-Month.

raesene94y ago· 2 in thread

The thing about Classic ASP is that it has no in-built protections and the individual developer has to code all defence, which is not great.

Also, how many classic ASP developers are there now , to add new protections for new issues...

And if you look at the linked thread, it doesn't seem like they've done a great job of maintenance...

giardiniOP4y ago

raesene9 says >"The thing about Classic ASP is that it has no in-built protections and the individual developer has to code all defence,,,"<

Yes, it is just like PHP or Perl or Ruby with the CGI specification.

raesene9 says >" how many classic ASP developers are there now ..."<

Good question! But IMO a web developer could learn classic ASP in a single day!8-))

raesene9 says >"the individual developer has to code all defence,<

Yes, just like PHP or Perl or Python.

raesene94y ago

Sure so they learn classic ASP in a day, now they have to code their own custom routines for XSS protection, SQLi Protection, SSRF protection etc etc etc

or.... they could move the application to a supported platform with a wider developer base and in-built protections against common web application security attacks.

There is a reason why most web app developers do not hand code their entire stacks. For example why ruby web developers use rails. Web app. sec. is a a relatively complex field to get right, full of edge cases. Having each and every web app development team take the time to understand all those cases and edges probably isn't the best use of scarce developer resources.

orf4y ago· 1 in thread

I can build a Twitter clone in a couple of hours. I’ll email my demo to the CEO and tell him he’s wasting millions of dollars on his engineering division.

giardiniOP4y ago

Please do!

But the best way to do this is (and the way consistent with this thread's narrative) is to to develop the final system before you tell the CEO. Oh, and best to have a supervisor for you who does the telling.

j / k navigate · click thread line to collapse

0 comments

13 comments · 3 top-level

Shacklz4y ago· 7 in thread

> and then wrote an entire system!

mcguire4y ago

reaperducer4y ago

That some business guys are amazed by the "lone wolf dev skills" might be explainable, but on HN we should know better.

I'm less cynical than you are about the parent comment, largely because I'm watching the same scenario unfold within my own company.

Unless you've seen the person's codebase, it's uncharitable for you to assume that it's deficient, perhaps based on your own experiences.

If this scenario can happen in two companies, it might be more common that any of us realize.

codebolt4y ago

mcguire4y ago

Three.

giardiniOP4y ago

There was user & supervisor security (code that she had developed for another system). It included backup of code and databases.

What was shown wasn't a demo - it was a full implementation. It was rolled into production weeks after the first showing and AFAIK is still in use 20 years later.

What is there other than "getting things done" (that is, other than bitching about it)?

Shacklz4y ago

astrange4y ago

No, you shouldn't be surprised about this, it's natural that smaller dev teams are actually faster. This is Mythical Man-Month.

raesene94y ago· 2 in thread

The thing about Classic ASP is that it has no in-built protections and the individual developer has to code all defence, which is not great.

Also, how many classic ASP developers are there now , to add new protections for new issues...

And if you look at the linked thread, it doesn't seem like they've done a great job of maintenance...

giardiniOP4y ago

raesene9 says >"The thing about Classic ASP is that it has no in-built protections and the individual developer has to code all defence,,,"<

Yes, it is just like PHP or Perl or Ruby with the CGI specification.

raesene9 says >" how many classic ASP developers are there now ..."<

Good question! But IMO a web developer could learn classic ASP in a single day!8-))

raesene9 says >"the individual developer has to code all defence,<

Yes, just like PHP or Perl or Python.

raesene94y ago

Sure so they learn classic ASP in a day, now they have to code their own custom routines for XSS protection, SQLi Protection, SSRF protection etc etc etc

or.... they could move the application to a supported platform with a wider developer base and in-built protections against common web application security attacks.

orf4y ago· 1 in thread

I can build a Twitter clone in a couple of hours. I’ll email my demo to the CEO and tell him he’s wasting millions of dollars on his engineering division.

giardiniOP4y ago

Please do!

j / k navigate · click thread line to collapse