Sunday, March 1, 2009

Ah-ha! I knew I never liked that feature

Part of the new job is re-familiarizing myself with ASP.NET development. I've done this before, obviously, notably at my last job writing web services. But it's been a few years since I've done web pages. So I'm reading Dino Esposito's book "Programming Microsoft ASP.NET 3.5". It's a thorough book; or at least it is so far - I'm only into chapter 2. But what I find I just had in chapter 2.

One of the things the developers at my last shop used to "debate" was whether to develop web applications and do development testing against IIS or the embedded local web server available to Visual Studio 2008. I was always an advocate for developing so the various web services I needed would be available via my box's IIS - I liked the fact I could have a web service available to me without having to included it in my solution. Other developers liked the fact they didn't have to maintain their IIS setup. Once we discovered a project can be set up to allow the developer to work as they prefer we stopped having these "discussions" (because updating the project file from source control no longer messed you up).

But I just read the definitive reason why I would advise people to not use the embedded web server. When your code runs using that server it assumes the level of credentials of the windows account you're signed in as. For far too many of us that means our web code would be running as administrator on the box. This rocks for us as developers because we don't have to worry about all those pesky security issues we would otherwise encounter.

But we're really just kicking that can down the road. For me it comes down to addressing those security issues sooner rather than later. Because it's not like those security concerns aren't going to be raised when the code is put on the test server, or production, and by then it's more expensive to fix (not to mention embarrassing).

So I say:
Embedded web server -baaaaddddd

I hope you do, too.