Every now and then (and recently on another post) some argue that "frameworks" aren't needed. I'm not arguing that all frameworks are good, or bad. I would argue that if one gets an app from GitHub using a "framework", then you assume certain things about the app, based on the underlying framework.

Now, can these implied assumptions be correct? I'm not sure, as I don't know if any framework has a "test suite" that one can run to ensure the app is actually using the underlying framework. So the app could have serious holes in it. The same can be said for a PHP app that's homegrown. Who really knows what you're getting? Unless the app is from a "solid" operation (msft/goog/meta/etc.), who knows what you'd really be getting underneath the covers?

So... what's a small dev to do? In a reasonable dev env, you'd have the dev process, as well as test (considerable), both during dev, as well as pre-production. You'd have security tests running through a bunch of scenarios including all kinds of external situations/inputs, edge cases, etc.

Feel free to comment (reasonable/no screaming!!)

Thanks