One of the questions you should ask your software vendor is whether they are using a framework. This is particularly important if you are having your website or web application developed in PHP. PHP allows for quick development without a framework, but working that way is typically bad practice. If your vendor is not using a framework, you should probably seek another vendor.
What could go wrong without a framework?
We were brought into a project to assist with some user interface development and features. To our dismay we found that the overall application had been built without a framework, and without great concern for security. The first of the two issues we found was that the code was difficult to follow because there was no real standard; it was developed as the developer saw fit. With an open source framework you get the best developers from all around the world ensuring good standards.
The second issue was that of missing security. In PHP you want to ensure people cannot hack your database through your application's queries, an attack called SQL injection. One of the ways to prevent SQL injection is to use prepared statements. These were not being used, something a framework would typically enforce. SQL injection is one such possible attack, or "attack vector"; for a great resource on the others, start with the OWASP Top 10.
A web framework like Laravel or Symfony provides guidance
Let's face it, not every vendor out there hires the best developers. Web frameworks help even mediocre developers build applications with some security and some good practices, because they have to follow the framework's guidelines and rules. With a framework you have to play by its rules. It also allows great developers to move quickly and provide a large range of functionality quickly and reliably.
A web framework provides common components
Modern web frameworks provide large feature sets that are typically open source, community vetted, and flexible. Symfony provides packages for users, security, forums, email, login, etc. Think of Symfony components like you would WordPress plugins: they are pre-built components that speed up development and provide good code quality.
What should you do if you find they are not using a framework?
I would argue that they should rewrite the project. Alternatively, you could have a third party like Rapineda audit the code and advise accordingly. Normally it would be a terrible waste to redo work by rewriting the code in a framework, but if you are early enough in development there could be a good case for it. Additionally, if they have taken appropriate security precautions, you may be able to get away without a rewrite. Ultimately, however, without a framework you are missing a lot of the benefits of modern application development.
Alex Pineda - Written March 25, 2015