|
If it ain't broke, fix it 'til it is.
|
|
|
|
|
Last few days seems like it, I've struggled with most everything I've attempted to do.
A home without books is a body without soul. Marcus Tullius Cicero
PartsBin an Electronics Part Organizer - Release Version 1.4.0 (Many new features) JaxCoder.com
Latest Article: EventAggregator
|
|
|
|
|
Forget security holes, what about security compliance and/or 3rd party audits? Depending on your client requirements, the effort needed to confirm compliance may make roll-your-own security a non-starter. For example, you may need to provide an auditing body a copy of your code, and re-submit for every code change that's made, at whatever that cost is to you (or your client) may be prohibitive. Particularly if the auditing body is slow, and you need to get changes out quickly.
For security issues, I'd always want to go with a tried-and-true solution, rather than trying to roll my own. I'm not going to try to write my own SSL or AES implementation when there's off the shelf packages that do that. I can have reasonable expectations that 1) they're relative bug free, 2) any bugs or exploits will be addressed in a timely manner and 3) they have an established base of users that give feedback on 1 and 2.
Additionally, with roll-your-own, you'll have to dedicate some resources to maintain that portion of your product, which may include maintaining compliance with changing standards. Is your development department deep enough to handle that?
"A little song, a little dance, a little seltzer down your pants"
Chuckles the clown
|
|
|
|
|
This is a great explanation of other reasons to go with the framework!
Our development team consists of me, one other guy and a summer intern. I think we're in trouble.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
May the force be with you, buddy.
Jeremy Falcon
|
|
|
|
|
Roll your own by layering it atop the other?
|
|
|
|
|
No, not atop the framework. Completely disregarding the framework.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Yes, but I mean, layer it atop and say you rolled your own.
|
|
|
|
|
I don't follow your clarification.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Like putting a Big Mac in your own wrapper and telling your boss you made it yourself.
|
|
|
|
|
Like the vegan donut place that was selling donuts from another store.
|
|
|
|
|
So he wants to use this gem?
SELECT * FROM Users WHERE UserName=@username AND Password=@password
There's a reason why there are so few secure authentication frameworks. Security is very difficult to get right. No offense to you or your team, but the chances your team is going to come up with something that doesn't have more security holes in it than an established framework is close to zero.
Your new Director is showing massive inexperience with a single demand. Where did this person come from and are they still in business?
|
|
|
|
|
Thank you! That's what I thought.
Other people in the company have said to me that they think he's a bit of a charlatan. He is a big talker to upper management.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
When it came to the website that drives my team processes, we just went with Windows Auth. No login page and no user management on our part, and it's about as secure as you can get with minimal effort. HR takes care of the AD accounts and users can request security group membership on their own, and we approve/deny any requests to the groups the site uses.
All group memberships are looked at for what you can see/do. If you're not in any groups, you get read-only access to a limited portion of the site.
About the only thing we do as far as users is the site allows you to create a user profile where you get to set a bunch of defaults, like landing pages, default view tabs, email notification subscriptions, color theme, font size, and a bunch of other stuff.
|
|
|
|
|
Maybe it's time to look for another job?
|
|
|
|
|
One way to manage up is to email him and his boss with your concerns, laid out with lots of details, risk analysis, cost/benefits, pros & cons of each approach. Then finish with your recommendation. It amounts to pretending that you had your boss's job and had to convince his boss which approach would be best for the company. If your boss's boss can see you doing a better job than your boss, maybe they'll fire him and give you a promotion!
Of course, how effective this is (and whether or not it should even be done) depends on company culture, how much of an a** your bosses are, etc.
Bond
Keep all things as simple as possible, but no simpler. -said someone, somewhere
|
|
|
|
|
Hi Matt, I think this is a terrific idea, except that I don't know how breaking the chain of command might adversely affect my employment status.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Well, just send it to your boss, CC your dev team. Then keep a back-up. At least you have it for CYA purposes when things go south.
Bond
Keep all things as simple as possible, but no simpler. -said someone, somewhere
|
|
|
|
|
Dave Kreskowiak wrote: So he wants to use this gem?
SQL
SELECT * FROM Users WHERE UserName=@username AND Password=@password That's the most disturbing thing I have yet to encounter today. **shudders**
|
|
|
|
|
I think
var selectStatement = $"select * from Users where Username='{userName}' and Password='{passWord}'
Is perhaps more shudder inducing.
Edit: aha, I see Richard beat me to that particular bit of nastiness.
|
|
|
|
|
Dave Kreskowiak wrote: So he wants to use this gem? Dave, now that I've had time to think about your post, I'm wondering what you're saying is wrong with that SQL statement. It looks like it's using parameters, so I'm wondering. Keep in mind that I don't know the first thing about designing an authentication library.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Typically, this is something that would be used by someone storing passwords in plain text.
|
|
|
|
|
He'd probably reject that because he read the headline of an article on LinkedOut that said that parameters are evil and should be avoided at all costs!
string query = "SELECT * FROM Users WHERE UserName = '" + TextBox11.Text + "' AND Password = '" + TextBox42.Text + "'";
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
He sounds like a guy that just BSed his way into his position. There's a time and a place to reinvent the wheel, but security is not something to be taken lightly. I don't use ASP.NET these days, but common sense says Microsoft and their 200 billion dollar budget put more effort into the framework than some company with a director speaking like they're still in teenager land (OMGZ all things suckz except what I like).
If he can't articulate a good reason why, that the engineers can appreciate, then he's full of excrement. Besides, a good director should know he's out of touch with some tech and needs to listen to people in the trenches. So, maybe you could convince him if you present your case of why that's a bad idea. But still, my gut reaction says teenager in an adult's body.
As k5054 mentioned, there are compliance issues (which to be fair the framework may not even handle), testing issues (please don't tell this dude hates unit tests), and issues some may not even think about where a hacker can get your data. Again, I don't use ASP.NET these days, but I do know a hacker can easily bypass encrypted data with a tiny bit of injected script. So, all that encryption means squat if done.
Now, there are third party solutions that I wouldn't use for some very valid reasons. But, this isn't that scenario. Granted, I don't use ASP.NET these days so I'm talking out of my arse. But common sense is common sense. If he's so gung ho about it, he should be able to state why.
Jeremy Falcon
modified 12-Jul-24 21:39pm.
|
|
|
|
|
It's a little like upside down world because during the discussion, he said he thought that I wasn't backing up my arguments with any substance, "just theory."
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|