|
I bet they're thinking to themselves, "I scream ice cream but nobody hears me."
Jeremy Falcon
|
|
|
|
|
I'm reminded of a song lyric.
James McMurtry: Gray squirrel running down the telephone wire
Kids around the poolside screaming like cats on fire
Cats on fire chasing after the ice cream van
But that circus music's got to be hell on the ice
cream man
He clips his roach and he hauls his load
Taking his half out of the middle of the road
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikins uncle
|
|
|
|
|
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework.
I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!"
I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Was there any explanation given at all why existing functionality should not be used?
|
|
|
|
|
Nothing coherent. Just a wave of the hand and being told that I was "only giving theory," as a reason to disregard what I was saying.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Is he planning a red-team attack, to make sure it works?
|
|
|
|
|
If it ain't broke don't fix it!
A home without books is a body without soul. Marcus Tullius Cicero
PartsBin an Electronics Part Organizer - Release Version 1.4.0 (Many new features) JaxCoder.com
Latest Article: EventAggregator
|
|
|
|
|
Mike Hankey wrote:
If it ain't broke don't fix it!
I usually end up with " If it's fixed, break it, then fix it differently and pat myself on the back for a good job well done!
CQ de W5ALT
Walt Fair, Jr.PhD P. E.
Comport Computing
Specializing in Technical Engineering Software
|
|
|
|
|
I hear ya!
A home without books is a body without soul. Marcus Tullius Cicero
PartsBin an Electronics Part Organizer - Release Version 1.4.0 (Many new features) JaxCoder.com
Latest Article: EventAggregator
|
|
|
|
|
If it ain't broke, fix it 'til it is.
|
|
|
|
|
Last few days seems like it, I've struggled with most everything I've attempted to do.
A home without books is a body without soul. Marcus Tullius Cicero
PartsBin an Electronics Part Organizer - Release Version 1.4.0 (Many new features) JaxCoder.com
Latest Article: EventAggregator
|
|
|
|
|
Forget security holes, what about security compliance and/or 3rd party audits? Depending on your client requirements, the effort needed to confirm compliance may make roll-your-own security a non-starter. For example, you may need to provide an auditing body a copy of your code, and re-submit for every code change that's made, at whatever that cost is to you (or your client) may be prohibitive. Particularly if the auditing body is slow, and you need to get changes out quickly.
For security issues, I'd always want to go with a tried-and-true solution, rather than trying to roll my own. I'm not going to try to write my own SSL or AES implementation when there's off the shelf packages that do that. I can have reasonable expectations that 1) they're relative bug free, 2) any bugs or exploits will be addressed in a timely manner and 3) they have an established base of users that give feedback on 1 and 2.
Additionally, with roll-your-own, you'll have to dedicate some resources to maintain that portion of your product, which may include maintaining compliance with changing standards. Is your development department deep enough to handle that?
"A little song, a little dance, a little seltzer down your pants"
Chuckles the clown
|
|
|
|
|
This is a great explanation of other reasons to go with the framework!
Our development team consists of me, one other guy and a summer intern. I think we're in trouble.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
May the force be with you, buddy.
Jeremy Falcon
|
|
|
|
|
Roll your own by layering it atop the other?
|
|
|
|
|
No, not atop the framework. Completely disregarding the framework.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Yes, but I mean, layer it atop and say you rolled your own.
|
|
|
|
|
I don't follow your clarification.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Like putting a Big Mac in your own wrapper and telling your boss you made it yourself.
|
|
|
|
|
Like the vegan donut place that was selling donuts from another store.
|
|
|
|
|
So he wants to use this gem?
SELECT * FROM Users WHERE UserName=@username AND Password=@password
There's a reason why there are so few secure authentication frameworks. Security is very difficult to get right. No offense to you or your team, but the chances your team is going to come up with something that doesn't have more security holes in it than an established framework is close to zero.
Your new Director is showing massive inexperience with a single demand. Where did this person come from and are they still in business?
|
|
|
|
|
Thank you! That's what I thought.
Other people in the company have said to me that they think he's a bit of a charlatan. He is a big talker to upper management.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
When it came to the website that drives my team processes, we just went with Windows Auth. No login page and no user management on our part, and it's about as secure as you can get with minimal effort. HR takes care of the AD accounts and users can request security group membership on their own, and we approve/deny any requests to the groups the site uses.
All group memberships are looked at for what you can see/do. If you're not in any groups, you get read-only access to a limited portion of the site.
About the only thing we do as far as users is the site allows you to create a user profile where you get to set a bunch of defaults, like landing pages, default view tabs, email notification subscriptions, color theme, font size, and a bunch of other stuff.
|
|
|
|
|
Maybe it's time to look for another job?
|
|
|
|
|
One way to manage up is to email him and his boss with your concerns, laid out with lots of details, risk analysis, cost/benefits, pros & cons of each approach. Then finish with your recommendation. It amounts to pretending that you had your boss's job and had to convince his boss which approach would be best for the company. If your boss's boss can see you doing a better job than your boss, maybe they'll fire him and give you a promotion!
Of course, how effective this is (and whether or not it should even be done) depends on company culture, how much of an a** your bosses are, etc.
Bond
Keep all things as simple as possible, but no simpler. -said someone, somewhere
|
|
|
|