|
So he wants to use this gem?
SELECT * FROM Users WHERE UserName=@username AND Password=@password
There's a reason why there are so few secure authentication frameworks. Security is very difficult to get right. No offense to you or your team, but the chances your team is going to come up with something that doesn't have more security holes in it than an established framework is close to zero.
Your new Director is showing massive inexperience with a single demand. Where did this person come from and are they still in business?
|
|
|
|
|
Thank you! That's what I thought.
Other people in the company have said to me that they think he's a bit of a charlatan. He is a big talker to upper management.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
When it came to the website that drives my team processes, we just went with Windows Auth. No login page and no user management on our part, and it's about as secure as you can get with minimal effort. HR takes care of the AD accounts and users can request security group membership on their own, and we approve/deny any requests to the groups the site uses.
All group memberships are looked at for what you can see/do. If you're not in any groups, you get read-only access to a limited portion of the site.
About the only thing we do as far as users is the site allows you to create a user profile where you get to set a bunch of defaults, like landing pages, default view tabs, email notification subscriptions, color theme, font size, and a bunch of other stuff.
|
|
|
|
|
Maybe it's time to look for another job?
|
|
|
|
|
One way to manage up is to email him and his boss with your concerns, laid out with lots of details, risk analysis, cost/benefits, pros & cons of each approach. Then finish with your recommendation. It amounts to pretending that you had your boss's job and had to convince his boss which approach would be best for the company. If your boss's boss can see you doing a better job than your boss, maybe they'll fire him and give you a promotion!
Of course, how effective this is (and whether or not it should even be done) depends on company culture, how much of an a** your bosses are, etc.
Bond
Keep all things as simple as possible, but no simpler. -said someone, somewhere
|
|
|
|
|
Hi Matt, I think this is a terrific idea, except that I don't know how breaking the chain of command might adversely affect my employment status.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Well, just send it to your boss, CC your dev team. Then keep a back-up. At least you have it for CYA purposes when things go south.
Bond
Keep all things as simple as possible, but no simpler. -said someone, somewhere
|
|
|
|
|
Dave Kreskowiak wrote: So he wants to use this gem?
SQL
SELECT * FROM Users WHERE UserName=@username AND Password=@password That's the most disturbing thing I have yet to encounter today. **shudders**
|
|
|
|
|
I think
var selectStatement = $"select * from Users where Username='{userName}' and Password='{passWord}'
Is perhaps more shudder inducing.
Edit: aha, I see Richard beat me to that particular bit of nastiness.
|
|
|
|
|
Dave Kreskowiak wrote: So he wants to use this gem? Dave, now that I've had time to think about your post, I'm wondering what you're saying is wrong with that SQL statement. It looks like it's using parameters, so I'm wondering. Keep in mind that I don't know the first thing about designing an authentication library.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Typically, this is something that would be used by someone storing passwords in plain text.
|
|
|
|
|
He'd probably reject that because he read the headline of an article on LinkedOut that said that parameters are evil and should be avoided at all costs!
string query = "SELECT * FROM Users WHERE UserName = '" + TextBox11.Text + "' AND Password = '" + TextBox42.Text + "'";
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
He sounds like a guy that just BSed his way into his position. There's a time and a place to reinvent the wheel, but security is not something to be taken lightly. I don't use ASP.NET these days, but common sense says Microsoft and their 200 billion dollar budget put more effort into the framework than some company with a director speaking like they're still in teenager land (OMGZ all things suckz except what I like).
If he can't articulate a good reason why, that the engineers can appreciate, then he's full of excrement. Besides, a good director should know he's out of touch with some tech and needs to listen to people in the trenches. So, maybe you could convince him if you present your case of why that's a bad idea. But still, my gut reaction says teenager in an adult's body.
As k5054 mentioned, there are compliance issues (which to be fair the framework may not even handle), testing issues (please don't tell this dude hates unit tests), and issues some may not even think about where a hacker can get your data. Again, I don't use ASP.NET these days, but I do know a hacker can easily bypass encrypted data with a tiny bit of injected script. So, all that encryption means squat if done.
Now, there are third party solutions that I wouldn't use for some very valid reasons. But, this isn't that scenario. Granted, I don't use ASP.NET these days so I'm talking out of my arse. But common sense is common sense. If he's so gung ho about it, he should be able to state why.
Jeremy Falcon
modified 12-Jul-24 21:39pm.
|
|
|
|
|
It's a little like upside down world because during the discussion, he said he thought that I wasn't backing up my arguments with any substance, "just theory."
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Assuming the meeting wasn't confrontational, then put together a report that articulates all the reasons why it's a bad idea. If he was a ever an engineer in a previous life and it's was a friendly thing he'll listen. If not, he was never an engineer.
Also, it sounds like your dev team is way too small to reinvent the wheel. I'd be surprised if the executives are ok with spinning that kinda money for no gain when there's only 2.5 devs.
Jeremy Falcon
|
|
|
|
|
Oh you're so right. Fortunately the higher ups are not going to go all in until we produce a demo program to show what we can do. This puts a serious crimp in our potential output.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Oh man, that's a nasty spot to be in.
|
|
|
|
|
Reinventing the wheel. Maybe a squarish / triangularish kind of wheel.
|
|
|
|
|
Make the wheel stationary, and the earth move under it.
|
|
|
|
|
I remember your post about this in the Web Development forum, titled Identity Management Recommendations[^]
I have great interest in this same topic. I'm currently working on an authentication and authorization system for my Chromosphere.com project.Richard Andrew x64 wrote: So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. Your dev team is made up of three people, right? What kind of deadline are you on? A dev team that small, regardless of any team member's skill and experience, will exhaust a huge amount of time and money developing this. In addition, it needs to be maintained and updated as security needs are always changing. Every day, you will need to seek out the most recent exploits and vulnerabilities, fix them, and test them. Does a 3 person dev team have the time and resources to do this? No way!
Richard Andrew x64 wrote: I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" He's right. If you create a hacker's playground, everything will go down. If all computer systems are perpetually down, then there won't be any bugs to exploit.
What's the percentage of downtime your systems have? Anything under 99.9% uptime is unacceptable. If your IT director doesn't realize this, he lives under a rock.
Richard Andrew x64 wrote: I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right? You are 100% right. Your IT director is absolutely wrong.
I'm not in your shoes, so I can't fully understand who and what you are dealing with here. If the leadership at the top insists on committing such a disastrous mistake, then it's clear that they don't understand this at all. If they won't listen to reason, that's their fault. Working under such leadership is the perfect reason to seek out a new job.
Richard Andrew x64 wrote: I don't intend to pull the eject cord on this job That just might be the answer. I've been in many situations like the one you're in. It's not that you should pull the plug. Tell your IT Director that you're putting in your two-week notice. Yes, I'm serious! I know that sounds extremely drastic, but I've done such things in many cases. It works, too. Call a drastic bluff, and they'll not only pay attention, but they'll accommodate you.
If you don't want to make such a bold move, that's fine. If leadership is able to reason, then explain the damage of making such a mistake in terms of monetary loss. Provide them with factual documentation from solid and reputable sources on why their idea could cause catastrophic monetary repercussions.
|
|
|
|
|
Reminds me of an old song; Roll another one just like the other one...
A home without books is a body without soul. Marcus Tullius Cicero
PartsBin an Electronics Part Organizer - Release Version 1.4.0 (Many new features) JaxCoder.com
Latest Article: EventAggregator
|
|
|
|
|
Just convince him (or better, make HIM convince you and others) that you have an external pen-test on the result done. If the result is fine, all is ok. Otherwise, some change requests are to be opened.
|
|
|
|
|
You are definitely right, your IT director has no idea what he is talking about. I would be interested though in how secure (or what you are securing), this could reflect the level of security required.
Your best bet is to explain how vulnerable not having good security will potentially make your data. Point out (as others have mentioned) how expensive it will be to implement your own security framework. Also, be aware that when this goes t**ts up, the person they're going to point the finger at is you, NOT the IT Director as you are the implementor, so be aware.
It is work noting that correct implementation of security in existing frameworks is NOT theory and someone with the title of IT Director should know this. Now you could take a couple of directions:
1. Tell them if this is really what is required, then please accept my resignation.
2. Ask the IT Director how he proposes to implement such a security system. Explain how you would value his experience in creating/maintaining such systems in the past. If/when he says it's not his place to write code but yours, then explain that what he is suggesting is also theoretical and that you will be using a framework to implement the security safely as he has expressed (and clarified) it's you that writes the code, not him.
That might help.
|
|
|
|
|
Gather metrics to eliminate the "my opinion vs. your opinion" thing.
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
|
|
|
|
|
I'll chime in -- your director is clueless. Based upon your comments, my guess is that he wants to be able to take credit for "leading the project" when applying for his next job after he FUBAR's this one.
Provide him with 2 estimates:
1. # hours required to implement the ASP.NET Core framework.
2. # hours required to implement a home-grown solution.
If estimate #2 is not at least 100 times the size of estimate #1, I'll be surprised. Never argue with idiots -- beat them about the head-and-shoulders with facts.
|
|
|
|
|