Roll your own...

The Lounge | Tags: asp-net, security, csharp, dotnet, question | 49 Posts, 25 Posters
In reply to Dave Kreskowiak:

    So he wants to use this gem?

        SELECT * FROM Users WHERE UserName=@username AND Password=@password

    There's a reason why there are so few secure authentication frameworks. Security is very difficult to get right. No offense to you or your team, but the chances your team is going to come up with something that doesn't have more security holes in it than an established framework is close to zero. Your new Director is showing massive inexperience with a single demand. Where did this person come from and are they still in business?

    Asking questions is a skill | CodeProject Forum Guidelines | Google: C# How to debug code | Seriously, go read these articles. | Dave Kreskowiak

Steve Raw (#23):

Dave Kreskowiak wrote:

    So he wants to use this gem?

        SELECT * FROM Users WHERE UserName=@username AND Password=@password

That's the most disturbing thing I have yet to encounter today. **shudders**
In reply to Richard Andrew x64:

    So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?

    The difficult we do right away... ...the impossible takes slightly longer.

Steve Raw (#24):

I remember your post about this in the Web Development forum, titled Identity Management Recommendations. I have great interest in this same topic. I'm currently working on an authentication and authorization system for my Chromosphere.com project.

Richard Andrew x64 wrote:

    So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework.

Your dev team is made up of three people, right? What kind of deadline are you on? A dev team that small, regardless of any team member's skill and experience, will exhaust a huge amount of time and money developing this. In addition, it needs to be maintained and updated as security needs are always changing. Every day, you will need to seek out the most recent exploits and vulnerabilities, fix them, and test them. Does a 3 person dev team have the time and resources to do this? No way!

Richard Andrew x64 wrote:

    I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!"

He's right. If you create a hacker's playground, everything will go down. If all computer systems are perpetually down, then there won't be any bugs to exploit. What's the percentage of downtime your systems have? Anything under 99.9% uptime is unacceptable. If your IT director doesn't realize this, he lives under a rock.

Richard Andrew x64 wrote:

    I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?

You are 100% right. Your IT director is absolutely wrong. I'm not in your shoes, so I can't fully understand who and what you are dealing with here. If the leadership at the top insists on committing such a disastrous mistake, then it's clear that they don't understand this at all. If they won't listen to reason, that's their fault. Working under such leadership is the perfect reason to seek out a new job.

Richard Andrew x64 wrote:

    I don't intend to pull the eject cord on this job

That just might be the answer.
In reply to Richard Andrew x64's opening post (quoted in full above):

Mike Hankey (#25):

Reminds me of an old song: Roll another one just like the other one...

A home without books is a body without soul. - Marcus Tullius Cicero | PartsBin, an Electronics Part Organizer - Release Version 1.4.0 (Many new features) | JaxCoder.com | Latest Article: EventAggregator
In reply to Dave Kreskowiak's post (quoted in full above):

Richard Andrew x64 (#26):

Dave Kreskowiak wrote:

    So he wants to use this gem?

Dave, now that I've had time to think about your post, I'm wondering what you're saying is wrong with that SQL statement. It looks like it's using parameters, so I'm wondering. Keep in mind that I don't know the first thing about designing an authentication library.

The difficult we do right away... ...the impossible takes slightly longer.
In reply to Mike Hankey:

    If it ain't broke don't fix it!

Dr Walt Fair PE (#27):

Mike Hankey wrote:

    If it ain't broke don't fix it!

I usually end up with "If it's fixed, break it, then fix it differently and pat myself on the back for a good job well done!"

CQ de W5ALT

Walt Fair, Jr. PhD P.E. | Comport Computing | Specializing in Technical Engineering Software
In reply to Dr Walt Fair PE's post (quoted in full above):

Mike Hankey (#28):

I hear ya!

A home without books is a body without soul. - Marcus Tullius Cicero | PartsBin, an Electronics Part Organizer - Release Version 1.4.0 (Many new features) | JaxCoder.com | Latest Article: EventAggregator
In reply to Richard Andrew x64's #26 (quoted in full above):

Dave Kreskowiak (#29):

Typically, this is something that would be used by someone storing passwords in plain text.

Asking questions is a skill | CodeProject Forum Guidelines | Google: C# How to debug code | Seriously, go read these articles. | Dave Kreskowiak
In reply to Richard Andrew x64's opening post (quoted in full above):

Harald M (#30):

Just convince him (or better, make HIM convince you and others) that you have an external pen-test on the result done. If the result is fine, all is ok. Otherwise, some change requests are to be opened.
In reply to Dave Kreskowiak's post (quoted in full above):

Richard Deeming (#31):

He'd probably reject that because he read the headline of an article on LinkedOut that said that parameters are evil and should be avoided at all costs! :laugh:

    string query = "SELECT * FROM Users WHERE UserName = '" + TextBox11.Text + "' AND Password = '" + TextBox42.Text + "'";

"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
In reply to Mike Hankey's "If it ain't broke don't fix it!" (quoted above):

Alister Morton (#32):

If it ain't broke, fix it 'til it is.
In reply to Steve Raw's #23 (quoted in full above):

Alister Morton (#33):

I think

    var selectStatement = $"select * from Users where Username='{userName}' and Password='{passWord}'";

is perhaps more shudder inducing. Edit: aha, I see Richard beat me to that particular bit of nastiness.
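Dave's point in #29 (a query that compares the password inside the SQL only works when the column holds plain text) and the concatenated queries in #31 and #33 are the two defects a reviewer would flag. The example below is added here and is not code from the thread or from ASP.NET Core: it keeps the query shape from the posts as a string for contrast and shows the form a defender wants, assuming a Users table with UserName, PasswordHash, Salt and Iterations columns and an already-open ADO.NET DbConnection (both assumptions).

```csharp
using System.Data.Common;
using System.Security.Cryptography;
using System.Text;

// Added example; assumes a Users table (UserName, PasswordHash, Salt, Iterations)
// and an open DbConnection from any ADO.NET provider. Not code from the thread.
public static class PasswordAuth
{
    // The query shape from the posts above, kept only for contrast: user input becomes
    // part of the SQL text, so the query's structure depends on what the user typed,
    // and comparing Password in the WHERE clause means the column holds plain text.
    public static string UnsafeQueryFromThread(string userName, string password) =>
        "SELECT * FROM Users WHERE UserName = '" + userName + "' AND Password = '" + password + "'";

    // Defender's form: fixed SQL text with a typed parameter, and the password never
    // reaches the database. Only the stored hash comes back; verification happens here.
    public static bool Verify(DbConnection conn, string userName, string password)
    {
        using DbCommand cmd = conn.CreateCommand();
        cmd.CommandText =
            "SELECT PasswordHash, Salt, Iterations FROM Users WHERE UserName = @username";
        DbParameter p = cmd.CreateParameter();
        p.ParameterName = "@username";
        p.Value = userName;
        cmd.Parameters.Add(p);

        using DbDataReader reader = cmd.ExecuteReader();
        if (!reader.Read())
        {
            // Unknown account: spend the same PBKDF2 cost anyway so response time does
            // not reveal whether the user name exists. The result is discarded.
            Pbkdf2(password, DummySalt, DefaultIterations);
            return false;
        }

        byte[] storedHash = (byte[])reader["PasswordHash"];
        byte[] salt = (byte[])reader["Salt"];
        int iterations = reader.GetInt32(reader.GetOrdinal("Iterations"));

        byte[] computed = Pbkdf2(password, salt, iterations);
        // Constant-time compare: a mismatch in the first byte costs as much as one in the last.
        return CryptographicOperations.FixedTimeEquals(computed, storedHash);
    }

    // What registration writes to the table: a fresh random salt and the PBKDF2 output,
    // never the plain-text password.
    public static (byte[] Hash, byte[] Salt, int Iterations) HashForStorage(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        return (Pbkdf2(password, salt, DefaultIterations), salt, DefaultIterations);
    }

    // Work factor for PBKDF2-HMAC-SHA256; raise it as hardware allows.
    private const int DefaultIterations = 600_000;
    private static readonly byte[] DummySalt = new byte[16];

    private static byte[] Pbkdf2(string password, byte[] salt, int iterations) =>
        Rfc2898DeriveBytes.Pbkdf2(
            Encoding.UTF8.GetBytes(password), salt, iterations, HashAlgorithmName.SHA256, 32);
}
```

ASP.NET Core Identity's PasswordHasher<TUser> already does this salting, hashing and verification, which is the thread's argument for using the framework instead of writing it.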
In reply to Alister Morton's #32 (quoted above):

Mike Hankey (#34):

Last few days seems like it, I've struggled with most everything I've attempted to do.

A home without books is a body without soul. - Marcus Tullius Cicero | PartsBin, an Electronics Part Organizer - Release Version 1.4.0 (Many new features) | JaxCoder.com | Latest Article: EventAggregator
In reply to Richard Andrew x64's opening post (quoted in full above):

Chris Baker 2021 (#35):

You are definitely right, your IT director has no idea what he is talking about. I would be interested though in how secure (or what you are securing), this could reflect the level of security required. Your best bet is to explain how vulnerable not having good security will potentially make your data. Point out (as others have mentioned) how expensive it will be to implement your own security framework. Also, be aware that when this goes t**ts up, the person they're going to point the finger at is you, NOT the IT Director as you are the implementor, so be aware. It is worth noting that correct implementation of security in existing frameworks is NOT theory and someone with the title of IT Director should know this.

Now you could take a couple of directions:

1. Tell them if this is really what is required, then please accept my resignation.
2. Ask the IT Director how he proposes to implement such a security system. Explain how you would value his experience in creating/maintaining such systems in the past. If/when he says it's not his place to write code but yours, then explain that what he is suggesting is also theoretical and that you will be using a framework to implement the security safely as he has expressed (and clarified) it's you that writes the code, not him.

That might help.
In reply to Richard Andrew x64:

    Thank you! That's what I thought. Other people in the company have said to me that they think he's a bit of a charlatan. He is a big talker to upper management.

    The difficult we do right away... ...the impossible takes slightly longer.

Snorri Kristjansson (#36):

Maybe it's time to look for another job?
In reply to Richard Andrew x64's opening post (quoted in full above):

David Crow (#37):

Gather metrics to eliminate the "my opinion vs. your opinion" thing.

"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
In reply to Richard Andrew x64's opening post (quoted in full above):

BryanFazekas (#38):

I'll chime in -- your director is clueless. Based upon your comments, my guess is that he wants to be able to take credit for "leading the project" when applying for his next job after he FUBAR's this one.

Provide him with 2 estimates:

1. # hours required to implement the ASP.NET Core framework.
2. # hours required to implement a home-grown solution.

If estimate #2 is not at least 100 times the size of estimate #1, I'll be surprised. Never argue with idiots -- beat them about the head-and-shoulders with facts.
In reply to Richard Andrew x64's "Thank you! That's what I thought." post (quoted above):

Matt Bond (#39):

One way to manage up is to email him and his boss with your concerns, laid out with lots of details, risk analysis, cost/benefits, pros & cons of each approach. Then finish with your recommendation. It amounts to pretending that you had your boss's job and had to convince his boss which approach would be best for the company. If your boss's boss can see you doing a better job than your boss, maybe they'll fire him and give you a promotion! Of course, how effective this is (and whether or not it should even be done) depends on company culture, how much of an a** your bosses are, etc.

Bond | Keep all things as simple as possible, but no simpler. - said someone, somewhere
In reply to Matt Bond's #39 (quoted in full above):

Richard Andrew x64 (#40):

Hi Matt, I think this is a terrific idea, except that I don't know how breaking the chain of command might adversely affect my employment status.

The difficult we do right away... ...the impossible takes slightly longer.
In reply to Richard Andrew x64's #40 (quoted in full above):

Matt Bond (#41):

Well, just send it to your boss, CC your dev team. Then keep a back-up. At least you have it for CYA purposes when things go south.

Bond | Keep all things as simple as possible, but no simpler. - said someone, somewhere
In reply to Richard Andrew x64:

    Nothing coherent. Just a wave of the hand and being told that I was "only giving theory," as a reason to disregard what I was saying.

    The difficult we do right away... ...the impossible takes slightly longer.

Member 14860585 (#42):

Is he planning a red-team attack, to make sure it works?