Roll your own...
-
So he wants to use this gem?
SELECT * FROM Users WHERE UserName=@username AND Password=@password
There's a reason why there are so few secure authentication frameworks. Security is very difficult to get right. No offense to you or your team, but the chances your team is going to come up with something that doesn't have more security holes in it than an established framework is close to zero. Your new Director is showing massive inexperience with a single demand. Where did this person come from and are they still in business?
Asking questions is a skill CodeProject Forum Guidelines Google: C# How to debug code Seriously, go read these articles. Dave Kreskowiak
He'd probably reject that because he read the headline of an article on LinkedOut that said that parameters are evil and should be avoided at all costs! :laugh:
string query = "SELECT * FROM Users WHERE UserName = '" + TextBox11.Text + "' AND Password = '" + TextBox42.Text + "'";
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
If it ain't broke don't fix it!
A home without books is a body without soul. Marcus Tullius Cicero PartsBin an Electronics Part Organizer - Release Version 1.4.0 (Many new features) JaxCoder.com Latest Article: EventAggregator
If it ain't broke, fix it 'til it is.
-
Dave Kreskowiak wrote:
So he wants to use this gem? SQL SELECT * FROM Users WHERE UserName=@username AND Password=@password
That's the most disturbing thing I have yet to encounter today. **shudders**
I think var selectStatement = $"select * from Users where Username='{userName}' and Password='{passWord}' Is perhaps more shudder inducing. Edit: aha, I see Richard beat me to that particular bit of nastiness.
-
If it ain't broke, fix it 'til it is.
Last few days seems like it, I've struggled with most everything I've attempted to do.
A home without books is a body without soul. Marcus Tullius Cicero PartsBin an Electronics Part Organizer - Release Version 1.4.0 (Many new features) JaxCoder.com Latest Article: EventAggregator
-
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away... ...the impossible takes slightly longer.
You are definitely right, your IT director has no idea what he is talking about. I would be interested though in how secure (or what you are securing), this could reflect the level of security required. Your best bet is to explain how vulnerable not having good security will potentially make your data. Point out (as others have mentioned) how expensive it will be to implement your own security framework. Also, be aware that when this goes t**ts up, the person they're going to point the finger at is you, NOT the IT Director as you are the implementor, so be aware. It is work noting that correct implementation of security in existing frameworks is NOT theory and someone with the title of IT Director should know this. Now you could take a couple of directions: 1. Tell them if this is really what is required, then please accept my resignation. 2. Ask the IT Director how he proposes to implement such a security system. Explain how you would value his experience in creating/maintaining such systems in the past. If/when he says it's not his place to write code but yours, then explain that what he is suggesting is also theoretical and that you will be using a framework to implement the security safely as he has expressed (and clarified) it's you that writes the code, not him. That might help.
-
Thank you! That's what I thought. Other people in the company have said to me that they think he's a bit of a charlatan. He is a big talker to upper management.
The difficult we do right away... ...the impossible takes slightly longer.
Maybe it's time to look for another job?
-
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away... ...the impossible takes slightly longer.
Gather metrics to eliminate the "my opinion vs. your opinion" thing.
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
-
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away... ...the impossible takes slightly longer.
I'll chime in -- your director is clueless. Based upon your comments, my guess is that he wants to be able to take credit for "leading the project" when applying for his next job after he FUBAR's this one. Provide him with 2 estimates: 1. # hours required to implement the ASP.NET Core framework. 2. # hours required to implement a home-grown solution. If estimate #2 is not at least 100 times the size of estimate #1, I'll be surprised. Never argue with idiots -- beat them about the head-and-shoulders with facts.
-
Thank you! That's what I thought. Other people in the company have said to me that they think he's a bit of a charlatan. He is a big talker to upper management.
The difficult we do right away... ...the impossible takes slightly longer.
One way to manage up is to email him and his boss with your concerns, laid out with lots of details, risk analysis, cost/benefits, pros & cons of each approach. Then finish with your recommendation. It amounts to pretending that you had your boss's job and had to convince his boss which approach would be best for the company. If your boss's boss can see you doing a better job than your boss, maybe they'll fire him and give you a promotion! Of course, how effective this is (and whether or not it should even be done) depends on company culture, how much of an a** your bosses are, etc.
Bond Keep all things as simple as possible, but no simpler. -said someone, somewhere
-
One way to manage up is to email him and his boss with your concerns, laid out with lots of details, risk analysis, cost/benefits, pros & cons of each approach. Then finish with your recommendation. It amounts to pretending that you had your boss's job and had to convince his boss which approach would be best for the company. If your boss's boss can see you doing a better job than your boss, maybe they'll fire him and give you a promotion! Of course, how effective this is (and whether or not it should even be done) depends on company culture, how much of an a** your bosses are, etc.
Bond Keep all things as simple as possible, but no simpler. -said someone, somewhere
Hi Matt, I think this is a terrific idea, except that I don't know how breaking the chain of command might adversely affect my employment status.
The difficult we do right away... ...the impossible takes slightly longer.
-
Hi Matt, I think this is a terrific idea, except that I don't know how breaking the chain of command might adversely affect my employment status.
The difficult we do right away... ...the impossible takes slightly longer.
-
Nothing coherent. Just a wave of the hand and being told that I was "only giving theory," as a reason to disregard what I was saying.
The difficult we do right away... ...the impossible takes slightly longer.
Is he planning a red-team attack, to make sure it works?
-
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away... ...the impossible takes slightly longer.
Writing your own access and encryption security algorithms from the ground up, requires a level of mathematics and security experience not usually found at most companies. However, extending existing security services/systems like OAuth2, Azure Active Directory (or whatever the current name is), Azure Front Door, etc. with additional steps to weed out unwanted access, is a good idea if you can identify specific areas of attack not already in those tools. Plus, from a business and liability view, using a third party access control system reduces overall cost, and shifts potential liability of a breach to that third party (e.g. Microsoft).
-
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away... ...the impossible takes slightly longer.
This appears to be part of a classic kick-back scam, which is quite common among technical managers. If you see a new contractor come in the door to assist you in this project or your manager recommends an expensive software tool to assist you in this work, then there it is...
Steve Naidamast Sr. Software Engineer Black Falcon Software, Inc. blackfalconsoftware@outlook.com
-
Like putting a Big Mac in your own wrapper and telling your boss you made it yourself.
-
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away... ...the impossible takes slightly longer.
Seems like a pretty bad idea to me. But I had a .Net application that was working well, and Microsoft updated some security aspect and broke it. Really not appreciated. Maybe do both? - Owen -
-
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away... ...the impossible takes slightly longer.
The only place I can think of where this would be a sensible approach, would be where it was more important that you got experience with the protocols, standards and how it all works, than it was to deliver a complete and functioning product without security issues. Paraphrasing from Bruce Schneier, Given sufficient effort, everyone is smart enough to develop a product that they cannot find fault with. Is there a more serious implementation a little further off where this might be a training opportunity?
-
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away... ...the impossible takes slightly longer.
[Authentication - OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/cheatsheets/Authentication\_Cheat\_Sheet.html) If you do roll your own, this offers some high level considerations…
-
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away... ...the impossible takes slightly longer.
