Roll your own...
-
One way to manage up is to email him and his boss with your concerns, laid out with lots of details, risk analysis, cost/benefits, pros & cons of each approach. Then finish with your recommendation. It amounts to pretending that you had your boss's job and had to convince his boss which approach would be best for the company. If your boss's boss can see you doing a better job than your boss, maybe they'll fire him and give you a promotion! Of course, how effective this is (and whether or not it should even be done) depends on company culture, how much of an a** your bosses are, etc.
Bond Keep all things as simple as possible, but no simpler. -said someone, somewhere
Hi Matt, I think this is a terrific idea, except that I don't know how breaking the chain of command might adversely affect my employment status.
The difficult we do right away... ...the impossible takes slightly longer.
-
Hi Matt, I think this is a terrific idea, except that I don't know how breaking the chain of command might adversely affect my employment status.
The difficult we do right away... ...the impossible takes slightly longer.
-
Nothing coherent. Just a wave of the hand and being told that I was "only giving theory," as a reason to disregard what I was saying.
The difficult we do right away... ...the impossible takes slightly longer.
Is he planning a red-team attack, to make sure it works?
-
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away... ...the impossible takes slightly longer.
Writing your own access and encryption security algorithms from the ground up, requires a level of mathematics and security experience not usually found at most companies. However, extending existing security services/systems like OAuth2, Azure Active Directory (or whatever the current name is), Azure Front Door, etc. with additional steps to weed out unwanted access, is a good idea if you can identify specific areas of attack not already in those tools. Plus, from a business and liability view, using a third party access control system reduces overall cost, and shifts potential liability of a breach to that third party (e.g. Microsoft).
-
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away... ...the impossible takes slightly longer.
This appears to be part of a classic kick-back scam, which is quite common among technical managers. If you see a new contractor come in the door to assist you in this project or your manager recommends an expensive software tool to assist you in this work, then there it is...
Steve Naidamast Sr. Software Engineer Black Falcon Software, Inc. blackfalconsoftware@outlook.com
-
Like putting a Big Mac in your own wrapper and telling your boss you made it yourself.
-
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away... ...the impossible takes slightly longer.
Seems like a pretty bad idea to me. But I had a .Net application that was working well, and Microsoft updated some security aspect and broke it. Really not appreciated. Maybe do both? - Owen -
-
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away... ...the impossible takes slightly longer.
The only place I can think of where this would be a sensible approach, would be where it was more important that you got experience with the protocols, standards and how it all works, than it was to deliver a complete and functioning product without security issues. Paraphrasing from Bruce Schneier, Given sufficient effort, everyone is smart enough to develop a product that they cannot find fault with. Is there a more serious implementation a little further off where this might be a training opportunity?
-
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away... ...the impossible takes slightly longer.
[Authentication - OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/cheatsheets/Authentication\_Cheat\_Sheet.html) If you do roll your own, this offers some high level considerations…
-
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away... ...the impossible takes slightly longer.
