|
Nothing coherent. Just a wave of the hand and being told that I was "only giving theory," as a reason to disregard what I was saying.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Is he planning a red-team attack, to make sure it works?
|
|
|
|
|
If it ain't broke don't fix it!
A home without books is a body without soul. Marcus Tullius Cicero
PartsBin an Electronics Part Organizer - Release Version 1.4.0 (Many new features) JaxCoder.com
Latest Article: EventAggregator
|
|
|
|
|
Mike Hankey wrote:
If it ain't broke don't fix it!
I usually end up with " If it's fixed, break it, then fix it differently and pat myself on the back for a good job well done!
CQ de W5ALT
Walt Fair, Jr.PhD P. E.
Comport Computing
Specializing in Technical Engineering Software
|
|
|
|
|
I hear ya!
A home without books is a body without soul. Marcus Tullius Cicero
PartsBin an Electronics Part Organizer - Release Version 1.4.0 (Many new features) JaxCoder.com
Latest Article: EventAggregator
|
|
|
|
|
If it ain't broke, fix it 'til it is.
|
|
|
|
|
Last few days seems like it, I've struggled with most everything I've attempted to do.
A home without books is a body without soul. Marcus Tullius Cicero
PartsBin an Electronics Part Organizer - Release Version 1.4.0 (Many new features) JaxCoder.com
Latest Article: EventAggregator
|
|
|
|
|
Forget security holes, what about security compliance and/or 3rd party audits? Depending on your client requirements, the effort needed to confirm compliance may make roll-your-own security a non-starter. For example, you may need to provide an auditing body a copy of your code, and re-submit for every code change that's made, at whatever that cost is to you (or your client) may be prohibitive. Particularly if the auditing body is slow, and you need to get changes out quickly.
For security issues, I'd always want to go with a tried-and-true solution, rather than trying to roll my own. I'm not going to try to write my own SSL or AES implementation when there's off the shelf packages that do that. I can have reasonable expectations that 1) they're relative bug free, 2) any bugs or exploits will be addressed in a timely manner and 3) they have an established base of users that give feedback on 1 and 2.
Additionally, with roll-your-own, you'll have to dedicate some resources to maintain that portion of your product, which may include maintaining compliance with changing standards. Is your development department deep enough to handle that?
"A little song, a little dance, a little seltzer down your pants"
Chuckles the clown
|
|
|
|
|
This is a great explanation of other reasons to go with the framework!
Our development team consists of me, one other guy and a summer intern. I think we're in trouble.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
May the force be with you, buddy. 
Jeremy Falcon
|
|
|
|
|
Roll your own by layering it atop the other?
|
|
|
|
|
No, not atop the framework. Completely disregarding the framework.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Yes, but I mean, layer it atop and say you rolled your own.
|
|
|
|
|
I don't follow your clarification.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Like putting a Big Mac in your own wrapper and telling your boss you made it yourself.
|
|
|
|
|
Like the vegan donut place that was selling donuts from another store.
|
|
|
|
|
So he wants to use this gem?
SELECT * FROM Users WHERE UserName=@username AND Password=@password
There's a reason why there are so few secure authentication frameworks. Security is very difficult to get right. No offense to you or your team, but the chances your team is going to come up with something that doesn't have more security holes in it than an established framework is close to zero.
Your new Director is showing massive inexperience with a single demand. Where did this person come from and are they still in business?
|
|
|
|
|
Thank you! That's what I thought.
Other people in the company have said to me that they think he's a bit of a charlatan. He is a big talker to upper management.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
When it came to the website that drives my team processes, we just went with Windows Auth. No login page and no user management on our part, and it's about as secure as you can get with minimal effort. HR takes care of the AD accounts and users can request security group membership on their own, and we approve/deny any requests to the groups the site uses.
All group memberships are looked at for what you can see/do. If you're not in any groups, you get read-only access to a limited portion of the site.
About the only thing we do as far as users is the site allows you to create a user profile where you get to set a bunch of defaults, like landing pages, default view tabs, email notification subscriptions, color theme, font size, and a bunch of other stuff.
|
|
|
|
|
Maybe it's time to look for another job?
|
|
|
|
|
One way to manage up is to email him and his boss with your concerns, laid out with lots of details, risk analysis, cost/benefits, pros & cons of each approach. Then finish with your recommendation. It amounts to pretending that you had your boss's job and had to convince his boss which approach would be best for the company. If your boss's boss can see you doing a better job than your boss, maybe they'll fire him and give you a promotion!
Of course, how effective this is (and whether or not it should even be done) depends on company culture, how much of an a** your bosses are, etc.
Bond
Keep all things as simple as possible, but no simpler. -said someone, somewhere
|
|
|
|
|
Hi Matt, I think this is a terrific idea, except that I don't know how breaking the chain of command might adversely affect my employment status.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Well, just send it to your boss, CC your dev team. Then keep a back-up. At least you have it for CYA purposes when things go south.
Bond
Keep all things as simple as possible, but no simpler. -said someone, somewhere
|
|
|
|
|
Dave Kreskowiak wrote: So he wants to use this gem?
SQL
SELECT * FROM Users WHERE UserName=@username AND Password=@password
That's the most disturbing thing I have yet to encounter today. **shudders**
|
|
|
|
|
I think
var selectStatement = $"select * from Users where Username='{userName}' and Password='{passWord}'
Is perhaps more shudder inducing.
Edit: aha, I see Richard beat me to that particular bit of nastiness.
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
