Security

From MgmtWiki
Jump to: navigation, search

Full Title or Meme

For the purposes of Identity Management Security applies to authorizing access only to the legitimately identified user and protection of User Private Information.

Context

  • Security in computer science covers a broad range of topics, like Availability that are not addressed in this wiki.
  • While some security experts might feel that, in theory, Privacy is a part of security. In practice security and privacy are often at odds and need to be addressed as separate issues by separate sets of proponents.

Problem

  • Security is not a feature of the internet, it is an add-on. Even current development activity, like OAuth 2.0 and OpenID Connect are successful, not because they are secure, but because developers like the freedom they offer. For details on that see the page Bearer Tokens Considered Harmful.
  • Study Shows Programmers Will Take the Easy Way Out and Not Implement Proper Password Security. (2019-03-09) "Researchers at the University of Bonn in Germany have found that developers tend to write code that stores user passwords in an unsafe manner, because that is easier than creating a more secure product. The researchers conducted an experiment involving 43 programmers hired via the Freelancer.com platform, and found that developers need to be explicitly told to write code that stores passwords in a safe, secure manner. The researchers asked the participants to use technologies such as Java, JSF, Hibernate, and PostgreSQL to create the user registration component of a website. Only 15 of the 43 developers chose to implement salting, a process through which the encrypted password stored inside an application's database is made harder to crack with the addition of a random data factor. In addition, 17 of the 43 developers copied their code from Internet sites, suggesting freelancers did not have the Researchers at the University of Bonn in Germany have found that developers tend to write code that stores user passwords in an unsafe manner, because that is easier than creating a more secure product. The researchers conducted an experiment involving 43 programmers hired via the Freelancer.com platform, and found that developers need to be explicitly told to write code that stores passwords in a safe, secure manner. The researchers asked the participants to use technologies such as Java, JSF, Hibernate, and PostgreSQL to create the user registration component of a website. Only 15 of the 43 developers chose to implement salting, a process through which the encrypted password stored inside an application's database is made harder to crack with the addition of a random data factor. In addition, 17 of the 43 developers copied their code from Internet sites, suggesting freelancers did not have the necessary skills to develop a secure system from scratch."
  • The above quote is far too optimistic. The number of programmers with the "necessary skills to develop a secure system from scratch" is exceedingly small. The average programmer needs to start with a solution architecture that fully encompasses the necessary security.

Solutions

  • It isn't that security is all that hard; the problem is that programmers are paid to deliver solutions on time. Since there is never enough time, there will never be any impetus for a programmer to deliver a secure solution. They deliver solutions that let them get home in time for dinner.
  • The only security solution that works in a capitalist society is to convince the CEO that they will suffer if the product is not secure. See the wiki page on Conduct Risk.

References