Allen Stewart's Blog

Service Oriented Infrastructure - Virtualization - Virtual Machine Management - DSI - SDM

Application Security

It never ceases to amaze me that, with all of the authentication and authorization options available, developers continue to roll their own application security. I would have thought that the days of passing encrypted strings back to a database would be over, replaced with Kerberos and constrained delegation. The ability to maintain a user's identity from the presentation layer down to the database row/table sounds to me like a great forensics tool for security folks. My application architect friends tell me there are too many trade-offs in doing this, like the loss of connection pooling at the database layer (which slows performance). In this scenario all connections to the database are made under an application user account. While there has to be a fine line between security and performance, I sometimes wonder if the majority of roll-your-own application security ever gets a deep security review of the application code. Anyone have any thoughts on this? It would be interesting to hear both sides, security folks and application architects.


Allen

Published Tuesday, February 22, 2005 7:22 AM by allenstew

Comments


Spence said:

Whilst it is true that the impersonation/delegation model has connection pooling and licensing drawbacks, this by no means implies a trusted subsystem model using roll-your-own authN/Z is a good bet!

Trusted subsystem can (easily) be achieved using Windows Authentication, and a well designed application architecture will take security auditing requirements into account.

IMO, distributed application architectures should be geared towards the so called 'business layer' making authorisation decisions not the backend database.

Bottom line: there is no valid excuse for rolling your own AuthN/Z, (or for that matter passing db connection creds over the wire in plain text or ssl/ipsec!) Any professional appsec review of roll your own AuthN/Z mechanisms should highlight these risks.
February 22, 2005 8:44 AM
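As an added illustration (not code from the post or from any commenter), here is a language-neutral sketch in Python of the trusted-subsystem pattern Spence describes, written to address the forensics concern in the original post: the database only ever sees the pooled application account, the business layer makes the authorization decision on the authenticated caller, and every action is recorded against that caller so the end-user identity survives without per-user database connections. The principal names, the role mapping and the invoice schema are constructed for the example.

```python
import sqlite3

# Constructed stand-ins for Windows/Kerberos principals and their group memberships.
ROLES = {"CORP\\alice": {"AccountsPayable"}, "CORP\\bob": {"ReadOnly"}}
# The only identity the database ever sees (trusted subsystem, pooled connections).
APP_ACCOUNT = "CORP\\svc-payapp"


class TrustedSubsystem:
    def __init__(self):
        # One shared in-memory connection stands in for the application-account pool.
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE invoice(id INTEGER PRIMARY KEY, amount REAL, approved INTEGER DEFAULT 0);
            CREATE TABLE audit(id INTEGER PRIMARY KEY, db_login TEXT, end_user TEXT,
                               action TEXT, invoice_id INTEGER);
            INSERT INTO invoice(amount) VALUES (1200.0);
        """)

    def _record(self, caller, action, invoice_id):
        # Every action carries both identities: the DB login (always the app account)
        # and the authenticated end user, which is what an investigator needs later.
        self.db.execute(
            "INSERT INTO audit(db_login, end_user, action, invoice_id) VALUES (?, ?, ?, ?)",
            (APP_ACCOUNT, caller, action, invoice_id))

    def approve_invoice(self, caller, invoice_id):
        # Authorization is decided here, in the business layer, on the caller's identity;
        # the database cannot make this decision because it only knows APP_ACCOUNT.
        with self.db:  # commits on normal exit, rolls back on error
            if "AccountsPayable" not in ROLES.get(caller, set()):
                self._record(caller, "DENIED approve", invoice_id)  # denials are evidence too
                return False
            self.db.execute("UPDATE invoice SET approved = 1 WHERE id = ?", (invoice_id,))
            self._record(caller, "approve", invoice_id)
            return True

    def is_approved(self, invoice_id):
        row = self.db.execute("SELECT approved FROM invoice WHERE id = ?", (invoice_id,)).fetchone()
        return bool(row and row[0])

    def audit_trail(self):
        return self.db.execute(
            "SELECT db_login, end_user, action, invoice_id FROM audit ORDER BY id").fetchall()


if __name__ == "__main__":
    app = TrustedSubsystem()
    app.approve_invoice("CORP\\bob", 1)    # denied, but still attributed to bob
    app.approve_invoice("CORP\\alice", 1)  # allowed
    for row in app.audit_trail():
        print(row)
```

The audit rows are what a database-level trace cannot give you under this model: the DB login column is the same application account on every row, while the end-user column still names the person who acted.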

Allen Stewart said:

Spence, thanks for the post. I agree with you 100%, but for some reason (lack of application security education) the same old security approaches keep getting used.
On the Windows authentication approach, I battle with security engineering folks all of the time. They want the trusted subsystem benefits but always want to leverage another authentication approach that is non-Windows-based. It comes down to them just not feeling comfortable using Windows Authentication, but they have no problem deploying a web SSO product with shaky security.

I will not rant, but I have been in too many of those technical battles with security engineering folks.

Allen
February 22, 2005 9:06 AM

Dennis Forbes said:

I worked at one firm, this was in the pre-AD days though we achieved the same effect with Basic authentication, where our systems were geared for very vertical markets, where high value systems would serve just a couple of users.

Nonetheless the AA of the day insisted that we not delegate the calling user past the presentation because of "scalability" issues (making a vague reference to the connection pooling issue). This for a system that didn't have a hope in hell of having more than a couple of users at a time at the best of times.

There is little rationale in most supposedly technical decisions - everyone is pretending they are building amazon.com regardless of how ridiculously wrong that target is for their customers.
February 22, 2005 9:16 AM

Allen Stewart said:

Dennis, another great point. I seem to have sparked a soft point for some security folks.
I think the new web services world adds some interesting stuff to the mix: federation, web services security (WS-Security), extending applications outside of the firewall and the deployment of PKI for application usage.

What a time to be a security person.

Allen
February 22, 2005 9:26 AM

Mike Shaffer said:

I thought your statement "They want the trusted subsystem benefits but always want to leverage another authentication approach that is non Windows based." was dead on. I constantly struggle with this. We're in a mixed environment, but the primary NOS is Windows. Yet we step all over ourselves to build these crazy home grown security systems and now we're doing web service based security authentication...seems like a step backwards for a multi-billion dollar financial institution.
February 22, 2005 9:55 AM

Allen Stewart said:

Mike, I agree we are just all over the place with Authn/Authz approaches in large firms.

I have had some success in getting customers to use Active Directory for Authn/Authz for Unix/Linux environments, moving them off of NIS/NIS+ to Kerberos and Active Directory.

Even then most shops do not think that Active Directory does standard Kerberos and can interop well.

So in addition to the AD DCs they deployed, they were off to deploy OpenLDAP for Kerberos support for Unix/Linux servers when they already had a Kerberos environment in place.

Question: who is driving the choice of security systems in most companies, Application Architects, Infrastructure Architects or Security Engineering?

Allen
February 22, 2005 10:10 AM

Allen Stewart said:

I would recommend that anyone interested in Web Services Security and federation read the following book:

Web Services Architecture and Its Specifications, ISBN 0-7356-2162-4

Allen
February 26, 2005 10:08 AM