> On 1/14/09, Doug Smidt <[email protected]> wrote:
> > The small company I work for has been discussing different options to beef
> > up our authentication. Currently, we're just an old fashioned enter
> > username/password, check user table, login if credentials match system.
If you're large enough (or rich enough) to afford it (and since you admit that you're not a security expert) you could do worse than a vetted off-the-shelf solution. We use SiteMinder from CA... I'm not sure if I'd actually recommend it but I'll definitely say that it provides better security than any home-grown solution.

CWE/SANS just recently came out with their "Top 25 Programming Errors": http://cwe.mitre.org/top25/ This list is weighted heavily toward web applications and security: you could do a lot worse than looking at this list and attempting to ensure that all of these, at least, are covered. One main one I would add to that list is the inability to prevent Login Floods (brute force dictionary or rainbow attacks are almost ludicrously easy if the site allows for unlimited, unthrottled logins per ID).

One blog I've found invaluable is Coding Horror (http://www.codinghorror.com/blog/) - in fact his most recent entry covers the list above. Scan through the entries: he OFTEN covers security topics (in addition to human factors, management and general programming). The entries are generally more philosophical than technical: more than anything else they point your brain in the right direction.

Also you should feel free to post specific implementation details here and discuss. Any implementation details you feel like you can't discuss should be carefully considered: that's almost always a sign of "security through obfuscation" and a gaping hole in your system. ;^)

Lastly (just as an example, not an epitome) I've posted the core CFC code for my security system (written for CF 6+) here (look to the bottom, security - download links are at the top): http://www.depressedpress.com/Content/Development/ColdFusion/DPLibraries/Index.cfm I'm afraid it's not documented very well (even after 5 years) but it still works well and, I think, is based upon sound security and performance practices.
It's also designed to be easily layered into existing sites and easily enhanced/extended. It's all open source under the (very liberal) BSD license so have at it. In any case it might give you some ideas.

Jim Davis

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317989
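The "Login Flood" point in the reply above, worked through as an added example (not code from the message or from the DPLibraries CFCs it links, and language-agnostic logic rather than CFML): a per-user-ID failure counter over a sliding window that locks the ID after too many bad passwords, with the clock injectable so the behaviour can be checked offline. The threshold, window and lockout values are illustrative assumptions.

```python
import time
from collections import deque


class LoginThrottle:
    """Per-ID sliding-window failure counter with lockout. Keyed on the user
    ID, not the client IP: an attacker can rotate addresses, and one NAT
    address can serve many legitimate users."""

    def __init__(self, max_failures=5, window=300, lockout=900,
                 clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock          # injectable so tests can advance time
        self._failures = {}         # user_id -> deque of failure times
        self._locked_until = {}     # user_id -> time the lock expires

    def is_locked(self, user_id):
        until = self._locked_until.get(user_id)
        if until is not None and self.clock() < until:
            return True
        self._locked_until.pop(user_id, None)   # no lock, or it expired
        return False

    def record_failure(self, user_id):
        """Call after a bad password; returns True if the ID just got locked."""
        now = self.clock()
        q = self._failures.setdefault(user_id, deque())
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        q.append(now)
        if len(q) < self.max_failures:
            return False
        self._locked_until[user_id] = now + self.lockout
        q.clear()
        return True

    def record_success(self, user_id):
        self._failures.pop(user_id, None)


def attempt_login(throttle, user_id, password, check_password):
    """Gate the credential check behind the throttle. A locked ID gets the same
    generic failure as a bad password, so the response reveals neither."""
    if throttle.is_locked(user_id):
        return False
    if check_password(user_id, password):
        throttle.record_success(user_id)
        return True
    throttle.record_failure(user_id)
    return False
```

Audit logging of lockouts belongs alongside this so that a flood against one ID is visible in operations, not just silently absorbed.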

