
I started to work at a company whose software engineers tried to reinvent everything. They did not use (or know) industry standards, and for authentication they use their own custom solution. Their "solution" seems very insecure to me, but I cannot prove it to them.

Their single sign-on solution works like this. They have a web application (portal); everyone authenticates to the portal with a username and password. When they want to access the company's other web applications, they have to click URLs on the portal that point to the other web sites. The portal appends a query string to the URLs.

The query string includes secret data generated from the passwords that lie in a shared database. When the other web apps' login pages accept those query strings, they decrypt the secret data and compare it with the passwords in the database. If those values are equal, then the forwarded web application authenticates the user. They use their own authorization rules per application. They say that the produced links are only usable once and expire in 24 hours.

I think there are security vulnerabilities.

  1. They use reversible passwords that can be decrypted easily.
  2. The produced query string can easily be seen in the web history and can be reused if the user cannot connect the first time.
  3. I suspect they do not salt the secret value, so the secret data can probably be used again.

Are there any other apparent security vulnerabilities that I do not know about yet? I have to persuade them with exact threats.

Ahmet Arslan
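
The handoff the question describes can be contrasted with a token that carries no password material at all. The following is an added example, not the company's code or anything from the question: the portal signs a small set of claims (user, target app, issue and expiry time, random nonce) with a per-app HMAC key, and the target app verifies the signature, checks the audience and expiry, and records the nonce so the link works exactly once. The key distribution, the app names, the 60-second lifetime and the in-memory nonce store are assumptions made for the demonstration.

```python
"""Added example (not the company's code): a single-use, expiring,
HMAC-signed SSO handoff token that carries no password material.
Key handling, app names, the 60-second lifetime and the in-memory nonce
store are assumptions made for the demonstration."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: one secret per target app, shared with the portal out of band,
# so a key leaked from one app cannot forge logins to another.
APP_KEYS: Dict[str, bytes] = {"crm": secrets.token_bytes(32), "hr": secrets.token_bytes(32)}

# The user clicks the link immediately, so the window is seconds, not 24 hours.
LIFETIME_SECONDS = 60


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_handoff_link(user: str, app: str, base_url: str, now: Optional[float] = None) -> str:
    """Portal side: sign {user, target app, issue/expiry time, nonce} and put it in the URL."""
    now = time.time() if now is None else now
    claims = {
        "sub": user,                   # who the portal authenticated
        "aud": app,                    # which app may accept the token
        "iat": int(now),
        "exp": int(now) + LIFETIME_SECONDS,
        "jti": secrets.token_hex(16),  # random nonce: every link is unique and single-use
    }
    payload = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(APP_KEYS[app], payload.encode(), hashlib.sha256).digest()
    return f"{base_url}?{urlencode({'sso': payload + '.' + _b64e(sig)})}"


class HandoffVerifier:
    """App side: check signature, audience and expiry, then burn the nonce."""

    def __init__(self, app: str) -> None:
        self.app = app
        self._used: Dict[str, int] = {}  # jti -> exp; in production use a shared store

    def verify(self, url: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = parse_qs(urlparse(url).query).get("sso", [""])[0]
        if "." not in token:
            raise ValueError("missing token")
        payload, sig_b64 = token.rsplit(".", 1)
        expected = hmac.new(APP_KEYS[self.app], payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig_b64)):
            raise ValueError("bad signature")   # tampered, or signed for another app
        claims = json.loads(_b64d(payload))
        if claims.get("aud") != self.app:
            raise ValueError("wrong audience")
        if now >= claims["exp"]:
            raise ValueError("expired")
        self._used = {j: e for j, e in self._used.items() if e > now}  # prune dead nonces
        if claims["jti"] in self._used:
            raise ValueError("replayed")         # e.g. the link taken from browser history
        self._used[claims["jti"]] = claims["exp"]
        return claims["sub"]


def _attempt(verifier: HandoffVerifier, url: str, now: float) -> str:
    try:
        return verifier.verify(url, now=now)
    except ValueError as err:
        return str(err)


def demo() -> Dict[str, str]:
    """Constructed walk-through: one valid use, then the misuse cases the question raises."""
    t0 = 1_700_000_000
    link = issue_handoff_link("ahmet", "crm", "https://crm.example/login", now=t0)
    crm = HandoffVerifier("crm")
    tampered = link.replace("sso=e", "sso=f", 1)  # flips bits in the first payload byte
    return {
        "first_use": _attempt(crm, link, t0 + 5),
        "replay": _attempt(crm, link, t0 + 6),
        "wrong_app": _attempt(HandoffVerifier("hr"), link, t0 + 6),
        "tampered": _attempt(crm, tampered, t0 + 6),
        "expired": _attempt(HandoffVerifier("crm"), link, t0 + LIFETIME_SECONDS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result}")
```

Two points matter when comparing this with the scheme in the question. First, the token is a signed assertion about an already completed login, so nothing in the URL can be decrypted back into a password, and a copy found in browser history is rejected as replayed once the nonce has been consumed. Second, the "single use" and "expiry" properties are enforced by the receiving app (nonce store plus `exp` check), not merely promised by the issuer; a production deployment would keep the consumed-nonce table in the shared database rather than in process memory so that every instance of an app sees it.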

1 Answer


I started to work on a company whose software engineers tried to reinvent everything

Does this mean they are not using frameworks, coding standards, policies, procedures at all? How do you know this? What is your position in this?

They did not use(or know) industry standards and for authentication

What do you mean by this?

  • protocol (LDAP, SAML, etc)?
  • framework (PHP: CodeIgniter, NodeJS, etc)?
  • libraries? (JQuery, etc)
  • coding guidelines (CamelCase variables, etc)?
  • philosophy (KISS, etc)?

Are they even interested in security? Is the data in the application valuable or worth protecting?

I think there are security vulnerabilities

There may be.

But maturing development processes will get more bang for the buck, accelerate productivity, and as a by-product catch vulnerabilities and bugs as everyone synchronises into 'doing the same thing' together.

Maturing processes can take time and a roadmap.

grimthaw
  • I am new to this company; they do not know LDAP, SAML, layered architecture, they do not even log, etc. Funny, but they have to restart the DB server sometimes because they starve the SQL Server of connections. I am trying to change everything; it is a process, and I want help on security first. – Ahmet Arslan Dec 20 '18 at 09:41
  • Security itself is based on the listed things. By auditing what is being done by everyone, then standardising it, you'd be making the first step. Simply pointing out that everyone is doing everything differently and making everyone do it the same way, thereby reducing rework, saving money and reducing mistakes, would save X$ and Y mistakes, creates security and $$$. Getting some investment going. Little steps. – grimthaw Jan 08 '19 at 00:15