When Security Guys Ask You About Authentication – This Is What They Actually Mean
When you scheduled for security review meeting be prepared for the above question. Security guys are concerned of Identity Theft/Spoofing Threat.
My suggestion is to go there prepared with the following question list thus saving lots of [time, money, fights, blames, threats, vulnerabilities, <<fill in your own>>]
How do your end users identify yourself?
- User and Password pairs
- Digital Certificates?
- Other?
How credentials sent over the wire (if any)?
- Clear text?
- Hashed?
- Over protected wire (SSL, IPSEC, etc)?
- Binary encoded?
How does your system authenticate your end users?
IT based
- Windows Integrated
- Digest
- Basic
- PKI
- Custom mechanisms (not the best choice)
How does your application manage credentials that it uses to authenticate itself with downstream servers?
- Hard coded (bad choice…)
- Clear text in config files (not the best one either)
- Encrypted in config files/registry (much better)
- Using process Identity (the best)
- Other?
How do your downstream servers (Web Services, Database, etc) authenticate incoming requests?
IT based
- Windows Integrated
- Digest
- Basic
- PKI
- Custom mechanisms (not the best choice)
- DB specific
How do you manage identities and its credentials?
- IT infrastructure based
- Custom store (not the best one..)
How do you flow identities over physical tiers?
- Infrastructure based (delegation for example, may hurt performance)
- 3rd party Solution
- WS-Security (SAML and co.)
- Custom (not the best choice)
How do you enforce credentials management policies?
- For passwords renewal
- For password complexity
How do you log suspicious authentication process activities?
More useful checklists here
Check out my previous post it has some simple yet solid proof of concept and suggest best practices
Happy New Year!!