by int0x2e 1184 days ago
I have worked on a project where we integrated with AAD for auth. One of our developers did things that looked fine - used the common ASP.NET middleware for AAD, configured it, used the latest version, set authorization policies on sensitive routes, etc. Then I did my own code review, and saw that they had passed "verify: false" in the options. When asked why, they said "I just copied this from StackOverflow and it worked...". This guy is not dumb BTW. It's just that security is easy to get wrong, especially if you don't know where the dragons are. We later had a full suite of positive and negative automatic tests, and had an independent pen test verify that things were done properly - but most small teams will never get those resources...
3 comments

We're celebrating that we've moved away from insecure languages with manual memory management to secure high level languages, sandboxes and whatnot, and the first thing we do is "yay coding got easier let's increase complexity by 1000x". At least sometimes I really feel like this, but probably just getting old.
I don't think it's as simple as that - we have higher level languages that protect us from trivial security issues like buffer overruns, but that's a net good. There is no advantage we would gain in security from rolling that back.

Instead, it gives us exposure to a new set of higher level security problems, that over time we will need to develop higher level primitives to navigate. We would still have these problems with lower level languages, we'd just be too overwhelmed with smaller issues to properly address them.

> "I just copied this from StackOverflow and it worked...". This guy is not dumb BTW.

These seem quite contradictory statements. Copying something from StackOverflow and using it in production code without making sure you fully understand what it does? And something like "verify: false" should be an instant red flag that you need to triple-check to make sure that’s really the correct thing to do for your use case.

Forget small teams. As a business owner buying solutions that integrate with AAD, how could you possibly be confident that the team you're buying from has done their due diligence wrt security?