Category Archives: Security

Passwords, Password Storage And Password Management

There’s no shortage of news about companies that are being hacked and having usernames and passwords stolen these days, the latest of which is Tuts+ Premium. Now I’m not one for blaming companies that get hacked. That happens. We do …

Also posted in Tools and Vendors | 15 Comments

Modularity And Security In Composite JavaScript Apps

In one of my current apps for a client, I have an activity based security system that determines what the user is allowed to do. The trick to this system is that all of the authorization checks happen on the …

Also posted in Backbone, Composite Apps, Javascript, Marionette | 14 Comments

Don’t Do Role-Based Authorization Checks; Do Activity-Based Checks

I’ve built a few dozen security mechanisms in my career. Unfortunately, I kept getting it wrong, hence the need to keep building them. Over the years, though, I learned a number of different ways that a security system can be …

Also posted in .NET, Analysis and Design, AntiPatterns, C#, Model-View-Controller, Rails, Ruby | 51 Comments
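The two posts above both rest on the same idea: every call site asks "may this user perform this activity?" and only one central policy knows which roles grant which activities. The following plain Ruby block is an added example written for this archive page; it is not code from either post, and the role names, activity names, `User` struct and `ActivityPolicy` class are assumptions made for illustration. It contrasts an activity-based guard with a role-based check to show why adding a new role only touches the policy in the first case.

```ruby
require 'set'

# Constructed for the example: a user carries a name and a list of role symbols.
User = Struct.new(:name, :roles)

class NotAuthorized < StandardError; end

# The only place in the application that knows which roles exist and which
# activities each role grants. Every other part of the app asks about activities.
class ActivityPolicy
  def initialize(role_activities = {})
    @role_activities = {}
    role_activities.each { |role, acts| grant(role, *acts) }
  end

  # Grant a role permission to perform one or more activities.
  def grant(role, *activities)
    (@role_activities[role] ||= Set.new).merge(activities)
    self
  end

  # All activities a user may perform: the union over the user's roles.
  # Unknown roles contribute nothing rather than raising.
  def activities_for(user)
    user.roles.reduce(Set.new) { |acc, role| acc | @role_activities.fetch(role, Set.new) }
  end

  # The single authorization question the rest of the app asks.
  def can?(user, activity)
    activities_for(user).include?(activity)
  end

  # Guard for the top of an action: fail closed with an exception.
  def authorize!(user, activity)
    raise NotAuthorized, "#{user.name} may not #{activity}" unless can?(user, activity)
    true
  end
end

# Sample policy with constructed roles and activities.
def sample_policy
  ActivityPolicy.new(
    admin:   %i[view_report edit_report delete_report manage_users],
    manager: %i[view_report edit_report],
    clerk:   %i[view_report]
  )
end

# An action guarded by an activity check. It never mentions a role, so it
# keeps working when roles are added or renamed in the policy.
def view_report(policy, user, report_name)
  policy.authorize!(user, :view_report)
  "#{user.name} viewed #{report_name}"
end

# Anti-pattern kept for contrast: a role-based check hard-codes role names at
# the call site. Giving a new role (say :auditor) access to reports means
# finding and editing every check written like this one.
def role_based_can_view_report?(user)
  user.roles.include?(:admin) || user.roles.include?(:manager) || user.roles.include?(:clerk)
end

if __FILE__ == $PROGRAM_NAME
  policy  = sample_policy
  auditor = User.new('al', [:auditor])
  policy.grant(:auditor, :view_report)            # one change, in the policy
  puts view_report(policy, auditor, 'q3')          # activity check passes
  puts role_based_can_view_report?(auditor)        # still false: call site must be edited
end
```

The `authorize!` guard raises rather than returning `false` so a forgotten `if` around it cannot silently grant access; `activities_for` uses `fetch` with an empty default so a role that exists on a user but not in the policy grants nothing.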

Don’t Build A Security System Until There Is Something To Secure

I know a lot of people give credit to the idea of “time to login”. Personally, I don’t think that’s the right way to look at starting an app. (Note: As Joshua Flanagan pointed out in the comments below, I …

Also posted in AntiPatterns, Bootstrap, Goals, Risk Management | 9 Comments

Providing Unauthenticated API Access To An Authenticated/Authorized Controller In Rails 3, With Devise And CanCan

My current Ruby on Rails app defaults to every page and controller action in the system requiring authentication. If you’re not logged in, you don’t get to do anything other than see the login page. Once you are logged in, …

Also posted in Model-View-Controller, Rails, Ruby | 1 Comment

Don’t Make Me Choose To Follow The Standards

Most systems that involve humans making decisions have a set of standards: guidelines, rules and/or policies that help people make good decisions. These standards are usually in place for good reason – to prevent bad things from happening or to …

Also posted in Analysis and Design, Management, Pragmatism, Principles and Patterns, Standardized Work, User Experience | 10 Comments

How To? Highly Complex Query Generating Based On Security Needs

I have the following object model: An Office belongs to one Office Group. An Office also belongs to one Office Region. There is no relationship between Office Group and Office Region. They are two separate groupings for various reasons. …

Also posted in .NET, C#, Data Access, Unit Testing | 10 Comments