handling security in applications

Vivek Sharma

Hi There,

I have always wondered what sort of security is the best for a Windows
application. I am designing an application and I wish to understand what's
best to implement.

Is it role-based security? Shall I handle security in SQL tables? What is
the best way of providing access to various parts of the application to the
users? How shall I make the forms customisable for users?

Please guide.

Thanks

Vivek
 
You'd have to provide way more information to answer that question reliably.
It depends on your threat exposure, what you're trying to protect, and how
much money it is worth to you.

I always start a project with the expectation of using Active Directory for
security and only vary from that rule when circumstances beyond my control
force the issue. You will never be able to write anything as secure as
Active Directory. If you need access outside of your own network, there are
options from RSA and Cisco for secure VPN access.

If you write your own security and store passwords in a database, how will
you secure it? If you secure the passwords with a secure hash, how will you
transmit the password over the network? If you transmit the hash, it is
still vulnerable to discovery. To write your own secure authentication
system, you would have to start by reading:

http://csrc.nist.gov/publications/fips/fips196/fips196.pdf

In the end, you'll find out that writing your own security implementation is
not secure at all, even using the PKI and hashing classes built into the
.NET framework. My suggestion is to leave it to the experts and use Active
Directory or X.509 certificates if possible.

HTH

Dale Preston
MCAD, MCDBA, MCSE
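
The replay problem described in the reply above, as an added example that is not part of the original thread: a hash sent over the network works as the password itself, while a fresh server nonce per login makes a captured response useless. HMAC over a shared secret stands in here for the public-key signatures that FIPS 196 specifies; the account, salt and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SALT = b"constructed-salt"  # constructed sample value

def verifier(password: str) -> bytes:
    """Slow salted hash, as stored in the application's user table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

DB = {"vivek": verifier("correct horse")}  # constructed sample account

def login_with_hash(user: str, sent_hash: bytes) -> bool:
    """Scheme A: the client hashes locally and sends the hash."""
    return hmac.compare_digest(DB.get(user, b""), sent_hash)

class ChallengeServer:
    """Scheme B: the server issues a fresh single-use nonce per attempt."""
    def __init__(self) -> None:
        self.pending = {}  # user -> outstanding nonce

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # consumed even on failure
        if nonce is None or user not in DB:
            return False
        expected = hmac.new(DB[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(password: str, nonce: bytes) -> bytes:
    """Client proves knowledge of the password by keying an HMAC over the nonce."""
    return hmac.new(verifier(password), nonce, hashlib.sha256).digest()

def demo() -> tuple:
    captured_hash = verifier("correct horse")      # what crosses the wire in A
    replay_a = login_with_hash("vivek", captured_hash)
    server = ChallengeServer()
    captured_resp = client_response("correct horse", server.challenge("vivek"))
    genuine = server.verify("vivek", captured_resp)
    server.challenge("vivek")                      # later session, new nonce
    replay_b = server.verify("vivek", captured_resp)
    return replay_a, genuine, replay_b

if __name__ == "__main__":
    print(demo())
```

In both schemes the value held in `DB` is enough to log in, so a copied user table is still a set of working credentials.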
 