Or just our approach to it?
Why does this subject, so fundamental, seem so hard?
- The internet, including DEV, is full of articles on security, JWT, cookies-good, cookies-bad etc.
- Some services (e.g. Azure Active Directory) seem to handle it all for you - but do they really? And when can you actually use this approach?
- Pretty much any article on the subject will come with a stream of comment and debate attached - doubt is sown...
What's a professional, let alone a beginner, to do?
Top comments (11)
I think it's because people have their own biased opinion on different ways to do it. In security, like everything else, there is often more than one way to do something...and be equally secure.
However, people with opposing views tend to be pretty hostile and reply with a tone like: "if you do that, then your app sucks and has huge security holes"...with little or no justification...they just don't like the OP point of view.
But in addition, I think many security articles put the reader down. You know, those articles with titles like "You are doing security wrong", "Security is hard, don't do it, use Auth0", or "If you implement security yourself, your company and products are bad", etc... And though I do agree it's sometimes easier and better to delegate some security aspects to frameworks (i.e. HTTP escaping), judging the reader's professional skills is a poor way of getting a message across and it can make the reader feel like crap.
People also tend to combine problems with protocol (and design) and implementation in the same bucket. Some can be designed correctly, but their implementations can have bugs.
I do agree that for beginners it can be overwhelming. For me, it just took lots of reading and understanding of what an application's real security requirements are (vs fear mongering from the internet). I went through this whole mess when I was working on some OpenID Connect tasks a while back...
Actually, don't mean to self promote, but my friends and I just built a series of videos regarding our experience using Auth0 and other authentication services you might find helpful. You can see the first video here if you want.
From my experience, the comment section of security articles can be pretty helpful or expose holes in the post. Especially if the OP has some underlying objective of the post (ie they work for Auth0).
Web security is such a large topic. It covers things like front-end coding (not just the login page, but also XSS concerns on the rest of the site), to how to store credentials in the DB, to the authentication process used (is username/password good enough? do I need 2FA?), and finally the authentication mechanism (JWT, cookies, etc.).
As developers we should remember that security works at all levels. It's not something that one dedicates a sprint or two to fix. It's something that, if we want to be secure, needs a lot of thought, knowledge and experience. And we also need to remember that security needs constant effort: maintaining up-to-date code, dependencies and practices.
Security is about circles of trust.
Larger circles are usually more complex, hence why web security has so many things to consider.
If you have a static site, you trust no one, and need to trust no one, your circle is small.
If you have forms on that site you need https; now you need to trust the network the data is passed through, so you need encryption (https), and your circle grows.
If those forms share their data with people you do not know, then you need to bring them into your circle, so you might need a login, and some cookies to manage access.
And so on.
I think the issue might be due to web technologies moving so fast, yet security doesn't. The expectation is that there must be new technologies that you have to learn, because "that's just how the industry works". The reality is security doesn't move nearly as fast, take GCM for example, because it needs a long time to be validated as well as the implementations to be audited.
It doesn't, you still need to handle your session securely.
It's not really broken, it just evolves from day to day and the web lacks a complete and updated tutorial on what to do and how browsers work.
Hmm, what do you mean by 'how browsers work'? Like the SSL handshake?
But why isn't your ability to write something as true as this seen as crazy as saying "just write html how you like, there isn't a specification, you'll have to hope the browser understands it"?
A new tool from Microsoft might help? I dunno...
It's the same with every element of software development: people have opinions on which is better. Use what is best for your use case.
But surely security is a bit more fundamental than "what's the best way to build a component?".
There is no perfect answer for security as software comes in so many different forms. Personally I like JWT for API authentication as it is easy to use with both web and mobile applications as generally you wouldn't want to be using cookies for your mobile application.