This post from a security manager using a pseudonym recounts the story of an application developer asking for help on a project. “I only learned about this software development project when one of the programmers approached me to ask about the best way to store usernames and passwords in the application’s database. Yes, that’s right–they built the authentication right inside the application, instead of calling out to an external authentication source,” he writes. “If you’re like me, you’re thinking this is crazy. Why build an authentication capability into an application when we already have Active Directory?”
The next question? “The developers were planning to save the passwords directly into the application’s database, and they wanted to know if those passwords should be stored in encrypted form.” The manager, of course, answered yes and advised them to use AES instead of building their own encryption as they had been considering.
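The developers’ question, how to store passwords in the application’s own database, is worth a worked example, because the answer most guidance gives is not reversible encryption at all: a password only ever needs to be checked, not read back, so it is stored as a salted, deliberately slow one-way hash. The following is an added illustration, not code from the post or the manager’s team. It uses only the Python standard library (PBKDF2-HMAC-SHA256 with a random per-user salt and a constant-time comparison); the 600,000 iteration count, the record format, and the in-memory `USERS` dictionary standing in for the database table are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Policy values assumed for this example (not taken from the post).
PBKDF2_ITERATIONS = 600_000   # work factor: raise it as hardware gets faster
SALT_BYTES = 16               # random salt length per stored password
SCHEME = "pbkdf2_sha256"      # stored with each record so it can change later


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'scheme$iterations$salt$digest'.

    A fresh random salt per user means two users with the same password get
    different records, and precomputed tables are useless against the store.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count, then
    compare in constant time so a mismatch leaks nothing about where it differs."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False          # malformed record: treat as no match
    if scheme != SCHEME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record predates the current policy (older scheme or fewer
    iterations), so it can be upgraded transparently at the next good login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < iterations


# Constructed in-memory stand-in for the application's users table.
USERS = {}


def register(username: str, password: str) -> None:
    """Store only the salted hash; the clear-text password is never persisted."""
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    """Check a login attempt; on success, upgrade stale records in place."""
    record = USERS.get(username)
    if record is None:
        hash_password(password)   # spend the same time so timing does not reveal valid usernames
        return False
    ok = verify_password(password, record)
    if ok and needs_rehash(record):
        USERS[username] = hash_password(password)
    return ok


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("good password:", login("alice", "correct horse battery staple"))
    print("bad password: ", login("alice", "wrong"))
    print("stored record:", USERS["alice"])
```

The record carries its own scheme, iteration count and salt, which is what lets the application raise the work factor later without forcing a password reset; `needs_rehash` does the upgrade on the next successful login, when the clear-text password is briefly available. Compare this with the AES route the post describes: an encrypted password column can be decrypted by anyone who obtains both the database and the key, whereas a hashed column gives an attacker only the option of guessing.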
The post concludes, “My company’s business leadership has decided that we can provide better service to our customers by giving them a new Internet application. That’s a noble idea, but I think it’s going to be a bit more complicated than they expected, especially if we want to do it right, by safeguarding our application and our customers with good security practices.”