Security is an essential part of any application ecosystem, but it can also be a nebulous concept for an organization to grasp. During our system rewrite, the team has had discussions on the topic of securing a system.
What we’ve found is that there are five levels of security an application might have with regard to user access, and each level is a prerequisite for continuing to the next.
Level 1 is identity: we must first identify the individual. Identity can be a simple login process or a stringent authentication process with security questions, two-factor authentication, or more.
At level 2, permissions, we need to recognize what actions a user can take within the system. Can they edit a resource, or can they only read it? Permissions can make the user experience narrow or broad.
Level 3, resource access, identifies the resources that the current user has access to directly. While the user may be able to modify records, we want to limit which resources they can change. It is also essential to constrain the user’s view to only the resources within their responsibility.
Level 4 is resource permission. At this point we have identified the user, established which actions they can perform, and confirmed their responsibility for a particular resource, but a system may still need to constrain the kind of responsibility they have over it.
Can the user read this resource? Can they change this particular resource? These are the questions answered at this level.
Note: Some systems may not need this level of granularity.
Level 5, business rules, tends to be the most complex level of securing a system. This layer depends on the domain the system works in. Validating that a user’s action is correct is essential. A business rule can be as simple as verifying a single resource, or as complex as validating the state of the whole system.
Security is serious business, and a complex one at that. Building a system is a balancing act between a secure one and a manageable one. An unmanageable security system is a lousy security system, while a naive one may expose sensitive data.
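The five levels as one ordered check, written as an added illustration rather than code from this post or its system: each level is evaluated only if the previous one passed, and the decision records which level denied the request so that the failure is auditable. The session tokens, roles, resources, grants, and the "posted invoice" rule are constructed sample data.

```python
"""Layered access check: identity -> action permission -> resource access
-> resource permission -> business rule. Each level is a prerequisite for the next."""
from dataclasses import dataclass

# Constructed sample data standing in for a real session store, role table, etc.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}  # level 1
USER_ROLES = {"alice": "editor", "bob": "viewer", "carol": "editor"}
ROLE_ACTIONS = {"editor": {"read", "edit"}, "viewer": {"read"}}            # level 2
RESOURCE_OWNERS = {"inv-1": {"alice", "bob", "carol"}, "inv-2": {"alice"}}  # level 3
RESOURCE_GRANTS = {                                                          # level 4
    ("alice", "inv-1"): {"read", "edit"},
    ("bob", "inv-1"): {"read"},
    ("carol", "inv-1"): {"read"},          # editor role, but read-only on this record
    ("alice", "inv-2"): {"read", "edit"},
}
RESOURCE_STATE = {"inv-1": "draft", "inv-2": "posted"}                       # level 5


@dataclass
class Decision:
    allowed: bool
    level: int    # level that granted (5) or denied (1..5) the request
    reason: str


def authorize(token: str, action: str, resource: str) -> Decision:
    # Level 1: identity. An unknown token means we have no individual to reason about.
    user = SESSIONS.get(token)
    if user is None:
        return Decision(False, 1, "unauthenticated")
    # Level 2: permissions. May this user perform the action anywhere in the system?
    if action not in ROLE_ACTIONS.get(USER_ROLES.get(user, ""), set()):
        return Decision(False, 2, f"{user} may not {action}")
    # Level 3: resource access. Is this resource within the user's responsibility?
    if user not in RESOURCE_OWNERS.get(resource, set()):
        return Decision(False, 3, f"{resource} is outside {user}'s responsibility")
    # Level 4: resource permission. Does the user hold this action on this resource?
    if action not in RESOURCE_GRANTS.get((user, resource), set()):
        return Decision(False, 4, f"{user} lacks {action} on {resource}")
    # Level 5: business rule (constructed): a posted invoice can no longer be edited.
    if action == "edit" and RESOURCE_STATE.get(resource) == "posted":
        return Decision(False, 5, f"{resource} is posted; edits are closed")
    return Decision(True, 5, "allowed")
```

Because the denying level is returned rather than a bare boolean, the same result can drive both the user-facing error and a log line that tells you which layer of the model stopped the request.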
What are your thoughts? Did we miss a critical level or are we excessive? I’d love to hear your thoughts in the comments.