You don’t want just anyone accessing your software and you can’t get into just anyone’s software either.
Even when you do you don’t want to give users everything. Enter software security.
Authentication
Authentication confirms that you are who you say you are and are not just using someone else’s account.
A helpful way to understand is to list what it would take to get forbidden access to a software program.
- Username. Probably pretty easy, these are a dime a dozen.
- Password. Ok, steps up here for sure, but the user might have a easy to guess password.
- If not you might be able to use a popular password generator.
- If not this then maybe you could buy one from some shady place.
- Ok, let’s assume you get past this hurdle, you could run right into the next wall…
- Two-factor authentication. This is a 2nd form of proving you are who you are usually through sending your phone an 6-8 digit message via text or using an ever-changing set of digits on an authentication app. If you can’t add this to the password you are still locked out.
- This one starts to get stupid. Now you’ve got to find a way to get the exact users phone. Also you need to make sure you can get into it so you’ll have your own security code on the phone that you’ll need to get through.
- But for argument sake let’s say you get through this one too, next you likely run into…
- VPN. We talked about this one here. But now you’ve got another username, password, & two-factor authentication to get through, plus you are going to need to make sure the box has the token software installed already (this is software the network administrator installs to make sure the computer a legit part of the network). Also, opening that computer will likely have another password for the initial log in + your windows/mac username & password.
- Ok, wildly assume you get through all these, now are you really set? Nope.
Authorization
Authorization determines what users can and can’t do once in your software.
Now you are in, but you still need to have access to certain functions and privileges within the software program. Does your username have access to sensitive data? Access to make certain additions to data? The ability to grant access to other users?
All of that needs to be set up or configured for a specific username. Often those are set up through Active Directory (or Open Directory if in the Mac universe). Think of this like a big Excel spreadsheet with an entry for each username & yes/no boxes in all the rows that mark what privileges are granted. Sensitive data, check, add new users, no check, etc.
Finally, if you get past all of those locks you would finally find yourself all the way in the software. Even disregarding the moral imperative, it is clear that at a certain point it is easier to just build it or buy it.
So what?
As the criticality of the job done by your software or the sensitivity of the data that your software deals with goes up so also will the need to ensure you are using these steps to protect your work. All of these steps exist because they are fixing something that was once a problem.
You should plan accordingly based on the nature of your project.