I still remember sitting down with my brand new copy of Writing Secure Code by Michael
Howard and David LeBlanc. Having moved beyond writing relatively simple intranet web
reports, (before the term "Bl" came to embody what at the time we thought was an incredibly
innovative way to display call center metrics for managing credit card operations) I found
myself in a development lead position responsible for building a web portal for managing the
collections process for JP Morgan Chase's auto and home business. The portal interfaced with
a number of internal assets, such as SQL Server, Oracle, and IBM Mainframes via Terminal
3270 emulation, as well as external partners, such as Experian and Equifax.
In addition to the learning curve of moving from Classic Active Server pages to production-
worthy .NET Framework 1.1 and ASP.NET Web Services, we were just beginning to dramatically
disrupt the enterprise as a way to minimize the friction between systems while increasing the
reusability of these integration investments. As a fledgling new lead, building the portal to stop
world hunger and to cure cancer (as all the intranet portals promised to do in those days). I
was keenly aware that the solution had to be secure, because after all. "All Input Is Evil", and
working in the financial services industry, no security breach or personal information leak
goes unpunished, no matter how trivial.
For weeks I skimmed through the 600 page volume, incrementally building confidence
that I was doing my due diligence in implementing a trusted subsystem, identifying and
authenticating my users, applying the least privilege, and preventing the SQL injection attacks.
Things were significantly simpler in 2003. All of my users were in Active Directory, and as long
as I didn't need them to do multiple hops, NTLM was just fine, thank you very much. I put a
lot of thought into the roles and proudly remember showing my manager how the new users
would automatically have access to the portal as soon as their account was created (provided
IT assigned them to the right group! :).
Well, it turns out this "Web Services" thing was real, and what they did for the enterprise a
decade ago pales in comparison to how service orientation has transformed the way users
expect to be able to interact with software today. The proliferation of modern web applications
and mobility demand a completely new perspective when designing modern applications.
Whether you are building Web, desktop, or mobile solutions that reside on-premise, on the
cloud, or are a hybrid thereof, identity and access control have never been more important.