October 29, 2013
We regularly get the question: should we build our web authentication and single sign-on solution?
Here's why you should not do it: OWASP 2013 lists "Broken Authentication and Session Management" as the No.2 item to pay attention to when you design your web site. OWASP.org says:
"Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities."
Implementing your own session and key management, validation, update, periodic rollover, etc. mechanisms in a scalable and fault tolerant way is extremely difficult. We regularly get inquiries from clients who want to replace their own in-house built web single sign-on framework — mostly because they have been hacked or it's too expensive to operate and update.
This is why we see open source and commercial Web Access Management packages and solutions critically important to protect your web assets. Since they are mostly mature technologies, they protect against not just authentication and session management problems but often against cross site scripting and other older threats as well. If you use a newer product or a pure federation product, make sure that the vendor or supplier can help you answer your questions based on the the OWASP list.
Check out https://www.owasp.org/index.php/Top_10_2013-Top_10 for more details on the OWASP Top 10 for 2013.