
Authentication and Authorization: Best Practices for Application Security

  • Writer: Jen C
  • Dec 16, 2025
  • 3 min read

In an earlier article, “Broken Access Controls—Protect The Fortress!”, we dove into authentication and authorization and what happens when access controls fail. A brief refresher: authentication asks, are you who you say you are? Authorization (access control) asks, now that we know who you are and what you're attempting, are you allowed to do it? Specific best practices can be followed to get both right. In this article, we’ll cover how to implement robust user authentication and authorization in applications.


First, some controls that are easy to adopt. Multi-factor authentication (MFA) adds a layer of security by requiring more than one verification factor: something you know (a password), something you have (a hardware token or an authenticator app), or something you are (biometrics). A password on its own should not be enough to log in. Build a sound password policy into the application: require long, unique passwords, check new passwords against lists of known-breached passwords, and do not force periodic password changes. Forced rotation pushes users toward predictable variations of the same password, and current NIST guidance (SP 800-63B) recommends changing a password only when there is evidence it has been compromised. As developers, we must also store credentials correctly. Encryption and hashing are not the same thing: encryption is reversible by anyone who holds the key, while a password hash is one-way, so a stolen hash still has to be cracked. A fast, unsalted hash such as MD5, SHA-1, or plain SHA-256 is easy to crack: identical passwords produce identical hashes, and precomputed tables and GPU rigs test billions of guesses per second. Use a deliberately slow password hashing function (Argon2id, scrypt, bcrypt, or PBKDF2 as a fallback) with a unique random salt per user, and optionally a pepper, a server-side secret kept outside the database. Salt, pepper, and hash those passwords. Just don’t leave them unsalted.
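The storage scheme described above, as an added example in Go (not code from the original article): a per-user random salt, a server-side pepper, a slow key-derivation function, and a constant-time comparison, alongside the unsalted fast hash the paragraph warns against. The PBKDF2-HMAC-SHA256 routine is written out so the example needs only the standard library; the iteration count, salt length, record format and pepper value are assumptions for illustration, and production code should use a maintained Argon2id or bcrypt implementation instead.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// Assumed parameters for this example; not from the article.
const (
	saltLen    = 16      // bytes of random salt per user
	iterations = 100_000 // PBKDF2 work factor; raise it as hardware gets faster
)

// pepper stands in for a secret held in a KMS or secret manager, never in
// the user database, so a dumped table alone cannot be cracked offline.
var pepper = []byte("example-pepper-keep-out-of-the-database")

// pbkdf2SHA256 is one 32-byte block of PBKDF2 (RFC 8018) with HMAC-SHA256:
// the XOR of `iter` chained HMAC outputs, which is what makes guessing slow.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1; one block is 32 bytes
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// prehash binds the pepper to the password with HMAC before key derivation.
func prehash(password string) []byte {
	m := hmac.New(sha256.New, pepper)
	m.Write([]byte(password))
	return m.Sum(nil)
}

// HashPassword returns a self-describing record "pbkdf2-sha256$iter$salt$hash"
// so the work factor can be raised later without breaking existing records.
func HashPassword(password string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256(prehash(password), salt, iterations)
	enc := base64.RawStdEncoding.EncodeToString
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations, enc(salt), enc(dk)), nil
}

// VerifyPassword recomputes the hash with the stored salt and iteration count
// and compares in constant time so timing does not leak how many bytes matched.
func VerifyPassword(password, record string) bool {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 {
		return false
	}
	salt, err1 := base64.RawStdEncoding.DecodeString(parts[2])
	want, err2 := base64.RawStdEncoding.DecodeString(parts[3])
	if err1 != nil || err2 != nil {
		return false
	}
	got := pbkdf2SHA256(prehash(password), salt, iter)
	return subtle.ConstantTimeCompare(got, want) == 1
}

// UnsaltedSHA256 is the weak scheme the article warns about: every user with
// the same password gets the same hash, and precomputed tables apply directly.
func UnsaltedSHA256(password string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(password)))
}

func main() {
	rec, _ := HashPassword("correct horse battery staple")
	fmt.Println(rec)
	fmt.Println(VerifyPassword("correct horse battery staple", rec), VerifyPassword("Tr0ub4dor&3", rec))
	fmt.Println(UnsaltedSHA256("hunter2") == UnsaltedSHA256("hunter2")) // identical for every user
}
```

Two hashes of the same password never match because each call draws a fresh salt; only VerifyPassword, which reads the salt back out of the record, can confirm a guess, and it has to pay the full iteration cost to do so.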


Some best practices apply during application development. Principle of least privilege: grant each user only the access needed to do their job, at the minimum level required, usually expressed through role-based access control (RBAC), where permissions attach to roles and users are assigned roles. Deny by default: anything not explicitly granted is refused. In conjunction with that, conduct regular access control reviews: periodic checks that identify inactive accounts, permissions that outlived a job change, and roles that have quietly accumulated more rights than they need. Finally, log authentication and authorization decisions (successful and failed logins, denied requests, privilege changes) and actually monitor those logs. It really doesn’t help if nobody is reading them!
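The three practices in that paragraph, as an added example in Go (not code from the original article): a deny-by-default RBAC check, an access review that flags idle accounts, and an audit log that a reviewer can query for repeated denials. The role table, user records, idle threshold and clock value are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"time"
)

// Role-to-permission table (assumed for this example). Permissions are
// granted only here; anything absent from the table is denied.
var rolePerms = map[string]map[string]bool{
	"viewer":  {"report:read": true},
	"analyst": {"report:read": true, "report:export": true},
	"admin":   {"report:read": true, "report:export": true, "user:manage": true},
}

type User struct {
	Name      string
	Roles     []string
	LastLogin time.Time
	Disabled  bool
}

// Decision is one audit-log entry: who asked for what, and why it was decided.
type Decision struct {
	User, Perm, Reason string
	Allowed            bool
}

// AuditLog stands in for the log sink (SIEM, file) a real application would use.
var AuditLog []Decision

// Authorize is deny-by-default: a request succeeds only if the account is
// active and one of its roles explicitly grants the permission.
func Authorize(u User, perm string) bool {
	d := Decision{User: u.Name, Perm: perm, Reason: "no role grants " + perm}
	if u.Disabled {
		d.Reason = "account disabled"
	} else {
		for _, r := range u.Roles {
			if rolePerms[r][perm] { // unknown role: nil map lookup is false
				d.Allowed, d.Reason = true, "granted by role "+r
				break
			}
		}
	}
	AuditLog = append(AuditLog, d)
	return d.Allowed
}

// StaleAccounts is the periodic access review: active accounts idle longer
// than maxIdle are reported so they can be disabled.
func StaleAccounts(users []User, now time.Time, maxIdle time.Duration) []string {
	var stale []string
	for _, u := range users {
		if !u.Disabled && now.Sub(u.LastLogin) > maxIdle {
			stale = append(stale, u.Name)
		}
	}
	return stale
}

// DeniedCount answers the monitoring question: how often was this user refused?
// A burst of denials is the signal someone should be watching the log for.
func DeniedCount(user string) int {
	n := 0
	for _, d := range AuditLog {
		if d.User == user && !d.Allowed {
			n++
		}
	}
	return n
}

func main() {
	now := time.Date(2025, 12, 16, 0, 0, 0, 0, time.UTC) // constructed clock
	alice := User{Name: "alice", Roles: []string{"analyst"}, LastLogin: now.AddDate(0, 0, -3)}
	bob := User{Name: "bob", Roles: []string{"viewer"}, LastLogin: now.AddDate(0, -8, 0)}
	fmt.Println(Authorize(alice, "report:export"))                   // true
	fmt.Println(Authorize(bob, "user:manage"))                       // false
	fmt.Println(StaleAccounts([]User{alice, bob}, now, 90*24*time.Hour)) // [bob]
	for _, d := range AuditLog {
		fmt.Printf("user=%s perm=%s allowed=%t reason=%q\n", d.User, d.Perm, d.Allowed, d.Reason)
	}
}
```

Note that the denial path writes a reason into the log just as the grant path does; a denied request with no record is exactly the gap an attacker probing for over-broad permissions would exploit.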


Let’s discuss ciphers and authentication. Ciphers protect the authentication process itself: usernames, passwords, session tokens, and MFA codes must travel over an encrypted channel (TLS) so they cannot be read or altered in transit, and secrets that must be stored in recoverable form (API keys, session tokens, the database as a whole) should be encrypted at rest. Passwords are the exception: they are hashed, not encrypted, as described above. Properly chosen ciphers give the authentication exchange both confidentiality and integrity, and deny attackers the credentials they need to gain access.


An application relies on strong cryptographic algorithms to frustrate brute-force and other attacks that aim to compromise the authentication process. Longer keys make exhaustive search harder: AES-128 is already beyond brute force, and AES-256 adds further margin. Key length is not the whole story, though; the algorithm, the mode of operation, and the protocol version matter just as much, and a 256-bit key behind an obsolete cipher suite or TLS 1.0 buys little. Disable legacy options (SSLv3, TLS 1.0 and 1.1, RC4, 3DES, export-grade suites) and prefer TLS 1.2 or 1.3 with authenticated cipher suites. Why does cipher strength matter? Because it protects confidential data: for the company, that means account numbers, bank account information, and the like, both at rest and in transit, and it protects our user credentials. A cipher guarantees integrity only when it is used in an authenticated mode, which the next section covers.


Encryption and authentication go hand in hand. AES, the Advanced Encryption Standard, is the workhorse symmetric cipher for protecting sensitive data at rest and in transit. It is symmetric: the same secret key encrypts and decrypts, so the key itself must be protected (a key management service or hardware security module, never a config file in the repository). AES keys are 128, 192, or 256 bits; AES-256 is the usual choice for long-lived data, and its keyspace is far beyond brute force. AES on its own is a block cipher, though, and the mode of operation decides what you actually get. Confidentiality-only modes such as CBC or CTR do not detect tampering: an attacker can flip bits of the ciphertext, and the corresponding plaintext bits flip too. Use an authenticated mode such as AES-GCM (or ChaCha20-Poly1305 where AES hardware is absent), which produces an authentication tag and rejects any modified ciphertext, and never reuse a nonce with the same key. AES protects databases, files, stored tokens, messaging and communication, devices, and application data. As with transport ciphers, it’s crucial to use it to safeguard customer information such as account numbers and transaction details.
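What the integrity claim in the two sections above means in practice, as an added example in Go (standard library only, not code from the article): AES-256-GCM rejects a ciphertext that has been modified, while AES in a confidentiality-only mode (CTR here) decrypts the tampered bytes without complaint, and the attacker's bit flip lands in the plaintext. The key, message, associated data and flipped byte are constructed for the demonstration, and TamperDemo is a hypothetical name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal encrypts with AES-256-GCM. A fresh random nonce is prepended to the
// output; the tag GCM appends covers the ciphertext and the associated data
// (aad), so changing either makes Open fail. Never reuse a nonce with a key.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open splits off the nonce and verifies the tag before returning plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// ctrXOR is AES-CTR with no authentication: encryption and decryption are the
// same XOR with the keystream, which is exactly why it is malleable.
func ctrXOR(key, iv, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// TamperDemo encrypts a constructed payment message under both modes, flips
// one ciphertext byte so that "$100" would read "$900", and reports whether
// GCM rejected the change and what CTR decrypted the tampered bytes to.
func TamperDemo(key []byte) (gcmRejected bool, ctrPlaintext string, err error) {
	msg := []byte("transfer $100 to account 42") // constructed sample message
	const pos, flip = 10, '1' ^ '9'             // index of the '1'; XOR turns it into '9'

	sealed, err := Seal(key, msg, []byte("payment-v1"))
	if err != nil {
		return false, "", err
	}
	sealed[12+pos] ^= flip // the 12-byte GCM nonce comes first, then the ciphertext
	if _, openErr := Open(key, sealed, []byte("payment-v1")); openErr != nil {
		gcmRejected = true
	}

	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return false, "", err
	}
	ct := ctrXOR(key, iv, msg)
	ct[pos] ^= flip
	return gcmRejected, string(ctrXOR(key, iv, ct)), nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rejected, ctrPlain, err := TamperDemo(key)
	if err != nil {
		panic(err)
	}
	fmt.Println("AES-GCM rejected tampered ciphertext:", rejected)   // true
	fmt.Println("AES-CTR decrypted tampered ciphertext to:", ctrPlain) // transfer $900 to account 42
}
```

The attacker never needs the key: in CTR mode, XOR-ing a ciphertext byte with the difference between two characters changes the decrypted character by exactly that difference. GCM's tag turns the same edit into a hard failure, which is the integrity property the text is referring to.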


These are just a handful of best practices you can use to improve authentication and authorization for the application you support.


Is your application secure?



© 2021 by Jen Cracchiola.
