A few weeks ago, OWASP, a leading group that monitors web application vulnerabilities and provides open source tools to help secure application infrastructure, updated its list of leading web application vulnerabilities. This year, “Broken Authentication and Session Management” moved up a rank from number three to number two.
Identity capabilities (authentication, session management, user activity auditing, etc.) are architecturally cross-cutting concerns – the same capabilities are required by almost every application that you build for employees and customers to use. Because the need for identity management is pervasive across all applications, a common implementation must be made available for all application developers to leverage. It is all too common for application developers to try building identity capabilities directly into the applications they create. Unfortunately, those developers often aren’t trained in the finer points of application and identity security – and the resulting bugs lead to security breaches instead of just broken functionality.
Without a common identity infrastructure across all applications, inconsistent implementations will lead to security vulnerabilities, inconsistent policy enforcement, horrible user experience, and very little visibility into user behavior.
On the other hand, if you provide this identity infrastructure, you free up your developers to do what they do best: create application functionality.
Various approaches exist for organizations to provide identity capabilities to their application developers.
- Agent/Proxy-based: This essentially ‘wraps’ the application in an identity system that intercepts all incoming traffic, authenticates the user and then manages the user’s session (including timeout and step-up authentication). The web application management system passes the user’s information to the application developer as attributes added to the HTTP request.
- Development environment-based integration (provided by application platforms like Eclipse, WebLogic, and WebSphere): those deployments are in turn integrated into an organization’s broader identity platform by its operational teams, using standards like SAML.
- API-based: An organization provides a set of identity services that all application developers can use to perform identity functions, and provides a common implementation of these functions across all applications.
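To make the agent/proxy approach above concrete, here is an added example (not code from the original post) of the minimal logic such a wrapper performs in front of an application: check for a session, enforce an idle timeout and step-up authentication, and pass the user's identity to the application as request headers. The header names, the `sid` cookie, the `/transfer` step-up path and the in-memory session store are assumptions for illustration; the one detail a defender should not skip is that any identity header arriving from the client is stripped before the proxy adds its own, so the application can trust those attributes.

```python
import time
from dataclasses import dataclass

# Attributes the proxy adds to the upstream request (assumed names). Anything the
# client sends under these names is dropped first, otherwise a caller could
# impersonate any user simply by setting the header itself.
IDENTITY_HEADERS = {"x-remote-user", "x-remote-groups", "x-auth-level"}

@dataclass
class Session:
    user: str
    groups: tuple
    auth_level: int      # 1 = primary credential, 2 = step-up (second factor) completed
    last_seen: float     # used for the idle timeout

class IdentityProxy:
    """Minimal agent/proxy: authenticates, manages the session, forwards identity."""

    def __init__(self, idle_timeout=900, step_up_prefixes=("/transfer",), clock=time.time):
        self.idle_timeout = idle_timeout          # seconds of inactivity before logout
        self.step_up_prefixes = step_up_prefixes  # paths that require auth_level >= 2
        self.clock = clock                        # injectable so tests can control time
        self.sessions = {}                        # constructed in-memory store: sid -> Session

    def login(self, sid, user, groups=(), auth_level=1):
        self.sessions[sid] = Session(user, tuple(groups), auth_level, self.clock())

    def step_up(self, sid):
        self.sessions[sid].auth_level = 2         # second factor verified elsewhere

    def handle(self, path, cookies, headers):
        """Return (status, reason, upstream_headers); 200 means forward to the app."""
        upstream = {k: v for k, v in headers.items() if k.lower() not in IDENTITY_HEADERS}
        sid = cookies.get("sid")
        sess = self.sessions.get(sid)
        if sess is None:
            return 401, "no_session", upstream            # authenticate first
        now = self.clock()
        if now - sess.last_seen > self.idle_timeout:
            del self.sessions[sid]                        # idle timeout: end the session
            return 401, "expired", upstream
        sess.last_seen = now
        if path.startswith(self.step_up_prefixes) and sess.auth_level < 2:
            return 403, "step_up_required", upstream      # stronger authentication needed
        upstream["X-Remote-User"] = sess.user
        upstream["X-Remote-Groups"] = ",".join(sess.groups)
        upstream["X-Auth-Level"] = str(sess.auth_level)
        return 200, "ok", upstream
```

In a real deployment the session store would be shared and the application would be reachable only through the proxy, since the injected headers are meaningful only if the application cannot be reached directly.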
Technical limitations of legacy applications lead many organizations to employ a combination of these approaches. In many cases it is very difficult to go back and retrofit existing applications with the common identity library, so a wrapper or proxy-based approach makes more sense. But regardless of the approach, by providing an identity platform that application developers can leverage as they build new applications, organizations can get the visibility and control they need when delivering those applications to customers, employees and partners.