During the state of the blog update two weeks ago, I mentioned that Shadow Nation was slated for publication on Amazon, where it’s now available, as well as mentioned an open source library designed to make security for smaller applications, or applications that don’t want to use LDAP and maintain more control over how their user credentials work, easier. And that library is now out on GitHub as GuardFish. See, told you I was ready to start getting projects out the door for feedback, and with GuardFish, I’m also hoping for other programmers out there to add their own ideas and incorporate them into their experiments. So if you’re making an app or a website that requires some security and you’re wondering how to get your user and permissions data up and running quickly, here’s what you need to know about GuardFish and its components.
GuardFish.XSM is the DLL where all the main objects live and where the basic logic for logins, authentication, issuing tokens, hashing, and lockouts, is implemented. It helps you perform the basic CRUD operations on your key permission, role, and user objects as well as abstracting all the nitty gritty things like when to lock out a user, for how long, and watch for replay attacks and attempts to access accounts from IP addresses not commonly associated with the user trying to log in. All the default settings can be overriden in your config files to whatever you’d like so if an inspection of the users’ common IP addresses followed by a security question prompt before a login from a new one is allowed sounds like too much work, you have the choice not to do it. But the hashing practices are embedded into GuardFish so you will be using BCrypt for a fairly slow hash, relatively speaking of course, giving you another layer of defense.
GuardFish.XSM.WS is a WCF service wrapper around the GuardFish.XSM DLL so if you want to have multiple UIs use GuardFish for user authentication, you can run this service and hook it up to your UI. It works in concert with a simple access log service that I’ve oh so creatively called AdminLog.RMX which keeps track of what operations were accessed, by whom, and logs errors and exceptions for debugging and audits. One thing to keep in mind is that there is room for you to use the referenced GuardFish.XSM library to make sure only authorized users can modify any data but you should be fine with an allow list that accepts properly formatted requests from your trusted IPs implemented on the server. This way you’re not adding nearly as much overhead as you would with additional code. But again, please, play around and experiment and see what will work for you in your particular setup. If you have a lot of bandwidth, you have a lot of options.
And last but not least, there’s QueryLogic, a key library used by all the other projects to talk to your database. It’s essentially a provider-agnostic wrapper for executing stored procedures and bringing back query results in hash maps. It’s built to be almost as fast as data reader classes, which fetch data and work with it as it comes in, and allows you to simplify your unit testing when you use mockable objects. Just build a QueryLogic hash map, populate it with the data you want to test, and return the result from your mock setup. There’s a catch though. Since the DLLs for stored procedures can be different from setup to setup for Oracle, MySQL, Postgre, etc, what’s available now defaults to a Microsoft SQL command and warns you that another engine has not been implemented yet. But the code is structured in a way that lets you add your provider DLLs, then add your objects and extensions to enable it. Yes, it will take work on your part, but hey, it’s open source and what’s the fun of open source if you can’t modify it as you see fit?
Before wrapping up this post, I believe that an obligatory discalimer is in order. GuardFish is by no means a complete security solution that will stop any hacker and any exploit. There’s no such thing as perfect security because for every better anti-hacking technique, the internet gives us better hackers. What this library does is introduce good security practices recommended by most security experts, and makes them easy to incorporate into your projects. Its goal is to frustrate a hacker by making exploits so time consuming due to tokens and slow hashes that he or she just moves on to a more promising target. Ultimately what you do or don’t do with GuardFish is up to you but I certainly hope you’ll find something interesting in the code and get some good use out of this project. And if you have an idea for how it could be improved, fork it, try it out, and let me know. I’d love to see it and learn something new. If I didn’t like novelty, I wouldn’t be in IT.
[ illustration by VladStudio ]