It seems to hold true that any tool can have a good and a bad use. In a recent attack, Google was used as a support mechanism for spreading a virus and defacing web sites.
While there isn’t anyone who can guarantee that a particular package or product won’t be vulnerable, it does pay to ensure that whoever you get your software from has a track record of providing patches quickly when this kind of thing occurs. If not, then make sure you figure out how you will patch the stuff yourself.
A recent article about a security flaw in the new Google Desktop Beta should serve as another reminder that you should never use beta software on production machines. My rule has always been that if I would be upset by a total rebuild of the box, then only tested and finished software gets installed on it. I admit that I love the new stuff myself, but if you dance with the devil, don’t be surprised if you get burned.
MS has made available a preview of the Member Management Component that you can use to build into .Net 1.1 sample applications. It isn’t exactly what will be released with VS.Net 2005, but it gives you something to play with so you can get used to the new model.
Be advised that it doesn’t appear to be licensed for production use. If that interpretation is correct, then this is just something to play with in advance of VS.Net 2005 and can’t be built into any real applications.
Who owns the passwords that you or your users use to access your network or application?
If you don’t know, then you have a problem. Your users hopefully memorize their passwords, but therein lies the rub. If an accountant has gone to the trouble of memorizing a complex password, then they are very likely to be tempted to use that password for other systems. Maybe the corner hardware store’s web site requires registration. If they use the same username and password that works on your systems, and top it off by entering the company email address, then your security now depends on the security of the corner hardware store’s web site (provided it isn’t actually run by a hacker)!
Tell your users in writing that the passwords they use at work are company property and must not be used on any other systems. Put it in writing like any other company policy and ensure they know that failure to comply is a terminable offense (and mean it). If you don’t, then forget about security; it won’t help you in the end.