About the Risk Associated with "Build Your Own Security"

Developers do not always immediately find the security measures they need for an application in the security toolset provided by the platform or built into the framework. As a result, "build your own security" is not uncommon in development projects. This is especially true when the application replaces an existing system that uses its own non-standard security infrastructure. An example of this is database-based authentication and authorization combined with user provisioning and granting access to resources at runtime.

The risk of building your own security is that you also become responsible for quality assurance of the security layer, for propagating application security and supporting single sign-on, and for bug fixing and maintenance of that layer over its lifetime. Not all developers are security experts, but security expertise is a necessity for building a custom security layer.

We recommend allocating time to investigate and implement existing, well-vetted security solutions. Applying existing solutions to custom applications may be easier and more cost-effective than creating custom mechanisms, which may offer less protection in their early phases.