Skip to main content

Losing control of your web application in the world of nearshore IT model

In this post, I will share with you a story about why it is so important to be aware of any 3rd parties dependencies and how you manage the ownership and access control to them.

Context
Starting a few years ago it becomes widespread to integrate your web application with 3rd parties identity providers like Facebook, Google or Twitter. From the consumer perspective, it is more straightforward to have only one identify and use it on multiple web application versus having different accounts and password for each application.
Let’s take Facebook as an example where to be able to do such an integration you need to create a Facebook App that it is used as the authentification and authorization layer for your app. The application can be created by a normal Facebook Account that becomes the Administrator of the Facebook App.

In most of the cases, the company that owns the web application does not have IT capabilities and use an external company to implement the web application and manage the Facebook account. Everything is going as planned until in the moment the company decides to change the IT provider that manages the web application.
In general, you have a contract with the IT provider that it is offering IT services. The source code of the web application it is own by you, the custom DNS name and HTTPS certificates are own by you also, the same thing applies for other dependencies. However, you might forget to add in the contract the 3rd parties applications, that from an ethical perspective are own by the customer. The perfect example here is the Facebook App. Why? Because the IT company might claim the rights on it and give you headaches once you are not their customer anymore.

Scenario

This is the following case that I had to manage:

  • A company is subcontracting an IT company to develop a Web Application. 
  • The Web Application authentication and authorization mechanism it is only based on Facebook.
  • A Facebook Application is created to handle this by the IT company. 
  • From the IT company, an employee is using his own personal account to create and manage the Facebook App.
  • The web application goes live for a while
  • The customer decides to change the IT company that offers support

BOOOMMM!!!!

This is the moment when things become ugly. The previous IT company disable the Facebook application. Guess what? The web application becomes unusable, and the customer is losing money.
After long discussions, they are accepting to enable the Facebook App for 30 days, but they are refusing to add as an administrator of the Facebook, the real owner of the Facebook App.
Remember: It is important to know that an administrator of a Facebook App can add another administrator. Besides this, an administrator can remove the previous administrators.
Even if creating a new app might be a solution, because you cannot migrate users from one Facebook App to another, you cannot do a user’s migrations. Using user email address that you already store in the web application you might find solutions to link a new user registration with previous data. These come at an extra cost and a risk to do something wrong and have users that don’t have the old data merged with the new account. It can become a disaster when users are paying a monthly fee to have access to the web application, and you need to do manual actions to merge the accounts. These risks combine with a high volume of users (let’s say 50.000 unique register users) it’s a good receipt for disaster.

Lesson learned
From a contractual point of view you shall always ensure that besides source code, all 3rd party applications and systems are own by the customer and not by the IT company that offers support. In this way, from a legal perspective, you can secure the Facebook Application that it is own by you (the customer) and not by the IT company that you subcontracted.

Additional to this on all 3rd party systems you should manage them using dedicated accounts and not a personal account. In the case of Facebook App, you need to create a Facebook Account that is owned by the customer and has full rights to the Facebook App. Depending on the policy that you want to use you might share the account with the IT company or add additional administrators to the app.

Conclusion
The most important thing that needs to be done is to ensure that you the 3rd party applications are managed using accounts and channels that are own by the customer and not by IT company that is offering support. The legal owner of the system shall ensure that has full control over their systems.

Comments

Popular posts from this blog

Windows Docker Containers can make WIN32 API calls, use COM and ASP.NET WebForms

After the last post , I received two interesting questions related to Docker and Windows. People were interested if we do Win32 API calls from a Docker container and if there is support for COM. WIN32 Support To test calls to WIN32 API, let’s try to populate SYSTEM_INFO class. [StructLayout(LayoutKind.Sequential)] public struct SYSTEM_INFO { public uint dwOemId; public uint dwPageSize; public uint lpMinimumApplicationAddress; public uint lpMaximumApplicationAddress; public uint dwActiveProcessorMask; public uint dwNumberOfProcessors; public uint dwProcessorType; public uint dwAllocationGranularity; public uint dwProcessorLevel; public uint dwProcessorRevision; } ... [DllImport("kernel32")] static extern void GetSystemInfo(ref SYSTEM_INFO pSI); ... SYSTEM_INFO pSI = new SYSTEM_INFO(...

ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded

Today blog post will be started with the following error when running DB tests on the CI machine: threw exception: System.InvalidOperationException: The Entity Framework provider type 'System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer' registered in the application config file for the ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded. Make sure that the assembly-qualified name is used and that the assembly is available to the running application. See http://go.microsoft.com/fwlink/?LinkId=260882 for more information. at System.Data.Entity.Infrastructure.DependencyResolution.ProviderServicesFactory.GetInstance(String providerTypeName, String providerInvariantName) This error happened only on the Continuous Integration machine. On the devs machines, everything has fine. The classic problem – on my machine it’s working. The CI has the following configuration: TeamCity .NET 4.51 EF 6.0.2 VS2013 It see...

Navigating Cloud Strategy after Azure Central US Region Outage

 Looking back, July 19, 2024, was challenging for customers using Microsoft Azure or Windows machines. Two major outages affected customers using CrowdStrike Falcon or Microsoft Azure computation resources in the Central US. These two outages affected many people and put many businesses on pause for a few hours or even days. The overlap of these two issues was a nightmare for travellers. In addition to blue screens in the airport terminals, they could not get additional information from the airport website, airline personnel, or the support line because they were affected by the outage in the Central US region or the CrowdStrike outage.   But what happened in reality? A faulty CrowdStrike update affected Windows computers globally, from airports and healthcare to small businesses, affecting over 8.5m computers. Even if the Falson Sensor software defect was identified and a fix deployed shortly after, the recovery took longer. In parallel with CrowdStrike, Microsoft provi...