On 10/21/2010 05:17 PM, Jim Manico wrote:
> I have no problem with server-side Java, especially when using a modern
> security framework like Spring Security or (wait for it) ESAPI.

You forgot the drum roll.

> But client-side Java? Flash?
> There are a few large organizations who have banned both from their clients
> and they are more secure for it.

And don't forget to ban Radio ActiveX while you're at it!!!

Seriously, banning Flash is likely to get you overthrown by your employees. If they are permitted to cruise the web at all and have been allowed to use Flash applications in the past, trying to ban it is going to fly like a lead balloon. There are too many sites that use it (as well as even more that misuse it). You would receive numerous business units not only complaining about how draconian the measure is, but also about how they can't accomplish their jobs because site X, which they need to do their job, uses Flash. Five yrs ago or so, I would have agreed with you, but it's just too prominent now.

Also, I'd be willing to bet you a Guinness or two that the vast majority of these PCs that were infected by Flash, PDF, or client-side Java attack vectors are people's home PCs, not corporate ones, even percentage-wise. At least that's true for large corporations.

In large part, I think that people fail to patch Flash or Acrobat Reader for the same reason they forget about Java... out of sight, out of mind.* I think they believe that Windows Update solves (or should solve) *all* their patching needs. I think many of the Linux distros have it right in that respect... one-stop patching pretty much for whatever you have installed from your Linux provider's distribution channel. I'd love to see Microsoft lay down the law and say this is how you must design your code to be installed and updated, and when you have a new release, push it to MSFT and we'll handle its distribution. Then they could say if you don't adhere to these rules, our OS will not execute your software. (Now that won't fly for many reasons, but I think it would do a whole lot of good for the general populace in terms of keeping patches current.)

Unfortunately, I think things have gone too far and RIA is so prevalent that we will have to live with the mess we've created and figure out how to deal with it in ways other than just outright dumping them.

-kevin

-------------
* And by that, I don't mean an invisible, crazy person.

-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."  -- Nathaniel Borenstein, co-creator of MIME

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________