What, an email stating that he wants to get paid by Microsoft to do an audit, or you mean the link to a year-old email where he states that he has not looked at the 2.0 specs? Or are you referring to the reference to the default full-trust model where one can control processes running under .Net with the ever-so-slight caveat of having to be able to upload scripts to the server and have permission to run them? THOSE vulnerabilities? ;)
t

On 7/28/06 7:28 AM, "Nicolas Malbranche" <[EMAIL PROTECTED]> spoketh to all:

> I don't know what security standards the original poster is talking about
> either, but as for problems in regards to security, how about this?
> http://www.owasp.org/index.php/Microsoft%27s_%27Full_Trust_ASP.NET_in_IIS_6.0_is_Insecure_by_Design%2C_by_Default_and_in_Deployment%27_Internal_White_Paper
>
>> -----Original Message-----
>> From: Rocky [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, July 27, 2006 5:01 PM
>> To: [EMAIL PROTECTED]; [email protected]
>> Subject: RE: .Net Satisfies Security Compliance Satistactions
>> or Not ???
>>
>> Hi,
>> Well, aside from the fact that your post is obviously Anti
>> Microsoft despite your claim....
>>
>> Actually the .NET Framework is quite secure. Don't confuse
>> developers writing insecure applications with .NET to mean
>> that .NET isn't secure. SANS is known for being very selective
>> in its fact reporting, which most places are so I'm not
>> singling them out.
>>
>> Can you give any specific examples of where .NET itself is not
>> adhering to the standards you mentioned so we can address them?
>>
>> .NET actually enables less experienced developers to write far
>> more secure code than if they were writing in pure C++. It
>> offers experienced developers a way to write powerful and
>> secure applications with far less code than it would take to
>> write the equivalent secure code in C/C++ and in some cases Java.
>>
>> I think perhaps you may have been misled, although I am very
>> curious to see what standards .NET is reportedly not up to
>> scratch with. I'm pretty familiar with a lot of them. The few
>> that do exist aren't standards but guidelines. I happen to
>> know that Microsoft is working with several other
>> organizations to create some secure coding standards as well.
>>
>> RH
