Dinis Cruz wrote: <snip>
> After my explanations in this email do you still think that this is
> correct? Or can you accept now that it is possible to build a Sandboxed
> environment that is able to protect against the majority of the serious
> security issues that affect web apps today?
>
> If you do accept that it is possible to build such sandboxes, then we
> need to move to the next interesting discussion, which is the 'HOW'
>
> Namely, HOW can an environment be created where the development and
> deployment of such Sandboxes makes business sense.
>

Hola Dinis,

The <snip>ped part of your message was one of the best, most concise discussions of sandboxes and their potential I have ever seen. It has stimulated a lot of thinking on my part . . . sandboxes and their role in systems architecture just haven't been on my radar screen. It is obvious that you have spent serious time and thought on the subject. I'm thinking that I could count on my two hands the number of people who have given sandboxing the amount of thought and effort you have.

If, along the way, you have made any notes or captured your thoughts in any way, it would be of great benefit to the community if you were to share them with us. I say this because I'm not a dumb guy, and, after spending a /*lot*/ of time thinking about what you're saying, I can begin to appreciate your approach. There are many people (especially pointy-haired managers) who are not going to sit up until midnight with a glass of wine reading and rereading your comments until they kinda, sorta, get an idea of your vision.

I think that it is important that the community understand your framework and think about it when they're coding. If you were to write a "Sandboxes for Dummies," I would make it required reading for all Java and .Net (and for that matter, all other) programmers. You're /*way*/ ahead of the crowd here.

My $0.02.

Best regards,

George Capehart

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php