The posts linked below are a variation of an email that I sent to 4 senior technical Microsoft employees (two from .NET Security and two from the MS Office security) before I had a lunch meeting with them last Friday (2nd March 2007).
As with all my previous meetings/lunches with Microsoft employees, it was an interesting intellectual discussion but with no tangible results or actionable actions, since they (and Microsoft) don't believe that Partial Trust Managed Code is a valid solution/approach. I also think that I need to speak with their bosses, but unfortunately their bosses are not talking to me.

- On Microsoft's lack of Partial Trust Managed Code (PTMC) focus and ideas for the future <http://blogs.owasp.org/diniscruz/2007/03/05/on-microsofts-lack-of-partial-trust-managed-code-ptmc-focus-and-ideas-for-the-future/> - In this post I start by doing a quick analysis of the current 'head in the sand' response, and defend that in order for the changes to have real impact we will need improvements in 6 areas: Technological, Political, Strategical, Economical, Social and Educational

- 'Security Awareness Modes' & the 'day Microsoft changes' <http://blogs.owasp.org/diniscruz/2007/03/05/security-awareness-modes-the-day-microsoft-changes/> - Here I introduce an interesting concept of 4 Awareness Modes which I think are good ways to describe a company's awareness of the security issues that they face. The 4 modes are: 'Blissful ignorance', 'The Patching Dance', 'The SDL Dream' and 'The Alignment'

- Roadmap to a Partial Trust Managed Code world <http://blogs.owasp.org/diniscruz/2007/03/05/roadmap-to-a-partial-trust-managed-code-world/> - Here I propose a time-line for the migration from the current 'all unmanaged/Full Trust world'

And before you shoot down these ideas (which are not short term, btw), please propose solutions for protecting our assets from malicious code executed under our (and the applications') run-time environments.
The bottom line is that currently (and it seems in the future) our main security defense mechanism is our ability to prevent malicious code from being executed in our environments (and if you think this is easy to prevent, just make a quick list of all the applications and plug-ins (containing external code) that are currently running in your desktop, server and web environments).

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org