I've always thought systrace was nifty
http://www.citi.umich.edu/u/provos/systrace/

It's on a different level than .net/java, but I don't see why
something like that couldn't be built into the CLR.

As to developers vs management, unless there is high level support for
security, developers are always going to struggle justifying time
spent on these things. They are usually under a lot of pressure to get
things out the door so the company can start making a buck.

In my experience higher levels respond to two things: customer demand
and regulators. Customers are being more vocal about security, and
regulators are slowly waking up. Regulators can be scary though. Self
regulation would be best, but it's unlikely higher ups will sign off on
self regulation because it's just going to cost them more time and
money, and the reality is most corporates do not see software security
as part of their core business.

On Wed, Nov 26, 2008 at 4:26 AM, Mark Rockman <[EMAIL PROTECTED]> wrote:
> It would be difficult to determine a priori the settings for all the access
> control lists and other security parameters that one must establish for CAS
> to work. Perhaps a software assist would work according to the following
> scenario. Run the program in the environment in which it will actually be
> used. Assume minimal permissions. Each time the program would fail due to
> violation of some permission, notate the event and plow on. Assuming this
> is repeated for every use case, the resulting reports would be a very good
> guide to how CAS settings should be established for production. Of course,
> every time the program is changed in any way, the process would have to be
> repeated.
>
> MARK ROCKMAN
> MDRSESCO LLC
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
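The "run with minimal permissions, notate each violation and plow on, then derive the settings" procedure in the quoted message is essentially a learning mode for a permission policy, the same idea as systrace's automatic policy generation. The following Python is an added example that models that procedure; it is not code from either poster and it is not the CLR's CAS machinery. The `PermissionMonitor` class, the permission strings and the three use cases are all constructed stand-ins for a real program and its runtime checks. It also shows the caveat at the end of the quoted message: a code path not exercised during learning is caught by enforcement, which is why the learning run has to be repeated after every change.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple


class PermissionDenied(Exception):
    """Raised in enforce mode when a demanded permission has not been granted."""


class PermissionMonitor:
    """Hypothetical stand-in for a runtime permission check (not CAS itself).

    Learning mode: an unmet demand is recorded and execution continues
    ("notate the event and plow on"). Enforce mode: an unmet demand raises,
    which is how a real minimal-permission run would fail.
    """

    def __init__(self, granted: Set[str], enforce: bool) -> None:
        self.granted = set(granted)
        self.enforce = enforce
        self.denials: List[Tuple[str, str]] = []  # (use case, permission)
        self.use_case = "<none>"

    def demand(self, permission: str) -> None:
        if permission in self.granted:
            return
        self.denials.append((self.use_case, permission))
        if self.enforce:
            raise PermissionDenied(permission)


# Constructed use cases standing in for the program under test. Each one
# demands the (made-up) permissions its code path would need.
def generate_report(m: PermissionMonitor) -> None:
    m.demand("FileIO:Read:config.xml")
    m.demand("Sql:Connect:reports-db")
    m.demand("FileIO:Write:report.txt")


def reload_config(m: PermissionMonitor) -> None:
    m.demand("FileIO:Read:config.xml")


def admin_install(m: PermissionMonitor) -> None:
    m.demand("Registry:Write:HKLM\\Software\\Example")
    m.demand("FileIO:Write:report.txt")


USE_CASES: Dict[str, Callable[[PermissionMonitor], None]] = {
    "generate_report": generate_report,
    "reload_config": reload_config,
    "admin_install": admin_install,
}


def learn_policy(use_cases: Dict[str, Callable[[PermissionMonitor], None]]) -> Dict[str, Set[str]]:
    """Run every use case with no permissions in learning mode.

    Returns each permission that was demanded, keyed to the use cases that
    needed it, which is the report the quoted message describes.
    """
    m = PermissionMonitor(granted=set(), enforce=False)
    for name, fn in use_cases.items():
        m.use_case = name
        fn(m)
    policy: Dict[str, Set[str]] = {}
    for name, perm in m.denials:
        policy.setdefault(perm, set()).add(name)
    return policy


def enforce(granted: Set[str], use_cases: Dict[str, Callable[[PermissionMonitor], None]]) -> Dict[str, Optional[str]]:
    """Run use cases in enforce mode with the learned grant set.

    Returns, per use case, None on success or the first permission it was
    denied, so a changed program that now needs more is caught.
    """
    results: Dict[str, Optional[str]] = {}
    for name, fn in use_cases.items():
        m = PermissionMonitor(granted=granted, enforce=True)
        m.use_case = name
        try:
            fn(m)
            results[name] = None
        except PermissionDenied as exc:
            results[name] = str(exc)
    return results


# A code path added after the policy was generated: it is not covered by the
# learned grant set, so enforcement fails and the learning run must be redone.
def export_over_network(m: PermissionMonitor) -> None:
    m.demand("FileIO:Read:report.txt")
    m.demand("Net:Connect:export-host:443")


if __name__ == "__main__":
    learned = learn_policy(USE_CASES)
    for perm in sorted(learned):
        print(f"{perm:45} needed by {sorted(learned[perm])}")
    all_cases = dict(USE_CASES, export_over_network=export_over_network)
    print(enforce(set(learned), all_cases))
```

The learned report is keyed by permission so that a reviewer can see which use cases justify each grant; grants needed only by `admin_install` (the registry write) would be candidates for a separate, narrower policy rather than the default one.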
