At 10:57 AM -0800 11/25/08, Andy Steingruebl wrote:
> On Tue, Nov 25, 2008 at 9:48 AM, Gunnar Peterson <[EMAIL PROTECTED]> wrote:
>
> but actually the main point of my post and the one i would like to
> hear people's thoughts on - is to say that attempting to apply
> principle of least privilege in the real world often leads to drilling
> dry wells. i am not blaming any group in particular i am saying i
> think it is in the "too hard" pile for now and we as software security
> people should not be advocating for it until or unless we can find
> cost effective ways to implement it.

Certainly it is not a dry well. For the operating system I deal with, application programmers _consistently_ ignore the facility provided for fine-grained access to files and leave users with coarse-grained access as their only recourse. Of course I am not talking about .NET 2.0, as others have not restricted their comments to that either.

--
Larry Kilgallen
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________