Sadly this non-adoption of privileged/managed code (filled with blank stares)
has been the case ever since the Java security days a decade ago. One of the
main challenges is that developers have a hard time thinking about the
principle of least privilege and its implications regarding the
maybe the problem with least privilege is that it requires that
developers:
1. define the entire universe of subjects and objects
2. define all possible access rights
3. define all possible relationships
4. apply all settings
5. figure out how to keep 1-4 in synch all the time
do all of this
Sorry I didn't realize developers is an offensive ivory tower in
other parts of the world, in my world it's a compliment.
-gunnar
On Nov 25, 2008, at 10:30 AM, Stephen Craig Evans wrote:
Hi,
maybe the problem with least privilege is that it requires that
developers:...
IMHO, your US/UK
Hi,
maybe the problem with least privilege is that it requires that developers:...
IMHO, your US/UK ivory towers don't exist in other parts of the world.
Developers have no say in what they do. Nor do they care about
software security, and why should they care?
So, at least, change your
Gunnar,
Developers have no power. You should be talking to the decision makers.
As an example, to instill the importance of software security, I talk
to decision makers: project managers, architects, CTOs (admittedly,
this is a blurred line - lots of folks call themselves architects). If
I go to
Greetings SC-L,
I've been asked to allow a job posting here on SC-L. It certainly
doesn't violate anything I've written in the group's charter
(http://www.securecoding.org/list/charter.php), but then again, we've
generally not used SC-L for job listings.
And then again++, with the
And don't forget the Paul Karger paper from Oakland, which applies access
controls to executables and effectively provides implementations for
Saltzer-Schroeder's least privilege and more:
@InProceedings{Karger87,
Key=Karger, Author=P.A. Karger,
Title=Limiting the Damage Potential of
Hi Stephen,
I don't think I belong in the dog house with gunnar on this one (though if I
have to share the dog house gunnar would be a decent compatriot). Please
re-read my post and you will see that I gave up on the Dinis quest though I
have lots of respect for what Dinis wants to
It's a real cop-out for you guys, as titans in the industry, to go
after developers. I'm disappointed in both of you. And Gary, you said
One of the main challenges is that developers have a hard time
thinking about the principle of least privilege.
Developers are NEVER asked to think about the
Hi all!
I agree with Gunnar on this one.
2008-11-25 18.00, Gunnar Peterson wrote:
maybe the problem with least privilege is that it requires that
developers:
1. define the entire universe of subjects and objects
2. define all possible access rights
3. define all possible relationships
On Tue, 25 Nov 2008, Mark Rockman wrote:
Assuming this is repeated for every use case, the resulting
reports would be a very good guide to how CAS settings should be
established for production. Of course, every time the program is changed
in any way, the process would have to be repeated.
DREAM
It seems we've come full circle, because what you are describing is managed
code (or privileged code depending on your Java vs .NET vocabulary). In full
on managed code, the code describes what it needs and the machine decides
whether that coheres with local policy.
/DREAM
gem
At 12:26 PM -0500 11/25/08, Mark Rockman wrote:
It would be difficult to determine a priori the settings for all the access
control lists and other security parameters that one must establish for
CAS to work. Perhaps a software assist would work according to the
following scenario. Run the program
Aaron Margosis' Non-Admin WebLog : LUA Buglight 2.0, second preview:
http://blogs.msdn.com/aaron_margosis/archive/2008/11/06/lua-buglight-2-0-second-preview.aspx
Mark Rockman wrote:
It would be difficult to determine /a priori/ the settings for all the
access control lists and other security
Has anyone had experience using Sword4J to determine permissions?
http://www.alphaworks.ibm.com/tech/sword4j
From the site: The Authorization Analysis functionality determines
which authorizations are needed in order to run Java code when a
SecurityManager is enabled. The Privilege Code Analysis
Why shouldn't they be asked to think about it? Especially now.
I do. I install Vista and find out how many of my apps don't like it.
Go grab a copy of LUA Buglight and watch Aaron Margosis' stuff. Why
should I as an Admin have to care about this stuff after Developers
that don't care about
On Tue, Nov 25, 2008 at 9:48 AM, Gunnar Peterson [EMAIL PROTECTED] wrote:
but actually the main point of my post and the one i would like to
hear people's thoughts on - is to say that attempting to apply
principle of least privilege in the real world often leads to drilling
dry wells. i am
Security is a tradeoff game between risk and cost in my experience. So
the least privilege question comes down to practical matters like
knowing the execution environment, knowing the requirements of the tasks
being executed, and knowing where those intersect with the ability of
the user or