Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Stephen Craig Evans
Hi Gunnar, I apologize to everybody if I have come across as being harsh. From my 8 years of experience of living in Asia and being actively involved as a developer and working with developers (at Microsoft as its first .NET Regional Developer Evangelist in 2001 to recently at Symantec as the

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Dana Epp
With all due respect, I think this is where the process of secure coding fails. I think it stems from poor education, but it's compounded by an arrogant cop-out that developers have no power. Your view is not alone. I hear it a lot. And I think it's an easy out. I agree with you that buy-in for

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread ljknews
At 9:32 PM -0800 11/25/08, Brian Chess wrote: Larry, I'm not sure I get your meaning. You say you don't think it's a dry well, but then you say programmers ignore the privilege management facilities at their disposal. I mean they ignore it until security overseers (800.53a, PCI DSS, 8500.2

[SC-L] Regional differences in software security

2008-11-26 Thread Gary McGraw
Hi Stephen (et al), I think this idea of regional differences is worth exploring a bit. In my work at Cigital I have come to believe that there is a difference in approach between the east coast of the US and the west coast. The east coast led by financial services firms in NY and Boston has

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Susan Bradley
There is a lot of USA firm coding done outside our shores. Thus the attitude you are reporting impacts the software I am buying both for my desktop as well as the upcoming cloud applications. This is the part that concerns me. As a consumer of code when it's in my possession I am then able

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Jerry Leichter
On Nov 26, 2008, at 3:05 AM, Stephen Craig Evans wrote: Hi Gunnar, I apologize to everybody if I have come across as being harsh. From my 8 years of experience of living in Asia and being actively involved as a developer and working with developers (at Microsoft as its first .NET Regional