Would you want to add any ACL ability or attributes for Meta-Data on objects?
or would that ACL be on a different object?
-Original Message-
From: William Herrera [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 26, 2004 12:20 AM
To: [EMAIL PROTECTED]
Subject: [SC-L] ACL (access control l
FYI this is part of a notice that went out to financial institutions
recently.
Complete Financial Institution Letter:
http://www.fdic.gov/news/news/financial/2004/fil12104.html
Highlights:
Management is responsible for ensuring that commercial off-the-shelf
(COTS) software packages and vendo
Isn't the base problem residing in this essentially flawed statement:
"Widely deployed open source software is commonly believed to contain
fewer security vulnerabilities than similar closed source software due
to the possibility of unrestricted third party source code auditing."
To have fewer bu
My slogan:
Unsecured Applications = Unsecured Business
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Epstein
Sent: Monday, July 17, 2006 8:46 AM
To: Secure Coding Mailing List
Subject: Re: [SC-L] "Bumper sticker" definition of secure software
I
The right answer is both IMO. You need the thinkers, integrators, and
operators to do it right. The term Security Professional at its basic
level simply denotes someone who works to make things secure.
You can't be secure with only application security any more than you can
be secure with only f
" And answering that correctly requires input from the customer. Which
we (TINW) won't have until customers recognize a need for security and
get enough clue to know what they want to be secure against."
I can't exactly agree with this as there is a distinction (or should be
IMO) between security
IMO (IANAL) this is a position that is increasingly untenable as we move
forward, especially in the consumer markets. As a customer I do, in
fact, expect software to operate "correctly" (per features and functions
promised / contracted) but also "securely" in that it doesn't contain
bugs or insecu
IMO the path to changing the dynamics for secure coding will reside in
the market, the courts, and the capacity of the software industry to
measure and test itself and to demonstrate the desired properties of
security, quality, and suitability for purpose. In today's market we do
well in suitabili
It seems like this exchange is focused on whether bug / flaw classes can
be applied to "All" programming languages or not. Isn't the question at
hand which languages have the property "Subject to bug / flaw class XXX"
(true | false), and not whether you can find one or more class that fits
the "Al
Security is a tradeoff game between risk and cost in my experience. So
the "least privilege" question comes down to practical matters like
knowing the execution environment, knowing the requirements of the tasks
being executed, and knowing where those intersect with the ability of
the user or appl