Security is a tradeoff game between risk and cost in my experience. So
the least privilege question comes down to practical matters like
knowing the execution environment, knowing the requirements of the tasks
being executed, and knowing where those intersect with the ability of
the user or
It seems like this exchange is focused on whether bug / flaw classes can
be applied to All programming languages or not. Isn't the question at
hand which languages have the property Subject to bug / flaw class XXX
(true | false), and not whether you can find one or more class that fits
the All
IMO the path to changing the dynamics for secure coding will reside in
the market, the courts, and the capacity of the software industry to
measure and test itself and to demonstrate the desired properties of
security, quality, and suitability for purpose. In today's market we do
well in
IMO (IANAL) this is a position that is increasingly untenable as we move
forward, especially in the consumer markets. As a customer I do, in
fact, expect software to operate correctly (per features and functions
promised / contracted) but also securely in that it doesn't contain
bugs or insecure
And answering that correctly requires input from the customer. Which
we (TINW) won't have until customers recognize a need for security and
get enough clue to know what they want to be secure against.
I can't exactly agree with this as there is a distinction (or should be
IMO) between security
The right answer is both IMO. You need the thinkers, integrators, and
operators to do it right. The term Security Professional at its basic
level simply denotes someone who works to make things secure.
You can't be secure with only application security any more than you can
be secure with only
FYI this is part of a notice that went out to financial institutions
recently.
Complete Financial Institution Letter:
http://www.fdic.gov/news/news/financial/2004/fil12104.html
Highlights:
Management is responsible for ensuring that commercial off-the-shelf
(COTS) software packages and