Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Susan Bradley, CPA
Why shouldn't they be asked to think about it?  Especially now.

I do.  I install Vista and find out how many of my apps don't like it.  
Go grab a copy of LUA Buglight and watch Aaron Margosis' stuff.  Why 
should I as an Admin have to care about this stuff after developers 
that don't care about it code software?

Okay yeah so the management has to have the religion of it but if 
developers at their core do not care then IMHO I as a consumer of code 
need to ensure that they do.  You can't add it on afterwards, so if the 
developers doing the coding do not care because ultimately management 
does not, we still have a fundamental problem in the software industry.

Dana Epp's ramblings at the Sanctuary: Introduction to Microsoft's SDL 
Threat Modeling Tool:

He's a developer and he cares.  And he definitely cares about least priv 
and ensuring that his code doesn't ask for anything that it shouldn't.

Stephen Craig Evans wrote:
> It's a real cop-out for you guys, as titans in the industry, to go
> after developers. I'm disappointed in both of you. And Gary, you said
> "One of the main challenges is that developers have a hard time
> thinking about the principle of least privilege".
> Developers are NEVER asked to think about the principle of least
> privilege. Or your world of software security must be very very very
> different from mine (and I think my world at least equals yours but
> by about 2 billion people more, which might be irrelevant now but a
> little more relevant in the future :-)
> With the greatest, deepest respect to both of you,
> Stephen
> On Wed, Nov 26, 2008 at 1:01 AM, Stephen Craig Evans
> <[EMAIL PROTECTED]> wrote:
>> Gunnar,
>> Developers have no power. You should be talking to the decision makers.
>> As an example, to instill the importance of software security, I talk
>> to decision makers: project managers, architects, CTOs (admittedly,
>> this is a blurred line - lots of folks call themselves architects). If
>> I go to talk about software security to developers, I know from
>> experience that I am probably wasting my time. Even if they do care,
>> they have no effect overall.
>> Your target and blame is wrong; that's all that I am saying.
>> Stephen
>> On Wed, Nov 26, 2008 at 12:48 AM, Gunnar Peterson
>> <[EMAIL PROTECTED]> wrote:
>>> Sorry I didn't realize "developers" is an offensive ivory tower in other
>>> parts of the world, in my world it's a compliment.
>>> -gunnar
>>> On Nov 25, 2008, at 10:30 AM, Stephen Craig Evans wrote:

 IMHO, your US/UK ivory towers don't exist in other parts of the world.
 Developers have no say in what they do. Nor do they care about
 software security, and why should they care?

 So, at least, change your nomenclature and not say "developers". It
 offends me because you are putting the onus of knowing about software
 security on the wrong people.


 On Tue, Nov 25, 2008 at 10:18 PM, Gunnar Peterson
> maybe the problem with least privilege is that it requires that
> developers:
> 1. define the entire universe of subjects and objects
> 2. define all possible access rights
> 3. define all possible relationships
> 4. apply all settings
> 5. figure out how to keep 1-4 in synch all the time
> do all of this before you start writing code and oh and there are
> basically no tools that smooth the adoption of the above.
> i don't think us software security people are helping anybody out in
> 2008 by doing ritual incantations of a paper from the mid 70s that may
> or may not apply to modern computing and anyhow is riddled with ideas
> that have never been implemented in any large scale systems
> compare these two statements
> Statement 1. Saltzer and Schroeder:
> "f) Least privilege: Every program and every user of the system should
> operate using the least set of privileges necessary to complete the
> job. Primarily, this principle limits the damage that can result from
> an accident or error. It also reduces the number of potential
> interactions among privileged programs to the minimum for correct
> operation, so that unintentional, unwanted, or improper uses of
> privilege are less likely to occur. Thus, if a question arises related
> to misuse of a privilege, the number of programs that must be audited
> is minimized. Put another way, if a mechanism can provide "firewalls,"
> the principle of least privilege provides a rationale for where to
> install the firewalls. The military security rule of "need-to-know" is
> an example of this principle."
> Statement 2. David Gelernter's Manif

Re: [SC-L] Software Assist to Find Least Privilege

2008-11-25 Thread Susan Bradley, CPA
Aaron Margosis' "Non-Admin" WebLog : LUA Buglight 2.0, second preview:

Mark Rockman wrote:
> It would be difficult to determine /a priori/ the settings for all the 
> access control lists and other security parameters that one must 
> establish for CAS to work.  Perhaps a software assist would work 
> according to the following scenario.  Run the program in the 
> environment in which it will actually be used.  Assume minimal 
> permissions.  Each time the program would fail due to violation of 
> some permission, notate the event and plow on.  Assuming this is 
> repeated for every use case, the resulting reports would be a very 
> good guide to how CAS settings should be established for production.  
> Of course, every time the program is changed in any way, the process 
> would have to be repeated.
> ___
> Secure Coding mailing list (SC-L)
> List information, subscriptions, etc -
> List charter available at -
> SC-L is hosted and moderated by KRvW Associates, LLC (
> as a free, non-commercial service to the software security community.
> ___
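The discovery loop Mark sketches above, written out as an added example.  This is not code from the post and it is not .NET CAS: it is a hypothetical permission model simulated in Python, with a constructed workload, constructed use cases ("startup", "report", "admin") and made-up resource names, so that the loop (deny everything, record each violation, plow on, turn the record into a policy) can be run end to end.  It also shows the two caveats in the post: a use case that was never exercised leaves a hole in the policy, and any change to the program invalidates it.

```python
import hashlib
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised in enforce mode when the program asks for something not granted."""


@dataclass
class Sandbox:
    """Toy permission monitor (hypothetical; stands in for CAS or an OS ACL check).
    Discover mode: record the denial and let the program plow on.
    Enforce mode: the denial is fatal, as it would be in production."""
    granted: frozenset = frozenset()
    discover: bool = False
    violations: list = field(default_factory=list)

    def check(self, kind, target):
        perm = (kind, target)
        if perm in self.granted:
            return True
        if self.discover:
            self.violations.append(perm)   # notate the event and plow on
            return False
        raise PermissionDenied(perm)


def workload(sb, use_case):
    """Constructed stand-in for the program under test.  Each use case touches a
    different set of resources, so discovery has to cover every use case."""
    sb.check("file.read", "/etc/app.conf")        # every run reads its config
    sb.check("file.write", "/var/log/app.log")
    if use_case == "report":
        sb.check("file.read", "/data/sales.csv")
        sb.check("net.connect", "db.internal:5432")
    elif use_case == "admin":
        sb.check("file.write", "/etc/app.conf")   # only admins rewrite config
    return True


def workload_v2(sb, use_case):
    """The same constructed program after a change: it now also ships metrics."""
    workload(sb, use_case)
    sb.check("net.connect", "metrics.internal:9090")
    return True


def program_version(func):
    """Fingerprint of the code a policy was derived from (bytecode plus constants,
    so changing a path string counts as a change too)."""
    code = func.__code__
    return hashlib.sha256(code.co_code + repr(code.co_consts).encode()).hexdigest()


def discover_policy(func, use_cases):
    """Run every use case with no privileges at all, collect what was denied,
    and return the union as the least-privilege policy, tagged with the
    program version it was derived from."""
    per_case = {}
    required = set()
    for uc in use_cases:
        sb = Sandbox(granted=frozenset(), discover=True)
        func(sb, uc)
        per_case[uc] = list(sb.violations)
        required.update(sb.violations)
    return {"version": program_version(func),
            "grants": frozenset(required),
            "per_case": per_case}


def run_enforced(func, policy, use_case):
    """Production run: the derived policy is all the program gets."""
    func(Sandbox(granted=policy["grants"], discover=False), use_case)
    return True


def denied_permission(func, policy, use_case):
    """First permission the policy lacks for this use case, or None if it runs clean."""
    try:
        run_enforced(func, policy, use_case)
    except PermissionDenied as exc:
        return exc.args[0]
    return None


def policy_is_stale(func, policy):
    """Any change to the program invalidates the policy; discovery must be rerun."""
    return program_version(func) != policy["version"]


if __name__ == "__main__":
    policy = discover_policy(workload, ["startup", "report", "admin"])
    for uc, perms in policy["per_case"].items():
        print(f"{uc}: {sorted(perms)}")
    partial = discover_policy(workload, ["startup", "report"])
    print("admin under a policy that never saw the admin use case:",
          denied_permission(workload, partial, "admin"))
    print("policy stale for v2:", policy_is_stale(workload_v2, policy))
```

The per-use-case report is the useful artifact: it tells you which grant exists for which code path, which is what you need when a reviewer asks why the policy includes a write to the config file.  The version tag is the cheap way to enforce the "repeat after every change" rule in a build step rather than by memory.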

Re: [SC-L] Microsoft's message at RSA

2008-05-05 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

And if you want to listen to it, there it is as well.

Gunnar Peterson wrote:
> Hi Gary,
> I think they are doing it, Cardspace is the key enabling technology to 
> making it happen. Given how many enterprises are federation-enabled (and 
> how simply the rest can be), the biggest missing piece right now is that 
> we need an Identity Provider for the Internets.
> Of course this only helps to solve the access control problem, not the 
> defensive programming problem, you can still shoot yourself in the foot 
> with SAML and WS-* (Brian Chess and I gave a talk on this at RSA). But 
> at least it will be nice to have the banks and brokerage houses stop 
> having people type their username and passwords into web browsers, and 
> then blaming the consumer when things go amiss.
> -gp
> Gary McGraw wrote:
>> hi sc-l,
>> Here's an article about Mundie's keynote at RSA.  It's worth a read from a 
>> software security perspective.  Somehow I ended up playing the foil in this 
>> article...go figure.
>> So what do you guys think?  Is this end-to-end trusted computing stuff going 
>> to fly with developers?
>> gem
>> company
>> podcast
>> blog
>> book

Re: [SC-L] Software security != security software

2006-12-12 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
"The problem is that security software vendors including Symantec and 
McAfee have used the very same techniques for years in the name of good. 
Antivirus software and personal firewall software pulls all sorts of 
fancy kernel-interpositioning kung fu."

...and for every good, there is also a bad: 

"The reason we need security software like antivirus tools and personal 
firewalls is that OSes have traditionally suffered from all kinds of 
security problems (both bugs and flaws)."
Hmmm, let's see... lately we've had these bugs, and these, and these, 
and these ones, and these, and... well, you get the idea that it's not 
just OSes that have security flaws; sometimes it's the very things we 
buy to make us secure that have their own issues.

"Microsoft may be too responsible to manipulate its security defect 
density intentionally in order to create demand for its security 
software, but the fact that this is even possible is a great worry. This 
is like allowing the fox to design and build the henhouse, not just 
guard it."

Microsoft "rogue" developer says in development meeting of Forefront 
products:  "Say... I think I'm going to manipulate security defects just 
'cause I want to drive more sales of Forefront products...yeah that's 
the ticket... "

Okay so with tinfoil in place... that's going to need a "Security Defect 
Density Product Manager" (Microsoft doesn't do anything without a PM or 
two, you know), at least an entire WagEd (Waggoner Edstrom [however you 
spell that]) marketing division to do a 'spin' and marketing blitz on how 
Forefront needs to be the software of choice... numerous conference 
calls and committee meetings, not to mention a User Interface testing 
... etc etc...

You know this reminds me of when my Dad would respond to the folks that 
said that the Government did "fill in the blank" such as kill Kennedy, 
pretend to go to the moon but really did not, and other assorted odds 
and ends.

1.  From the outside it appears that they are not that well organized to 
pull something like this off (it took them 5 years to get Vista out the 
door)... do you honestly think that Microsoft can selectively code a 
"security defect density" without causing some other issue?  That the 
Forefront team gets together with the Vista team at the watercooler and 
swaps and coordinates places to put defects in?

2.  Do you honestly think there wouldn't be some honest whistle blower 
somewhere that wouldn't be on the Fox News Channel or Oprah in a heartbeat?

Is this possible?  When our own government put forth evidence of 
"weapons of mass destruction" and later it comes out there wasn't 
any...that showcases that people talk and the truth gets out. Maybe I 
just grew up too much in the era of Watergate and believe too strongly 
in the power of free speech... but it's a little hard for me to think 
that someone like MiniMicrosoft wouldn't be screaming their head off if 
someone in Microsoft even thought of such a thing. 

Someone would blog.  Trust me on that one.

Quite frankly, I've been burned a few times with those antivirus 
companies that have guarded my henhouse and have flagged things as 
viruses they shouldn't, and have brought my network to its knees.  So 
even when they were protecting me, I've lost confidence in them too.

Right now my biggest concern is that we still aren't caring enough about 
software security at all.

Susan... who's convinced that the bad guys have gotten over these petty 
turf wars a long time ago and are way more cooperating/coordinating than 
the good guys are.

Gary McGraw wrote:
> Hi all,
> The furor over Microsoft's entry into the security software business is
> confusing some people about their software security designs.   Or maybe
> people who know better are trying to confuse the market??!  Note word
> order.
> I wrote about this in my latest darkreading column that you can find
> here:
> gem
> company
> podcast
> book 