Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-27 Thread Stephen Craig Evans
Whenever I speak with a customer or any software decision makers, I implore them, before buying another vendor's software, or hiring/contracting a 3rd party development firm, to ask a couple of simple questions: "What do you do for software security?", and "Can you send me some documents about your

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Jerry Leichter
On Nov 26, 2008, at 3:05 AM, Stephen Craig Evans wrote: Hi Gunnar, I apologize to everybody if I have come across as being harsh. From my 8 years of experience of living in Asia and being actively involved as a developer and working with developers (at Microsoft as its first .NET Regional Dev

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Susan Bradley
There is a lot of USA firm coding done outside our shores. Thus the attitude you are reporting impacts the software I am buying both for my desktop as well as the upcoming cloud applications. This is the part that concerns me. As a consumer of code when it's in my possession I am then able to

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread ljknews
At 9:32 PM -0800 11/25/08, Brian Chess wrote: > Larry, I'm not sure I get your meaning. You say you don't think it's a >dry well, but then you say programmers ignore the privilege management >facilities at their disposal. I mean they ignore it until security overseers (800.53a, PCI DSS, 8500.2 e

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Stephen Craig Evans
Hi Gunnar, I apologize to everybody if I have come across as being harsh. From my 8 years of experience of living in Asia and being actively involved as a developer and working with developers (at Microsoft as its first .NET Regional Developer Evangelist in 2001 to recently at Symantec as the fi

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Dana Epp
With all due respect, I think this is where the process of secure coding fails. I think it stems from poor education, but it's compounded by an arrogant cop out that developers have no power. Your view is not alone. I hear it a lot. And I think it's an easy out. I agree with you that buy in for desi

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread ljknews
At 10:57 AM -0800 11/25/08, Andy Steingruebl wrote: > On Tue, Nov 25, 2008 at 9:48 AM, Gunnar Peterson ><[EMAIL PROTECTED]> wrote: > > > but actually the main point of my post and the one i would like to > hear people's thoughts on - is to say that attempting to apply > pr

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gunnar Peterson
stephen i spend at least half my time working directly with developers. for some reason i have not communicated as well as i should to you, what i am saying is that the job is too hard for developers *because* the security industry has let them down by sending them on a fool's errand of lea

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Shea, Brian A
Stephen Craig Evans Cc: Secure Mailing List Subject: Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security look, i am a consultant. i work in lots of different companies. lots of different projects. i don't see these distinctions in black and white. sometimes the cto and man

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Andy Steingruebl
On Tue, Nov 25, 2008 at 9:48 AM, Gunnar Peterson <[EMAIL PROTECTED]> wrote: > > but actually the main point of my post and the one i would like to > hear people's thoughts on - is to say that attempting to apply > principle of least privilege in the real world often leads to drilling > dry wells. i

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Susan Bradley, CPA
Why shouldn't they be asked to think about it? Especially now. I do. I install Vista and find out how many of my apps don't like it. Go grab a copy of Luabuglight and watch Aaron Margosis' stuff. Why should I as an Admin have to care about this stuff after Developers that don't care about

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Stephen Craig Evans
It's a real cop-out for you guys, as titans in the industry, to go after developers. I'm disappointed in both of you. And Gary, you said "One of the main challenges is that developers have a hard time thinking about the principle of least privilege ". Developers are NEVER asked to think about the

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gunnar Peterson
look, i am a consultant. i work in lots of different companies. lots of different projects. i don't see these distinctions in black and white. sometimes the cto and managers are best positioned to help companies develop more secure software, sometimes architects, sometimes auditors, and man

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gary McGraw
Hi Stephen, I don't think I belong in the dog house with gunnar on this one (though if I have to share the dog house gunnar would be a decent compatriot). Please re-read my post and you will see that I "gave up" on the Dinis quest though I have lots of respect for what Dinis wants to accomplis

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Peter G. Neumann
And don't forget the Paul Karger paper from Oakland, which applies access controls to executables and effectively provides implementations for Saltzer-Schroeder's least privilege and more: @InProceedings{Karger87, Key="Karger", Author="P.A. Karger", Title="Limiting the Damage Potential of Discre

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Stephen Craig Evans
Gunnar, Developers have no power. You should be talking to the decision makers. As an example, to instill the importance of software security, I talk to decision makers: project managers, architects, CTOs (admittedly, this is a blurred line - lots of folks call themselves architects). If I go to

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Stephen Craig Evans
Hi, "maybe the problem with least privilege is that it requires that developers:..." IMHO, your US/UK ivory towers don't exist in other parts of the world. Developers have no say in what they do. Nor do they care about software security and why should they care? So, at least, change your nomenc

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gunnar Peterson
Sorry I didn't realize "developers" is an offensive ivory tower in other parts of the world, in my world it's a compliment. -gunnar On Nov 25, 2008, at 10:30 AM, Stephen Craig Evans wrote: > Hi, > > "maybe the problem with least privilege is that it requires that > developers:..." > > IMHO, y

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gunnar Peterson
maybe the problem with least privilege is that it requires that developers: 1. define the entire universe of subjects and objects 2. define all possible access rights 3. define all possible relationships 4. apply all settings 5. figure out how to keep 1-4 in synch all the time do all of this be

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gary McGraw
Sadly this non-adoption of privileged/managed code (filled with blank stares) has been the case ever since the Java security days a decade ago. One of the main challenges is that developers have a hard time thinking about the principle of least privilege and its implications regarding the capab

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-24 Thread Mike Lyman
Dinis Cruz wrote: > Don't get me wrong, this is a great document if one is interested in > writing applications that use CAS (Code Access Security), I would love > for this to be widely used. When we recommended recommending CAS during a review of the U.S. Defense Information System Agency's new A

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-24 Thread Dinis Cruz
So does this mean that the NSA is recommending .NET applications to be developed so that they can be executed in partially trusted environments? (i.e. not in full trust?) Last time I checked just about everybody was developing Full Trust .NET applications (did this change in the last year?) Don't get