Whenever I speak with a customer or any software decision makers, I
implore them, before buying another vendor's software, or
hiring/contracting a 3rd party development firm, to ask a couple of
simple questions: What do you do for software security?, and Can
you send me some documents about your
Hi Gunnar,
I apologize to everybody if I have come across as being harsh.
From my 8 years of experience of living in Asia and being actively
involved as a developer and working with developers (at Microsoft as
its first .NET Regional Developer Evangelist in 2001 to recently at
Symantec as the
With all due respect, I think this is where the process of secure coding
fails. I think it stems from poor education, but it's compounded by an
arrogant cop out that developers have no power. Your view is not alone. I
hear it a lot. And I think it's an easy out.
I agree with you that buy in for
At 9:32 PM -0800 11/25/08, Brian Chess wrote:
Larry, I'm not sure I get your meaning. You say you don't think it's a
dry well, but then you say programmers ignore the privilege management
facilities at their disposal.
I mean they ignore it until security overseers (800.53a, PCI DSS,
8500.2
There is a lot of USA firm coding done outside our shores. Thus the
attitude you are reporting impacts the software I am buying both for my
desktop as well as the upcoming cloud applications.
This is the part that concerns me. As a consumer of code when it's in
my possession I am then able
On Nov 26, 2008, at 3:05 AM, Stephen Craig Evans wrote:
Hi Gunnar,
I apologize to everybody if I have come across as being harsh.
From my 8 years of experience of living in Asia and being actively
involved as a developer and working with developers (at Microsoft as
its first .NET Regional
Sadly this non-adoption of privileged/managed code (filled with blank stares)
has been the case ever since the Java security days a decade ago. One of the
main challenges is that developers have a hard time thinking about the
principle of least privilege and its implications regarding the
maybe the problem with least privilege is that it requires that
developers:
1. define the entire universe of subjects and objects
2. define all possible access rights
3. define all possible relationships
4. apply all settings
5. figure out how to keep 1-4 in synch all the time
do all of this
Sorry I didn't realize developers is an offensive ivory tower in
other parts of the world, in my world it's a compliment.
-gunnar
On Nov 25, 2008, at 10:30 AM, Stephen Craig Evans wrote:
Hi,
maybe the problem with least privilege is that it requires that
developers:...
IMHO, your US/UK
Hi,
maybe the problem with least privilege is that it requires that developers:...
IMHO, your US/UK ivory towers don't exist in other parts of the world.
Developers have no say in what they do. Nor, do they care about
software security and why should they care?
So, at least, change your
Gunnar,
Developers have no power. You should be talking to the decision makers.
As an example, to instill the importance of software security, I talk
to decision makers: project managers, architects, CTOs (admittedly,
this is a blurred line - lots of folks call themselves architects). If
I go to
And don't forget the Paul Karger paper from Oakland, which applies access
controls to executables and effectively provides implementations for
Saltzer-Schroeder's least privilege and more:
@InProceedings{Karger87,
Key=Karger, Author=P.A. Karger,
Title=Limiting the Damage Potential of
Hi Stephen,
I don't think I belong in the dog house with gunnar on this one (though if I
have to share the dog house gunnar would be a decent compatriot). Please
re-read my post and you will see that I gave up on the Dinis quest though I
have lots of respect for what Dinis wants to
It's a real cop-out for you guys, as titans in the industry, to go
after developers. I'm disappointed in both of you. And Gary, you said
One of the main challenges is that developers have a hard time
thinking about the principle of least privilege.
Developers are NEVER asked to think about the
Why shouldn't they be asked to think about it? Especially now.
I do. I install Vista and find out how many of my apps don't like it.
Go grab a copy of Luabuglight and watch Aaron Margosis' stuff. Why
should I as an Admin have to care about this stuff after Developers
that don't care about
On Tue, Nov 25, 2008 at 9:48 AM, Gunnar Peterson [EMAIL PROTECTED] wrote:
but actually the main point of my post and the one i would like to
hear people's thoughts on - is to say that attempting to apply
principle of least privilege in the real world often leads to drilling
dry wells. i am
be exceptions, but large apps I'd guess this
to be true).
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gunnar Peterson
Sent: Tuesday, November 25, 2008 9:49 AM
To: Stephen Craig Evans
Cc: Secure Mailing List
Subject: Re: [SC-L] Unclassified NSA document
So does this mean that the NSA is recommending .NET applications to be
developed so that they can be executed in partially trusted environments?
(i.e. not in full trust?)
Last time I checked just about everybody was developing Full Trust .NET
applications (did this change in the last year?)
Don't
Dinis Cruz wrote:
Don't get me wrong, this is a great document if one is interested in
writing applications that use CAS (Code Access Security), I would love
for this to be widely used.
When we recommended recommending CAS during a review of the U.S. Defense
Information System Agency's new
All,
The NSA has just unclassified a 300-page document about .NET 2.0 security
http://www.nsa.gov/snac/app/I731-008R-2006.pdf
I think it can be an interesting resource,
--Romain
Romain Gaucher
Security Consultant
Cigital, http://www.cigital.com
Software Confidence. Achieved.