Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gary McGraw
Sadly this non-adoption of privileged/managed code (filled with blank stares) has been the case ever since the Java security days a decade ago. One of the main challenges is that developers have a hard time thinking about the principle of least privilege and its implications regarding the capab

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gunnar Peterson
maybe the problem with least privilege is that it requires that developers: 1. define the entire universe of subjects and objects 2. define all possible access rights 3. define all possible relationships 4. apply all settings 5. figure out how to keep 1-4 in synch all the time do all of this be

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gunnar Peterson
Sorry I didn't realize "developers" is an offensive ivory tower in other parts of the world, in my world it's a compliment. -gunnar On Nov 25, 2008, at 10:30 AM, Stephen Craig Evans wrote: > HI, > > "maybe the problem with least privilege is that it requires that > developers:..." > > IMHO, y

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Stephen Craig Evans
HI, "maybe the problem with least privilege is that it requires that developers:..." IMHO, your US/UK ivory towers don't exist in other parts of the world. Developers have no say in what they do. Nor do they care about software security and why should they care? So, at least, change your nomenc

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Stephen Craig Evans
Gunnar, Developers have no power. You should be talking to the decision makers. As an example, to instill the importance of software security, I talk to decision makers: project managers, architects, CTOs (admittedly, this is a blurred line - lots of folks call themselves architects). If I go to

[SC-L] Opportunity at DTCC

2008-11-25 Thread Kenneth Van Wyk
Greetings SC-L, I've been asked to allow a job posting here on SC-L. It certainly doesn't violate anything I've written in the group's charter (http://www.securecoding.org/list/charter.php ), but then again, we've generally not used SC-L for job listings. And then again++, with the economy

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Peter G. Neumann
And don't forget the Paul Karger paper from Oakland, which applies access controls to executables and effectively provides implementations for Saltzer-Schroeder's least privilege and more: @InProceedings{Karger87, Key="Karger", Author="P.A. Karger", Title="Limiting the Damage Potential of Discre

[SC-L] Software Assist to Find Least Privilege

2008-11-25 Thread Mark Rockman
It would be difficult to determine a priori the settings for all the access control lists and other security parameters that one must establish for CAS to work. Perhaps a software assist would work according to the following scenario. Run the program in the environment in which it will actually be u

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gary McGraw
Hi Stephen, I don't think I belong in the dog house with gunnar on this one (though if I have to share the dog house gunnar would be a decent compatriot). Please re-read my post and you will see that I "gave up" on the Dinis quest though I have lots of respect for what Dinis wants to accomplis

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gunnar Peterson
look, i am a consultant. i work in lots of different companies. lots of different projects. i don't see these distinctions in black and white. sometimes the cto and managers are best positioned to help companies develop more secure software, sometimes architects, sometimes auditors, and man

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Stephen Craig Evans
It's a real cop-out for you guys, as titans in the industry, to go after developers. I'm disappointed in both of you. And Gary, you said "One of the main challenges is that developers have a hard time thinking about the principle of least privilege ". Developers are NEVER asked to think about the

[SC-L] The problem with (Java's) Security Policy (Was: Unclassified NSA document on .NET 2.0 Framework Security)

2008-11-25 Thread John Wilander
Hi all! I agree with Gunnar on this one. 2008-11-25 18.00, Gunnar Peterson wrote: > maybe the problem with least privilege is that it requires that > developers: > > 1. define the entire universe of subjects and objects > 2. define all possible access rights > 3. define all possible relationshi

Re: [SC-L] Software Assist to Find Least Privilege

2008-11-25 Thread Steven M. Christey
On Tue, 25 Nov 2008, Mark Rockman wrote: > Assuming this is repeated for every use case, the resulting > reports would be a very good guide to how CAS settings should be > established for production. Of course, every time the program is changed > in any way, the process would have to be repeated.

Re: [SC-L] Software Assist to Find Least Privilege

2008-11-25 Thread Gary McGraw
It seems we've come full circle, because what you are describing is managed code (or privileged code depending on your Java vs .NET vocabulary). In full on managed code, the code describes what it needs and the machine decides whether that coheres with local policy. gem company www.cigita

Re: [SC-L] Software Assist to Find Least Privilege

2008-11-25 Thread ljknews
At 12:26 PM -0500 11/25/08, Mark Rockman wrote: > It be difficult to determine a priori the settings for all the access > control lists and other security parameters that one must establish for > CAS to work. Perhaps a software assist would work according to the > following scenario. Run the progra

Re: [SC-L] Software Assist to Find Least Privilege

2008-11-25 Thread Susan Bradley, CPA
Aaron Margosis' "Non-Admin" WebLog : LUA Buglight 2.0, second preview: http://blogs.msdn.com/aaron_margosis/archive/2008/11/06/lua-buglight-2-0-second-preview.aspx Mark Rockman wrote: > It be difficult to determine /a priori/ the settings for all the > access control lists and other security pa

Re: [SC-L] The problem with (Java's) Security Policy (Was: Unclassified NSA document on .NET 2.0 Framework Security)

2008-11-25 Thread Rohit Lists
Has anyone had experience using Sword4J to determine permissions? http://www.alphaworks.ibm.com/tech/sword4j From the site: "The Authorization Analysis functionality determines which authorizations are needed in order to run Java code when a SecurityManager is enabled. The Privilege Code Analysis

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Susan Bradley, CPA
Why shouldn't they be asked to think about it? Especially now. I do. I install Vista and find out how many of my apps don't like it. Go grab a copy of Luabuglight and watch Aaron Margosis' stuff. Why should I as an Admin have to care about this stuff after Developers that don't care about

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Andy Steingruebl
On Tue, Nov 25, 2008 at 9:48 AM, Gunnar Peterson <[EMAIL PROTECTED]> wrote: > > but actually the main point of my post and the one i would like to > hear people's thoughts on - is to say that attempting to apply > principle of least privilege in the real world often leads to drilling > dry wells. i

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Shea, Brian A
Security is a tradeoff game between risk and cost in my experience. So the "least privilege" question comes down to practical matters like knowing the execution environment, knowing the requirements of the tasks being executed, and knowing where those intersect with the ability of the user or appl

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gunnar Peterson
stephen i spend at least half my time working directly with developers. for some reason i have not communicated as well as i should to you, what i am saying is that the job is too hard for developers *because* the security industry has let them down by sending them on a fool's errand of lea

Re: [SC-L] Software Assist to Find Least Privilege

2008-11-25 Thread Pete Werner
I've always thought systrace was nifty http://www.citi.umich.edu/u/provos/systrace/ It's on a different level than .net/java, but I don't see why something like that couldn't be built into the CLR. As to developers vs management, unless there is high level support for security, developers are al

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread ljknews
At 10:57 AM -0800 11/25/08, Andy Steingruebl wrote: > On Tue, Nov 25, 2008 at 9:48 AM, Gunnar Peterson > <[EMAIL PROTECTED]> wrote: > > > but actually the main point of my post and the one i would like to > hear people's thoughts on - is to say that attempting to apply > pr