Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-27 Thread Stephen Craig Evans
Whenever I speak with a customer or any software decision makers, I implore them, before buying another vendor's software, or hiring/contracting a 3rd party development firm, to ask a couple of simple questions: What do you do for software security?, and Can you send me some documents about your

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Stephen Craig Evans
Hi Gunnar, I apologize to everybody if I have come across as being harsh. From my 8 years of experience of living in Asia and being actively involved as a developer and working with developers (at Microsoft as its first .NET Regional Developer Evangelist in 2001 to recently at Symantec as the

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Dana Epp
With all due respect, I think this is where the process of secure coding fails. I think it stems from poor education, but its compounded by an arrogant cop out that developers have no power. Your view is not alone. I hear it a lot. And I think its an easy out. I agree with you that buy in for

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread ljknews
At 9:32 PM -0800 11/25/08, Brian Chess wrote: Larry, I'm not sure I get your meaning. You say you don't think it's a dry well, but then you say programmers ignore the privilege management facilities at their disposal. I mean they ignore it until security overseers (800.53a, PCI DSS, 8500.2

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Susan Bradley
There is a lot of USA firm coding done outside our shores. Thus the attitude you are reporting impacts the software I am buying both for my desktop as well as the upcoming cloud applications. This is the part that concerns me. As a consumer of code when it's in my possession I am then able

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Jerry Leichter
On Nov 26, 2008, at 3:05 AM, Stephen Craig Evans wrote: Hi Gunnar, I apologize to everybody if I have come across as being harsh. From my 8 years of experience of living in Asia and being actively involved as a developer and working with developers (at Microsoft as its first .NET Regional

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gary McGraw
Sadly this non-adoption of privileged/managed code (filled with blank stares) has been the case ever since the Java security days a decade ago. One of the main challenges is that developers have a hard time thinking about the principle of least privilege and its implications regarding the

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gunnar Peterson
maybe the problem with least privilege is that it requires that developers: 1. define the entire universe of subjects and objects 2. define all possible access rights 3. define all possible relationships 4. apply all settings 5. figure out how to keep 1-4 in synch all the time do all of this

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gunnar Peterson
Sorry I didn't realize developers is an offensive ivory tower in other parts of the world, in my world its a compliment. -gunnar On Nov 25, 2008, at 10:30 AM, Stephen Craig Evans wrote: HI, maybe the problem with least privilege is that it requires that developers:... IMHO, your US/UK

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Stephen Craig Evans
HI, maybe the problem with least privilege is that it requires that developers:... IMHO, your US/UK ivory towers don't exist in other parts of the world. Developers have no say in what they do. Nor, do they care about software security and why should they care? So, at least, change your

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Stephen Craig Evans
Gunnar, Developers have no power. You should be talking to the decision makers. As an example, to instill the importance of software security, I talk to decision makers: project managers, architects, CTOs (admittedly, this is a blurred line - lots of folks call themselves architects). If I go to

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Peter G. Neumann
And don't forget the Paul Karger paper from Oakland, which applies access controls to executables and effectively provides implementations for Saltzer-Schroeder's least privilege and more: @InProceedings{Karger87, Key=Karger, Author=P.A. Karger, Title=Limiting the Damage Potential of

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gary McGraw
Hi Stephen, I don't think I belong in the dog house with gunnar on this one (though if I have to share the dog house gunnar would be a decent compatriot). Please re-read my post and you will see that I gave up on the Dinis quest though I have lots of respect for what Dinis wants to

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Stephen Craig Evans
It's a real cop-out for you guys, as titans in the industry, to go after developers. I'm disappointed in both of you. And Gary, you said One of the main challenges is that developers have a hard time thinking about the principle of least privilege . Developers are NEVER asked to think about the

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Susan Bradley, CPA
Why shouldn't they be asked to think about it? Especially now. I do. I install Vista and find out how many of my apps don't like it. Go grab a copy of Luabuglight and watch Aaron Margosis' stuff. Why should I as an Admin have to care about this stuff after Developers that don't care about

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Andy Steingruebl
On Tue, Nov 25, 2008 at 9:48 AM, Gunnar Peterson [EMAIL PROTECTED]wrote: but actually the main point of my post and the one i would like to hear people's thoughts on - is to say that attempting to apply principle of least privilege in the real world often leads to drilling dry wells. i am

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Shea, Brian A
be exceptions, but large apps I'd guess this to be true). -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gunnar Peterson Sent: Tuesday, November 25, 2008 9:49 AM To: Stephen Craig Evans Cc: Secure Mailing List Subject: Re: [SC-L] Unclassified NSA document

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-24 Thread Dinis Cruz
So does this mean that the NSA is recommending .NET applications to be develop so that they can be executed in partially trusted environments? (i.e. not in full trust?) Last time I check just about everybody was developing Full Trust .NET applications (did this change in the last year?) Don't

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-24 Thread Mike Lyman
Dinis Cruz wrote: Don't get me wrong, this is a great document if one is interested in writing applications that use CAS (Code Access Security), I would love for this to be widely used. When we recommended recommending CAS during a review of the U.S. Defense Information System Agency's new