Secure Coding mailing list archives
Re: [WEB SECURITY] On sandboxes, and why you should care
From: gwc at acm.org (George Capehart)
Date: Thu, 25 May 2006 22:08:01 -0400
Dinis Cruz wrote:
<snip>
> After my explanations in this email do you still think that this is correct? Or can you accept now that it is possible to build a Sandboxed environment that is able to protect against the majority of the serious security issues that affect web apps today? If you do accept that it is possible to build such sandboxes, then we need to move to the next interesting discussion, which is the 'HOW'. Namely, HOW can an environment be created where the development and deployment of such Sandboxes makes business sense?
Hola Dinis,

The <snip>ped part of your message was one of the best, most concise discussions of sandboxes and their potential I have ever seen. It has stimulated a lot of thinking on my part . . . sandboxes and their role in systems architecture just haven't been on my radar screen. It is obvious that you have spent serious time and thought on the subject. I'm thinking that I could count on my two hands the number of people who have given sandboxing the amount of thought and effort you have. If, along the way, you have made any notes or captured your thoughts in any way, it would be of great benefit to the community if you were to share them with us.

I say this because I'm not a dumb guy, and, after spending a /*lot*/ of time thinking about what you're saying, I can begin to appreciate your approach. There are many people (especially pointy-haired managers) who are not going to sit up until midnight with a glass of wine reading and rereading your comments until they kinda, sorta, get an idea of your vision. I think that it is important that the community understand your framework and think about it when they're coding. If you were to write a "Sandboxes for Dummies," I would make it required reading for all Java and .Net (and for that matter, all other) programmers. You're /*way*/ ahead of the crowd here.

My $0.02.

Best regards,
George Capehart