Re: [WEB SECURITY] On sandboxes, and why you should care

[gwc at acm.org (George Capehart)]

Dinis Cruz wrote:

<snip>

> After my explanations in this email do you still think that this is
> correct? Or can you accept now that it is possible to build a Sandboxed
> environment that is able to protect against the majority of the serious
> security issues that affect web apps today?
>
> If you do accept that it is possible to build such sandboxes, then we
> need to move to the next interesting discussion, which is the 'HOW'
>
> Namely, HOW can an environment be created where the development and
> deployment of such Sandboxes makes business sense.

Hola Dinis,

The <snip>ped part of your message was one of the best, most concise
discussions of sandboxes and their potential I have ever seen.  It has
stimulated a lot of thinking on my part . . . sandboxes and their role
in systems architecture just haven't been on my radar screen.  It is
obvious that you have spent serious time and thought on the subject.
I'm thinking that I could count on my two hands the number of people who
have given sandboxing the amount of thought and effort you have.  If,
along the way, you have made any notes or captured your thoughts in any
way, it would be of great benefit to the community if you were to share
them with us.  I say this because I'm not a dumb guy, and, after
spending a /*lot*/ of time thinking about what you're saying, I can
begin to appreciate your approach.  There are many people (especially
pointy-haired managers) who are not going to sit up until midnight with
a glass of wine reading and rereading your comments until they kinda,
sorta, get an idea of your vision.  I think that it is important that
the community understand your framework and think about it when they're
coding.  If you were to write a "Sandboxes for Dummies," I would make it
required reading for all Java and .Net (and for that matter, all other)
programmers.

You're /*way*/ ahead of the crowd here.

My $0.02.

Best regards,

George Capehart