Secure Coding mailing list archives
Unclassified NSA document on .NET 2.0 Framework Security
From: gem at cigital.com (Gary McGraw)
Date: Mon, 24 Nov 2008 17:34:18 -0500
Sadly this non-adoption of privileged/managed code (filled with blank stares) has been the case ever since the Java security days a decade ago. One of the main challenges is that developers have a hard time thinking about the principle of least privilege and its implications regarding the capabilities they should request. Dinis is brave to set such thinking as a target. I've settled (after ten years) with getting developers just to utter the word "security." All together now..."security".

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

On 11/24/08 12:31 PM, "Mike Lyman" <mlyman-cissp at comcast.net> wrote:

> Dinis Cruz wrote:
>> Don't get me wrong, this is a great document if one is interested in writing applications that use CAS (Code Access Security). I would love for this to be widely used.
>
> When we recommended CAS during a review of the U.S. Defense Information System Agency's new Application Security and Development Security Technical Implementation Guide earlier this year we were met with what amounted to blank stares. (At least it seemed like that since it was a phone conference.) Some on the call understood it and agreed with the recommendation but those hosting the call and doing the writing didn't seem to grasp it. It may be a while before we see too many adopting this or requiring it for a while.
>
> --
> Mike Lyman
> mlyman at west-point.org
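As an added illustration, not taken from any message in this thread or from the NSA document, here is what "requesting only the capabilities you need" looks like in .NET 2.0 CAS: assembly-level permission requests that declare a minimum, refuse what the code must never hold, and a method that narrows its own grant at runtime. The assembly, paths and file names are hypothetical.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Hypothetical assembly: a report generator that only needs to read its
// own config directory and write to one output directory.

// RequestMinimum: refuse to load at all unless at least this much is granted,
// so a partial-trust failure surfaces at load time, not deep inside a call.
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"C:\app\config")]
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Write = @"C:\app\out")]

// RequestOptional with the empty "Nothing" set: take nothing beyond the
// minimum, even where policy would have handed the assembly more.
[assembly: PermissionSet(SecurityAction.RequestOptional, Name = "Nothing")]

// RequestRefuse: explicitly give back capabilities this code never needs,
// so a bug in this assembly cannot be leveraged into them.
[assembly: SecurityPermission(SecurityAction.RequestRefuse, UnmanagedCode = true)]
[assembly: RegistryPermission(SecurityAction.RequestRefuse, Unrestricted = true)]

public static class ReportWriter
{
    // PermitOnly narrows the effective grant for this frame and everything
    // it calls: whatever the assembly holds, this method can only read config.
    [FileIOPermission(SecurityAction.PermitOnly, Read = @"C:\app\config")]
    public static string ReadConfig(string name)
    {
        return File.ReadAllText(Path.Combine(@"C:\app\config", name));
    }

    public static void Write(string text)
    {
        // Demand triggers a stack walk: every caller up the stack must hold
        // write access to the output directory before the file is touched.
        new FileIOPermission(FileIOPermissionAccess.Write, @"C:\app\out").Demand();
        File.WriteAllText(@"C:\app\out\report.txt", text);
    }
}
```

This reflects the .NET 2.0 model the thread discusses; from .NET Framework 4 onward the runtime no longer enforces RequestMinimum, RequestOptional and RequestRefuse, so the same least-privilege intent has to be expressed through the Level 2 transparency model and AppDomain sandboxing instead.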