Secure Coding mailing list archives
Re: Installation and setup of secure applications
From: "Andreas Gaupmann" <andreas () cms ac>
Date: Tue, 20 Jan 2004 22:50:30 +0000
> How much involvement do you believe that software developers should have in
> installing and configuring their applications in their host environments?

I think programmers should try to work together with administrators. These folks know the most about configuration issues. Furthermore, the security policy of a company is supposed to address issues like:

- What access control models are considered to be secure?
- What information is allowed to be stored unencrypted?

In theory developers need not start from scratch. Also they can't deny their responsibility for enabling secure installation and configuration of applications.

> Should applications be designed and implemented such that they make extensive
> use of their host OS security features? Note that I'm not saying that they
> should _rely_ on it, but should the developers make more use of the
> capabilities available to them (sometimes at the cost of easy portability) as
> one of many layers of defense? If so, how much is {enough|too much}?

The tight integration of OS based security measures with applications is mostly not useful. If you know exactly in which environment the application will run then incorporation is a good thing. If this is not the case then you'll have to consider some points:

- What happens if the OS security safeguards are breached? Will then the application also be compromised?
- There exist many operating systems. The same can be said with respect to their security features.
- Whenever some OS security measures are changed you will have to update your application.

Thus, depending solely on OS security features won't be enough. Almost always security features have to exist within applications too. I think that an insecure application is as bad as an insecure OS. A software developer has the chance to make sure that the application isn't the risk.

Cheers
Andreas Gaupmann