RE: Re: Java sandboxing not used much

[Jeremy Epstein <jeremy.epstein () webmethods com>]

I agree with Ches, but need to mention that it's not always that simple.  I
offered my customers (as a no-cost feature) a Java sandbox file for our Java
server product... no one wanted it.  So it wasn't worth the effort to
develop/maintain.

While it's true that we need to make things simpler to use, we *also* need
to motivate users to take advantage of the security features we provide.  If
they don't see the value in using the sandbox.conf, then it won't be used,
even if it only requires a minimal effort.

--Jeremy

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]
> Behalf Of Bill Cheswick
> Sent: Thursday, March 11, 2004 3:04 PM
> To: [EMAIL PROTECTED]
> Subject: [SC-L] Re: Java sandboxing not used much
>
>
> > Complex security systems are often completely ignored.
>
> This is definitely a problem with with more-involved security systems.
> At one point I obtained a system that had obtained B1 certification
> to implement a firewall.  The firewall worked fine, but I never
> got the hang of the system administration for the damn thing.
>
> User client-level applications should come with recommended 
> sandbox.conf
> files that will contain them appropriately.  There's already 
> a shortage
> of systems and network security people, and this stuff should be as
> easy as possible.  
>
> ches