Secure Coding mailing list archives

Previous By Date Next
Previous By Thread Next

Blog posts on Ideas for a Partial Trust Managed Code World

From: dinis at ddplus.net (Dinis Cruz)
Date: Tue, 6 Mar 2007 00:13:22 +0000
The posts linked bellow are a variation of an email that I sent to 4 senior
technical Microsoft employees (two from .NET Security and two from the MS
Office security)  before I had a lunch meeting with them last Friday (2nd
March 2007)

As with all my previous meetings/lunches with Microsoft employees, it was an
interesting intellectual discussion but with no tangible results or
actionable actions since they (and Microsoft) don't believe that Partial
Trust Managed Code is a valid solution/approach. I also think that I need to
speak with their bosses, but unfortunately their bosses are not talking to
me


   - On Microsoft's lack of Partial Trust Managed Code (PTMC) focus and
   ideas for the
future<http://blogs.owasp.org/diniscruz/2007/03/05/on-microsofts-lack-of-partial-trust-managed-code-ptmc-focus-and-ideas-for-the-future/>-
In this post I start by doing a quick analysis for the current 'head
in
   the sand' response, and defend that in order for the changes to have real
   impact we will need impovements in 6 areas:  Technological, Political,
   Strategical, Economical, Social and Educational

   - 'Security Awareness Modes' & the 'day Microsoft
changes'<http://blogs.owasp.org/diniscruz/2007/03/05/security-awareness-modes-the-day-microsoft-changes/>-
Here I introduce an interesting concept of 4 Awareness Modes which I
think
   are good ways to describe company's awareness to the security issues that
   they face. The 4 modes are: 'Blissful ignorance', 'The Patching
   Dance', 'The SDL Dream and 'The Alignment'

   - Roadmap to a Partial Trust Managed Code
world<http://blogs.owasp.org/diniscruz/2007/03/05/roadmap-to-a-partial-trust-managed-code-world/>-
here I propose a time-line for the migration from the current 'all
   unmanaged/Full Trust world'

And before you shot-down this ideas (which are not short term btw), please
propose solutions for protecting our assets from malicious code executed
under our (and the applications) run-time environments.

The bottom line is, that currently (and it seems in the future) our main
security defense mechanism is our ability to prevent malicious code from
being executed in our environments (and if you think this is easy to
prevent, just make a quick list of all the applications and plug-ins
(containing external code) that are currently running in your desktop,
servers and web environments)

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20070306/8730e2ec/attachment.html
Previous By Date Next
Previous By Thread Next

Current thread: