Secure Coding mailing list archives
Unclassified NSA document on .NET 2.0 Framework Security
From: dinis at ddplus.net (Dinis Cruz)
Date: Mon, 24 Nov 2008 11:33:59 +0000
So does this mean that the NSA is recommending .NET applications to be develop so that they can be executed in partially trusted environments? (i.e. not in full trust?) Last time I check just about everybody was developing Full Trust .NET applications (did this change in the last year?) Don't get me wrong, this is a great document if one is interested in writing applications that use CAS (Code Access Security), I would love for this to be widely used. But all great recommendations, like for example: "... Recommendation: Only grant the File IO access permissions Read, Write, or Append to code that is trusted not to allow unauthorized access to file system resources. Grant File IO access to the most restrictive set of files and folders possible. Do not grant File IO access to file system roots or other broadly specified resources simply because they contain a few scattered files of interest. ...", page 17 "... Recommendation: In following with least privilege, grant the Data Protection permission to the most restrictive set of permissions possible....", page 26 "... Recommendation: The Socket Access permission should only be granted to highly trusted code or code that originates from the local network (evidenced by a strong name withservices....", page 28 "... Recommendation: The Allow Calls to Unmanaged Assemblies permission should be granted only to code that is trusted to execute with the same privileges as the user's account under which the code is running. ...", page 48 only mean anything on partially-trusted environment (i.e. non-full trust applications). Dinis Cruz On Sat, Nov 22, 2008 at 10:24 PM, Romain Gaucher <rgaucher at cigital.com>wrote:
All, The NSA has just unclassified a 300 pages document about .NET 2.0 security http://www.nsa.gov/snac/app/I731-008R-2006.pdf I think it can be interesting resource, --Romain Romain Gaucher Security Consultant Cigital, http://www.cigital.com Software Confidence. Achieved. _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20081124/35367981/attachment.html
Current thread:
- Unclassified NSA document on .NET 2.0 Framework Security Romain Gaucher (Nov 22)
- Unclassified NSA document on .NET 2.0 Framework Security Dinis Cruz (Nov 24)
- Unclassified NSA document on .NET 2.0 Framework Security Mike Lyman (Nov 24)
- Unclassified NSA document on .NET 2.0 Framework Security Gary McGraw (Nov 24)
- Unclassified NSA document on .NET 2.0 Framework Security Gunnar Peterson (Nov 25)
- Unclassified NSA document on .NET 2.0 Framework Security Stephen Craig Evans (Nov 25)
- Unclassified NSA document on .NET 2.0 Framework Security Gunnar Peterson (Nov 25)
- Unclassified NSA document on .NET 2.0 Framework Security Stephen Craig Evans (Nov 25)
- Unclassified NSA document on .NET 2.0 Framework Security Stephen Craig Evans (Nov 25)
- Unclassified NSA document on .NET 2.0 Framework Security Gary McGraw (Nov 25)
- Unclassified NSA document on .NET 2.0 Framework Security Gunnar Peterson (Nov 25)
- Message not available
- Unclassified NSA document on .NET 2.0 Framework Security Gunnar Peterson (Nov 25)
- Unclassified NSA document on .NET 2.0 Framework Security Mike Lyman (Nov 24)
- Unclassified NSA document on .NET 2.0 Framework Security Dinis Cruz (Nov 24)