WebApp Sec mailing list archives

Re: applet security


From: "Dean H. Saxe" <dean () fullfrontalnerdity com>
Date: Mon, 9 Jan 2006 12:14:12 -0500

By definition, the applet will always run in a sandboxed environment with very limited privileges *unless* the user has granted specific privileges to the applet.

-dhs

Dean H. Saxe, CEH
dean () fullfrontalnerdity com
"[U]nconstitutional behavior by the authorities is constrained only by the peoples' willingness to contest them"
    --John Perry Barlow


On Jan 9, 2006, at 9:27 AM, Andrew Chong wrote:


Just a quick comment, not thorough though.

I believe the auditor's concern is on the client side when the applet is
run in the user's browser.

You can question the auditor's concern, asking what specific areas he is
concerned with, i.e. does the applet code run in a sandbox?

Does the auditor want to do a code review? Does the applet write any
files to the user's computer? If yes, what are the controls to ensure
privacy? Does the applet send user information back to your
server? If so, what type of information? Financial, restricted, publicly
available? (data classification)

Logically, most auditors will ask what the technical controls and
management controls are for your server side (servlets, ASP, PERL, CGI)
rather than the client end.

Regards,
Andrew Chong, CISSP

-----Original Message-----
From: test.future () gmail com [mailto:test.future () gmail com]
Sent: Monday, January 09, 2006 6:25 PM
To: webappsec () securityfocus com
Subject: applet security


Our auditor advised that controls have to be in place to use applets in
web applications. I wonder what kind of controls are available? I searched
OWASP but can't find anything. Thanks for any advice.

-------------------------------------------------------------------------------
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
-------------------------------------------------------------------------------


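Dean's point at the top of the thread, illustrated with an added example that is not code from the thread or from any of its posters: a Java applet that asks the security manager whether it holds a permission before acting, together with the kind of narrowly scoped policy grant that would extend the sandbox. The class name, file path, host names, codebase URL and signer alias are assumptions.

```java
import java.applet.Applet;
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;

// Added example, not code from the thread. Applet code runs under the browser
// JVM's SecurityManager; an operation outside the sandbox fails with a
// SecurityException unless a policy grant (or the user's acceptance of a
// signed applet) extends the applet's privileges.
public class SandboxProbeApplet extends Applet {
    // Constructed path, used only to probe the file-read permission.
    private static final String LOCAL_FILE = "/tmp/example-data.txt";

    // Ask the security manager whether a permission is held before acting, so
    // the applet can degrade gracefully instead of dying on the exception.
    static boolean hasPermission(Permission p) {
        try {
            AccessController.checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public void init() {
        // Reading the local file system lies outside the default sandbox.
        boolean canReadFile = hasPermission(new FilePermission(LOCAL_FILE, "read"));

        // The sandbox lets an applet connect back to the host it was loaded
        // from (its codebase) but not to arbitrary other hosts.
        String origin = getCodeBase().getHost();
        boolean canConnectHome = hasPermission(new SocketPermission(origin + ":443", "connect"));
        boolean canConnectElsewhere = hasPermission(new SocketPermission("other.example.org:443", "connect"));

        System.out.println("read local file: " + canReadFile);
        System.out.println("connect to origin: " + canConnectHome);
        System.out.println("connect elsewhere: " + canConnectElsewhere);
    }
}

/* Assumed java.policy grant: the "specific privileges" an administrator can hand
 * to one applet. Scoping by codeBase and signedBy (a keystore alias) limits the
 * grant to a single signed applet and a single file, nothing more:
 *
 * grant codeBase "https://app.example.com/applets/-", signedBy "vendorkey" {
 *     permission java.io.FilePermission "/tmp/example-data.txt", "read";
 * };
 */
```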