Dailydave mailing list archives

Re: "The organization I belong to doesn't have initials" (that evil dude in Heroes)


From: "Matt Richard" <matt.richard () gmail com>
Date: Thu, 16 Nov 2006 09:09:09 -0500

On 11/15/06, dan () geer org <dan () geer org> wrote:

 | I think the real point here is that the majority of people responsible
 | for security have a backwards mindset.  Most security practitioners
 | still don't make the assumption that everything is vulnerable and
 | design around it.  Of course IIS is vulnerable to an unpublished 0day.


so, should one write apps with the assumption that they
will be running on compromised hosts?

When you write applications for a non-trusted platform such as
Windows, Linux, Solaris, OS X, OpenBSD, <your favorite OS> it would be
wise to assume that the host will eventually be compromised.

When it's assumed the host will eventually be compromised the author
may start to include security features that may not have been
considered.

I like the example of tax return software.  All tax return software
that I am aware of outputs your tax return as a PDF/html/etc.  None of
the packages give you the option to protect the documents, presumably
because they assume that if you trust the host enough to enter all
that information then you trust it to hold copies of the information
in the future.

If you assume that the host is not compromised when the user creates
the tax return but will someday be compromised then a different set of
outputs should result.  Apps should take measures to limit the
possible damage once the assumed compromise occurs.

The same holds true of most applications but I'm sure there are corner
cases where that's simply not reasonable or feasible.

-- 
Matt Richard
http://www.mullingsecurity.com
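The "option to protect the documents" that the post says tax packages lack, as an added example that is not code from this thread: the exported return is sealed under a user-chosen passphrase so that a later compromise of the host yields only ciphertext. It assumes the third-party `cryptography` package; the file layout, the `TXR1` tag and the sample return are constructed for this example.

```python
"""Seal an exported tax return so a later host compromise yields only ciphertext."""
import hashlib
import os
import struct
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # third-party package

MAGIC = b"TXR1"             # constructed format tag for this example
SALT_LEN, NONCE_LEN = 16, 12
HDR_LEN = len(MAGIC) + 2 + SALT_LEN + NONCE_LEN
# scrypt is memory-hard, so guessing passphrases against a stolen file is costly.
# N=2**14, r=8 uses 16 MiB, under hashlib's default 32 MiB maxmem.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def seal_return(plaintext: bytes, passphrase: str, year: int) -> bytes:
    """On-disk blob: MAGIC | year | salt | nonce | AES-GCM ciphertext+tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    header = MAGIC + struct.pack(">H", year) + salt + nonce
    # The header is passed as associated data, so a modified year, salt or
    # nonce is detected on open, not just a modified body.
    ct = AESGCM(derive_key(passphrase, salt)).encrypt(nonce, plaintext, header)
    return header + ct


def open_return(blob: bytes, passphrase: str) -> bytes:
    """Recover the plaintext; raises InvalidTag on a wrong passphrase or tampering."""
    header, ct = blob[:HDR_LEN], blob[HDR_LEN:]
    if not header.startswith(MAGIC) or len(header) != HDR_LEN:
        raise ValueError("not a sealed return")
    salt = header[len(MAGIC) + 2:len(MAGIC) + 2 + SALT_LEN]
    nonce = header[-NONCE_LEN:]
    return AESGCM(derive_key(passphrase, salt)).decrypt(nonce, ct, header)


def can_open(blob: bytes, passphrase: str) -> bool:
    """True only if the passphrase is right and the blob is unmodified."""
    try:
        open_return(blob, passphrase)
        return True
    except (InvalidTag, ValueError):
        return False
```

Because the salt and nonce are fresh per export, sealing the same return twice produces unrelated blobs, and nothing about the passphrase is stored on disk for an attacker who later reads the filesystem.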