Secure Coding mailing list archives
Installation and setup of secure applications
From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Tue, 20 Jan 2004 16:58:25 +0000
All the talk last week here and elsewhere about Personal Firewall Day got me thinking about one of my personal soap boxes -- application installation and setup. After years of seeing countless examples of inadequately installed and configured applications, I became convinced that we don't pay enough attention to this phase of developing secure software, by and large anyway. Plus, I am fully aware that many people don't even agree that this is part of software development per se.

What I've seen includes applications installed such that their security is entirely internal to the application. For example, access control in databases, account management, etc., that is handled exclusively by the application. Most OSes and file systems have access control and/or event logging features that are never tapped by application developers and installers -- e.g., NTFS can do Access Control Lists (ACL) and can do read/write event logging down to individual files, folders, and even registry keys. Yet, very few applications make use of these features. Sure, there are exceptions that are more closely integrated into their host OS, but they seem to me to be few and far between.

More often than not, I hear things like "Oh, that's not my job as a developer." and "We have an operations team that takes care of that."

So, my questions here to SC-L are: How much involvement do you believe that software developers should have in installing and configuring their applications in their host environments? Should applications be designed and implemented such that they make extensive use of their host OS security features? Note that I'm not saying that they should _rely_ on it, but should the developers make more use of the capabilities available to them (sometimes at the cost of easy portability) as one of many layers of defense? If so, how much is {enough|too much}?

Cheers,

Ken van Wyk
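As an added illustration of the NTFS features the post refers to (this is editor-supplied example code, not part of Ken's message): an installer step that hands the application's data directory to the OS, setting a least-privilege DACL and a SACL so NTFS itself records access rather than the application logging internally. The install path, service account name and group are placeholders; it assumes an elevated session and that the local audit policy for object access is enabled, or no audit events will actually be written.

```powershell
# Added example, not from the original post. Placeholder names below.
$AppDir  = 'C:\ProgramData\ExampleApp\data'   # hypothetical install path
$SvcAcct = 'NT SERVICE\ExampleSvc'            # hypothetical service account
$Admins  = 'BUILTIN\Administrators'

New-Item -ItemType Directory -Path $AppDir -Force | Out-Null

# -Audit pulls the SACL too, so we can add audit rules on the same object.
$acl = Get-Acl -Path $AppDir -Audit

# Break inheritance and discard inherited entries, so permissions granted
# higher up (e.g. on C:\ProgramData to Users) do not leak onto app data.
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# Service account gets Modify (read/write/delete) but not FullControl,
# so a compromised service cannot rewrite the permissions on its own data.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $SvcAcct, 'Modify', $inherit, $prop, 'Allow')))

# Administrators keep full control for operations staff.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Admins, 'FullControl', $inherit, $prop, 'Allow')))

# SACL: record every write/delete (success or failure) by anyone, and any
# failed read, which is an access-control denial worth seeing in the log.
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Write, Delete', $inherit, $prop, 'Success, Failure')))
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Read', $inherit, $prop, 'Failure')))

Set-Acl -Path $AppDir -AclObject $acl

# Show what the OS will now enforce and record, for the install log.
$check = Get-Acl -Path $AppDir -Audit
$check.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
$check.Audit  | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

The same pattern applies to the application's registry keys with RegistryAccessRule and RegistryAuditRule in place of the file-system rule types.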
Current thread:
- Installation and setup of secure applications Kenneth R. van Wyk (Jan 20)
- Re: Installation and setup of secure applications Burak DAYIOGLU (Jan 20)
- Re: Installation and setup of secure applications Andreas Saurwein (Jan 20)
- Re: Installation and setup of secure applications Jose Nazario (Jan 20)
- Re: Installation and setup of secure applications der Mouse (Jan 20)
- Re: Installation and setup of secure applications Erik van Konijnenburg (Jan 20)
- Re: Installation and setup of secure applications Jose Nazario (Jan 20)
- <Possible follow-ups>
- Installation and setup of secure applications Jean-Francois Poirier (Jan 20)
- Re: Installation and setup of secure applications Damir Rajnovic (Jan 21)
- Re: Installation and setup of secure applications carolyn . ryll (Jan 20)
- Re: Installation and setup of secure applications Andreas Gaupmann (Jan 20)