Secure Coding mailing list archives
Re: Installation and setup of secure applications
From: carolyn.ryll () philips com
Date: Tue, 20 Jan 2004 19:30:37 +0000
I believe here is where we actually start to see a distinction between *product* security and *application* security.

For instance, if the developers are producing an application such that it will reside on the product (i.e., embedded) before it leaves the door to go to the customer, then full integration with the OS can be seen as acceptable because the application is one part of a whole - integrated into the device. In this case, developers' hands-on configuration, or at least help within the configuration stage, on the device should be seen as necessary. This is because they have full knowledge of what they produced in conjunction with the workings of the rest of the system.

In application security (versus product security), we are producing applications that will most likely reside on systems that are configured in any number of ways. That is, dependency on the OS will not produce dependable results. If we produce an application that will work on any version of Windows, we are still producing an application that will work on different operating systems (as not all Windows OS demonstrate the same security vulnerabilities each time). Hence, what we are producing in pure application security cannot really be seen as one part of a whole, but as a layer on top of the underlying functionality (as opposed to product security, where the application is entwined with the remainder of the system). It would also not be possible in many to most cases to have the developer take part in the configuration in this case, due to the mass number of consumers that may utilize the application.

Of course there may be arguments against this viewpoint, as exceptions to these scenarios always exist.

Kind regards,
Carolyn Ryll, CISSP
Product Security Specialist

*Opinions stated above are my own, and not that of any particular organization, unless so noted.