Secure Coding mailing list archives
RE: Re: Java sandboxing not used much
From: Jeremy Epstein <jeremy.epstein () webmethods com>
Date: Thu, 11 Mar 2004 23:50:07 +0000
I agree with Ches, but need to mention that it's not always that simple. I offered my customers (as a no-cost feature) a Java sandbox file for our Java server product... no one wanted it. So it wasn't worth the effort to develop/maintain.

While it's true that we need to make things simpler to use, we *also* need to motivate users to take advantage of the security features we provide. If they don't see the value in using the sandbox.conf, then it won't be used, even if it only requires a minimal effort.

--Jeremy
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Bill Cheswick
Sent: Thursday, March 11, 2004 3:04 PM
To: [EMAIL PROTECTED]
Subject: [SC-L] Re: Java sandboxing not used much

Complex security systems are often completely ignored.

This is definitely a problem with more-involved security systems. At one point I obtained a system that had obtained B1 certification to implement a firewall. The firewall worked fine, but I never got the hang of the system administration for the damn thing.

User client-level applications should come with recommended sandbox.conf files that will contain them appropriately. There's already a shortage of systems and network security people, and this stuff should be as easy as possible.

ches