Secure Coding mailing list archives
Re: Installation and setup of secure applications
From: Andreas Saurwein <saurwein () uniwares com>
Date: Tue, 20 Jan 2004 21:08:59 +0000
At 20/1/2004 13:28 Tuesday, you wrote:
> Plus, I am fully aware that many people don't even agree that this is part of
> software development per se.
I'm on your side.
> How much involvement do you believe that software developers should have in
> installing and configuring their applications in their host environments?
Most developers I have come to know so far, hardly master the language they
are programming in, less the operating system their programs will run on.
And, focusing on Windows NT (2000, XP, 2003), security is not an easy task.
How many programmers can you name who know what is an ACL, ACE, or process
token? How many of these few know how to actually use it in their applications?
Even if companies would start to pay more attention to "security related
knowledge" when they look for employees, they still have to deal with the
fact that writing a secure program is a much bigger effort.
Another hurdle is the fact that nowadays everybody wants to be "portable"
and support at least two completely different operating systems. This means
you have to write double code, wrapper libraries, have more people who know
more things.
> Should applications be designed and implemented such that they make extensive
> use of their host OS security features? Note that I'm not saying that they
> should _rely_ on it, but should the developers make more use of the
> capabilities available to them (sometimes at the cost of easy portability) as
> one of many layers of defense? If so, how much is {enough|too much}?
Yes they should be designed to make extensive use of the OS and its
features. The few that do it already are successful applications.
There is just the big danger to "rely" on the security of the OS without
knowing it and thus unknowingly adding security holes to the application.
As for the setup progress... I think anyone who ever used any of the
popular setup programs is aware that they have absolutely no support for any
kind of security. They hardly support proper installation/deinstallation.
So you end up writing all this security related setup code yourself. Which
brings us back to the points raised before.
cheers
Andreas
