Secure Coding mailing list archives
Re: Installation and setup of secure applications
From: Andreas Saurwein <saurwein () uniwares com>
Date: Tue, 20 Jan 2004 21:08:59 +0000
At 20/1/2004 13:28 Tuesday, you wrote: Plus, I am fully aware that many people don't even agree that this is part of software development per se. I'm on your side. How much involvement do you believe that software developers should have in installing and configuring their applications in their host environments? Most developers I have come to know so far, hardly master the language they are programming in, less the operating system their programs will run on. And, focusing on Windows NT (2000, XP, 2003), security is not an easy task. How many programmers can you name who know what is an ACL, ACE, or process token? How many of these few know how to atually use it in their applications? Even if companies would start to pay more attention to "security related knowledge" when they look for employees, they still have to deal with the fact that writting a secure program is a much bigger effort. Another hurdle is the fact that nowadays everybody wants to be "portable" and support at least two completely different operating systems. This means you have to write double code, wrapper libraries, have more people who know more things. Should applications be designed and implemented such that they make extensive use of their host OS security features? Note that I'm not saying that they should _rely_ on it, but should the developers make more use of the capabilities available to them (sometimes at the cost of easy portability) as one of many layers of defense? If so, how much is {enough|too much}? Yes they should be designed to make extensive use of the OS and its features. The few that do it already are successful applications. There is just the big danger to "rely" on the security of the OS without knowing it and thus unknowingly adding securityholes to the application. As for the setup progress... I think anyone who every used any of the popular setup programs is aware that they have absolutly no support for any kind of security. They hardly support proper installation/deinstallation. So you end up writting all this security related setup code yourself. Which brings us back to the points raised before. cheers Andreas
Current thread:
- Installation and setup of secure applications Kenneth R. van Wyk (Jan 20)
- Re: Installation and setup of secure applications Burak DAYIOGLU (Jan 20)
- Re: Installation and setup of secure applications Andreas Saurwein (Jan 20)
- Re: Installation and setup of secure applications Jose Nazario (Jan 20)
- Re: Installation and setup of secure applications der Mouse (Jan 20)
- Re: Installation and setup of secure applications Erik van Konijnenburg (Jan 20)
- Re: Installation and setup of secure applications Jose Nazario (Jan 20)
- <Possible follow-ups>
- Installation and setup of secure applications Jean-Francois Poirier (Jan 20)
- Re: Installation and setup of secure applications Damir Rajnovic (Jan 21)
- Re: Installation and setup of secure applications carolyn . ryll (Jan 20)
- Re: Installation and setup of secure applications Andreas Gaupmann (Jan 20)