Secure Coding mailing list archives

Unclassified NSA document on .NET 2.0 Framework Security


From: gem at cigital.com (Gary McGraw)
Date: Mon, 24 Nov 2008 17:34:18 -0500

Sadly this non-adoption of privileged/managed code (filled with blank stares) has been the case ever since the Java 
security days a decade ago.  One of the main challenges is that developers have a hard time thinking about the 
principle of least privilege and its implications regarding the capabilities they should request.  Dinis is brave to 
set such thinking as a target.  I've settled (after ten years) with getting developers just to utter the word 
"security."

All together now..."security".

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


On 11/24/08 12:31 PM, "Mike Lyman" <mlyman-cissp at comcast.net> wrote:

> Dinis Cruz wrote:
>> Don't get me wrong, this is a great document if one is interested in
>> writing applications that use CAS (Code Access Security), I would love
>> for this to be widely used.
>
> When we recommended CAS during a review of the U.S. Defense
> Information System Agency's new Application Security and Development
> Security Technical Implementation Guide earlier this year we were met
> with what amounted to blank stares. (At least it seemed like that since
> it was a phone conference.) Some on the call understood it and agreed
> with the recommendation but those hosting the call and doing the writing
> didn't seem to grasp it. It may be a while before we see many
> adopting this or requiring it.
> --
>
> Mike Lyman
> mlyman at west-point.org

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________



