Secure Coding mailing list archives

Unclassified NSA document on .NET 2.0 Framework Security


From: ljknews at mac.com (ljknews)
Date: Tue, 25 Nov 2008 17:44:14 -0400

At 10:57 AM -0800 11/25/08, Andy Steingruebl wrote:
On Tue, Nov 25, 2008 at 9:48 AM, Gunnar Peterson
<gunnar at arctecgroup.net> wrote:


but actually the main point of my post and the one i would like to
hear people's thoughts on - is to say that attempting to apply
principle of least privilege in the real world often leads to drilling
dry wells. i am not blaming any group in particular i am saying i
think it is in the "too hard" pile for now and we as software security
people should not be advocating for it until or unless we can find
cost effective ways to implement it.

Certainly it is not a dry well.  For the operating system I deal
with, application programmers _consistently_ ignore the facility
provided for fine-grained access to files and leave users with
coarse-grained access as their only recourse.

Of course I am not talking about .NET 2.0, as others have not
restricted their comments to that either.
-- 
Larry Kilgallen

