Secure Coding mailing list archives
Software Assist to Find Least Privilege
From: peter.werner at gmail.com (Pete Werner)
Date: Wed, 26 Nov 2008 08:51:44 +1100
I've always thought systrace was nifty http://www.citi.umich.edu/u/provos/systrace/ It's on a different level than .net/java, but I don't see why something like that couldn't be built in to the CLR. As to developers vs management, unless there is high level support for security, developers are always going to struggle justifying time spent on these things. They are usually under a lot of pressure to get things out the door so the company can start making a buck. In my experience higher levels respond to 2 things, customer demand and regulators. Customers are being more vocal about security, and regulators are slowly waking up. Regulators can be scary though. Self regulation would be best but its unlikely higher ups will sign off on self regulation because its just going to cost them more time and money, and the reality is most corporates do not see software security as part of their core business. On Wed, Nov 26, 2008 at 4:26 AM, Mark Rockman <mrockman at acm.org> wrote:
It be difficult to determine a priori the settings for all the access control lists and other security parameters that one must establish for CAS to work. Perhaps a software assist would work according to the following scenario. Run the program in the environment in which it will actually be used. Assume minimal permissions. Each time the program would fail due to violation of some permission, notate the event and plow on. Assuming this is repeated for every use case, the resulting reports would be a very good guide to how CAS settings should be established for production. Of course, everytime the program is changed in any way, the process would have to be repeated. MARK ROCKMAN MDRSESCO LLC _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
Current thread:
- Software Assist to Find Least Privilege Mark Rockman (Nov 25)
- Software Assist to Find Least Privilege Steven M. Christey (Nov 25)
- Software Assist to Find Least Privilege Gary McGraw (Nov 25)
- Software Assist to Find Least Privilege ljknews (Nov 25)
- Software Assist to Find Least Privilege Susan Bradley, CPA (Nov 25)
- Software Assist to Find Least Privilege Pete Werner (Nov 25)
- Software Assist to Find Least Privilege Steven M. Christey (Nov 25)