Secure Coding mailing list archives
Unclassified NSA document on .NET 2.0 Framework Security
From: ljknews at mac.com (ljknews)
Date: Wed, 26 Nov 2008 09:33:07 -0400
At 9:32 PM -0800 11/25/08, Brian Chess wrote:
Larry, I'm not sure I get your meaning. You say you don't think it's a dry well, but then you say programmers ignore the privilege management facilities at their disposal.
I mean they ignore it until security overseers (800.53a, PCI DSS, 8500.2 evaluators) come by and force them to fix it.
At 10:57 AM -0800 11/25/08, Andy Steingruebl wrote:On Tue, Nov 25, 2008 at 9:48 AM, Gunnar Peterson <<<mailto:gunnar at arctecgroup.net>gunnar at arctecgroup.net>mailto:gunnar at arctecgroup.net>gunnar at arctecgroup.net> wrote: but actually the main point of my post and the one i would like to hear people's thoughts on - is to say that attempting to apply principle of least privilege in the real world often leads to drilling dry wells. i am not blaming any group in particular i am saying i think it is in the "too hard" pile for now and we as software security people should not be advocating for it until or unless we can find cost effective ways to implement it.Certainly it is not a dry well. For the operating system I deal with, application programmers _consistently_ ignore the facility provided for fine-grained access to files and leave users with coarse-grained access as their only recourse.
So attempting to apply it is not a dry well and not too hard - just typically done as a retrofit due to political rather than techical circumstance. I had a friend who was working on software where multi-million dollar accounts failed to balance correctly. That defect got considerable management attention. The same _could_ be done for security. -- Larry Kilgallen
Current thread:
- Regional differences in software security, (continued)
- Regional differences in software security Stephen Craig Evans (Nov 26)
- Unclassified NSA document on .NET 2.0 Framework Security Susan Bradley (Nov 26)
- Unclassified NSA document on .NET 2.0 Framework Security Jerry Leichter (Nov 26)
- Unclassified NSA document on .NET 2.0 Framework Security Stephen Craig Evans (Nov 26)
- Unclassified NSA document on .NET 2.0 Framework Security Andy Steingruebl (Nov 25)
- Unclassified NSA document on .NET 2.0 Framework Security ljknews (Nov 25)
- Unclassified NSA document on .NET 2.0 Framework Security Shea, Brian A (Nov 25)
- Unclassified NSA document on .NET 2.0 Framework Security Susan Bradley, CPA (Nov 25)
- Unclassified NSA document on .NET 2.0 Framework Security Dana Epp (Nov 25)