If you don't want us to post thinking you are "anti-M$" then don't use "anti-M$" lingo. It's immature.
What "Security compliance standards" are you referring to? If this is a serious question, then provide specifics. What "various issues involved with vulnerable features" are you talking about? And who are these "Security Developers around the world" who have the hell scared out of them?? Progress fixing WHAT issues? Again, provide specifics rather than some ambiguous references to results of search engines and inferences from some SANS lecturer.

The .NET framework provides extensive security mechanisms for developers to leverage in their applications if they choose to do so. But "choose to do so" is the important part.

Can a developer choose to send clear-text password information from a web request object to an outbound proxy? Sure they can-- but they can also leverage the System.Net "CredentialCache" to set the Credential property of the WebProxy objects to securely and automatically transfer security context information.

Can they send and store DB data in the clear? Sure they can-- or they can choose to use extensive crypto libs to secure the data in transit and in storage.

Can they still concatenate string variables from request forms into SQL statements vulnerable to SQL injection? Yes, if they try hard enough. Or they can use the built-in System.Data.SqlClient objects (like the SqlDataReader) to automatically check variable types, command syntax, and parameter constraints for command execution. Or XMLReader objects to automatically verify XML syntax. Or StringReaders. Or TextReader and TextWriter objects to securely create and manage System.IO operations rather than the "Security Developers" who find that if they try hard enough can still create FileSystemObjects to read/write "web counter" data to the C:\ root.

Provide some "real" questions and we'll see if we can help.

t

On 7/27/06 6:53 AM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> spoketh to all:

> Hey group,
>
> I attended the SANS conference for .Net security session. Based on some
> lectures and based on my search findings at internet search engines, I wanted
> to ask if .NET cannot comply to the Security compliance standards at all.
> Various issues involved with the vulnerable features of .Net framework scare
> the hell out of the Security Developers around the world, who are involved
> with .Net framework. Did any security group consider making any updates and
> releasing it to M$, has anyone contacted them yet, any progress on fixing
> these issues and bringing it into compliance.
>
>
> Sorry if that involved a lot of questions in a single email :-) Was just
> curious to know what is going around.
>
>
> Shyaam
>
>
> PS: this is not any feud against M$ and I am just trying to learn more about
> this. Please don't respond to this email thinking that I belong to some anti-M$
> gang, I am requesting as it has happened before. I need more input and hence I
> am posting in this group.
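
Added example, not part of the original thread: the two choices the reply contrasts, a form value concatenated into SQL text versus bound as a parameter, and a WebProxy that takes its credentials from CredentialCache. It uses SqlCommand with a typed SqlParameter; the Users table, Name column, proxy URL and method names are hypothetical, and nothing is sent to a database or proxy.

```csharp
// Added illustration; table, column, proxy URL and method names are hypothetical.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;

static class ThreadExample
{
    // Concatenation: the form value becomes part of the SQL text itself.
    static SqlCommand BuildConcatenated(string name)
    {
        return new SqlCommand("SELECT Id FROM Users WHERE Name = '" + name + "'");
    }

    // Parameterized: the SQL text is constant and the value travels separately
    // as a typed, length-bounded parameter.
    static SqlCommand BuildParameterized(string name)
    {
        var cmd = new SqlCommand("SELECT Id FROM Users WHERE Name = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = name;
        return cmd;
    }

    // Proxy authentication from the process's logon context rather than a
    // password embedded in code or sent in the clear.
    static WebProxy BuildProxy(string url)
    {
        var proxy = new WebProxy(url);
        proxy.Credentials = CredentialCache.DefaultCredentials;
        return proxy;
    }

    static void Main()
    {
        string formValue = "x' OR '1'='1"; // constructed sample input

        // The commands are only built and inspected here, never executed.
        Console.WriteLine("concatenated : " + BuildConcatenated(formValue).CommandText);

        SqlCommand safe = BuildParameterized(formValue);
        SqlParameter p = safe.Parameters["@name"];
        Console.WriteLine("parameterized: " + safe.CommandText);
        Console.WriteLine("  {0} ({1}, max {2}) = {3}", p.ParameterName, p.SqlDbType, p.Size, p.Value);

        WebProxy proxy = BuildProxy("http://proxy.example.internal:8080");
        Console.WriteLine("proxy {0} has credentials: {1}", proxy.Address, proxy.Credentials != null);
    }
}
```

In the concatenated command the quote characters from the form value end up inside the statement text; in the parameterized command the statement text is identical for every input and the value stays data.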
