So does this mean that the NSA is recommending .NET applications to be developed so that they can be executed in partially trusted environments? (i.e. not in full trust?)
Last time I checked just about everybody was developing Full Trust .NET applications (did this change in the last year?)

Don't get me wrong, this is a great document if one is interested in writing applications that use CAS (Code Access Security), I would love for this to be widely used.

But all great recommendations, like for example:

"... Recommendation: Only grant the File IO access permissions Read, Write, or Append to code that is trusted not to allow unauthorized access to file system resources. Grant File IO access to the most restrictive set of files and folders possible. Do not grant File IO access to file system roots or other broadly specified resources simply because they contain a few scattered files of interest. ...", page 17

"... Recommendation: In following with least privilege, grant the Data Protection permission to the most restrictive set of permissions possible....", page 26

"... Recommendation: The Socket Access permission should only be granted to highly trusted code or code that originates from the local network (evidenced by a strong name withservices....", page 28

"... Recommendation: The Allow Calls to Unmanaged Assemblies permission should be granted only to code that is trusted to execute with the same privileges as the user's account under which the code is running. ...", page 48

only mean anything in a partially-trusted environment (i.e. non-full trust applications).

Dinis Cruz

On Sat, Nov 22, 2008 at 10:24 PM, Romain Gaucher <[EMAIL PROTECTED]> wrote:
> All,
> The NSA has just unclassified a 300-page document about .NET 2.0 security
> http://www.nsa.gov/snac/app/I731-008R-2006.pdf
>
> I think it can be an interesting resource,
>
> --Romain
>
> Romain Gaucher
> Security Consultant
> Cigital, http://www.cigital.com
> Software Confidence. Achieved.
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
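The full-trust versus partial-trust distinction raised in the message above, as an added example that is not part of the original post or of the NSA guide: the same file read is attempted from the default AppDomain and from a sandboxed AppDomain whose grant set holds only Execution plus File IO Read on one folder, so that CAS refuses the sandboxed read outside that folder. It assumes the .NET Framework (2.0 or later) on Windows, run from local disk so the default domain is Full Trust; `FileProbe`, `TrustDemo` and the temp folder names are made up for the illustration.

```csharp
// Added illustration. Assumes .NET Framework; AppDomain sandboxing does not exist on .NET Core/.NET 5+.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Runs in whichever AppDomain creates it, so its file access is checked
// against that domain's grant set.
public class FileProbe : MarshalByRefObject
{
    public string TryRead(string path)
    {
        try { return "allowed (" + File.ReadAllText(path).Length + " chars)"; }
        catch (SecurityException) { return "denied by CAS (SecurityException)"; }
    }
}

public static class TrustDemo
{
    public static void Main()
    {
        // Constructed sample layout: one folder the sandbox may read, one it may not.
        string root = Path.Combine(Path.GetTempPath(), "cas-demo");
        string granted = Path.Combine(root, "granted");
        string other = Path.Combine(root, "other");
        Directory.CreateDirectory(granted);
        Directory.CreateDirectory(other);
        string inFile = Path.Combine(granted, "a.txt");
        string outFile = Path.Combine(other, "b.txt");
        File.WriteAllText(inFile, "inside");
        File.WriteAllText(outFile, "outside");

        // Partial trust: Execution, plus File IO Read on the single granted folder only.
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, granted));

        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;
        AppDomain sandbox = AppDomain.CreateDomain("partial-trust", null, setup, grant);

        FileProbe full = new FileProbe(); // lives in the default domain
        FileProbe partial = (FileProbe)sandbox.CreateInstanceAndUnwrap(
            typeof(FileProbe).Assembly.FullName, typeof(FileProbe).FullName);

        Console.WriteLine("default domain, other folder:   " + full.TryRead(outFile));
        Console.WriteLine("sandbox domain, granted folder: " + partial.TryRead(inFile));
        Console.WriteLine("sandbox domain, other folder:   " + partial.TryRead(outFile));
        AppDomain.Unload(sandbox);
    }
}
```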