Re: [SC-L] how far we still need to go

2007-08-28 Thread McGovern, James F (HTSC, IT)
 Many folks have talked about certification of individuals but is there
merit in noodling the notion of a security maturity model? What if
end-customers could rank their software vendors in a transparent manner
in the same way that outsourcing firms pursue CMMi? 

The notion of third-party assessors that determine this form of
certification could be supplemental revenue for those who are employed
by consulting firms. Could be similar to SCRUMAlliance certification if
you prefer something lighter weight.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ljknews
Sent: Wednesday, July 25, 2007 10:23 PM
To: SC-L@securecoding.org
Subject: Re: [SC-L] how far we still need to go

At 2:03 AM +0100 7/26/07, Dinis Cruz wrote:
> It's a simple economics problem. The moment these companies and
> developers lose sales (or market share) because their products require
> admin / root privileges to run, is the moment they start to REALLY
> support it.

For Windows that day might be when they have to run under the new US
federal government standard Windows configuration, due out any month
now.
--
Larry Kilgallen




___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] how far we still need to go

2007-07-26 Thread ljknews
At 2:03 AM +0100 7/26/07, Dinis Cruz wrote:
 It's a simple economics problem. The moment these companies and
developers lose sales (or market share) because their products require
admin / root privileges to run, is the moment they start to REALLY support
it.

For Windows that day might be when they have to run under the new US
federal government standard Windows configuration, due out any month now.
-- 
Larry Kilgallen


[SC-L] how far we still need to go

2007-07-25 Thread William L. Anderson
I was trying out a new web service that permits sharing files from the desktop
to others online. It does seem a bit dodgy, but I was curious about how it 
worked.

Well after a few attempts to install it on a Mac OS X system I finally dope out
that it only seems to install and run as admin. That is, I not only need to
install it as admin (that's OK, ordinary users can't write to the /Applications
area), but I need to run it as admin.

After a few e-mails to the developers I get the following response:

the only other thing that I can suggest is to install it (and run it) in an
admin account. Starting from scratch. I'll have to log it as an issue that
non-admin users can't install it (I've honestly never created a non-admin
account on OS X and I guess no one else here has either because we didn't think
of it!)

I am flabbergasted. When I first encountered Unix in 1983 I was taught that you
always run as an ordinary user, and only use admin (root) privileges when
needed. If OS X developers are running as admin, and building and testing their
products as admin, well ... I'm still in shock. And I weep for the species.

-Bill Anderson
http://praxis101.com/blog/




Re: [SC-L] how far we still need to go

2007-07-25 Thread Kenneth Van Wyk


On Jul 25, 2007, at 9:36 AM, William L. Anderson wrote:
> Well after a few attempts to install it on a Mac OS X system I finally
> dope out that it only seems to install and run as admin. That is, I not
> only need to install it as admin (that's OK, ordinary users can't write
> to the /Applications area), but I need to run it as admin.


Maddening, isn't it?  I maintain that this is a software issue, insofar
as how the software is bolted into its operating environment.  Many
disagree with that point of view, which I can accept, but I believe that
to pass this off to the ops guys is a bad practice that borders on
negligence.  Even for those who disagree with me, I still would argue
that it's largely under the control of the developer to be able to bolt
the code into a safe operating environment -- that promotes the principle
of least privilege effectively.


One of my customers uses -- and hence, so do I -- VPN software and a
software one-time token (SoftToken) that requires the SoftToken.app
software to have read/write access to its folder under /Applications on
OS X.  The presumption was that it would always be run as root.  Well,
I've gone out of my way to run my desktop OS X user without privs, which
broke SoftToken (it would generate the same token EVERY time it was
invoked).  I still wouldn't accept running it as root, however, and was
able to circumvent the problem by only giving my desktop user read/write
to the one data file that SoftToken needed to write to.  Still not as
good as designing it properly in the first place, but it was an
acceptable compromise for me to be able to do what I need to do.  FWIW...


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
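Ken's workaround above, as an added shell example that is not code from the thread or from the SoftToken vendor: instead of running the whole app with admin rights, lock the bundle read-only, re-open write access on exactly the one data file it needs, and then audit which paths under the bundle are still writable. The bundle layout, the token.dat file name and the "alice" user in the ACL comment are made up for the demo; the real SoftToken.app layout is not known from the thread.

```sh
#!/bin/sh
# Added example, not code from the thread: keep an app bundle read-only except
# for the single data file it must write, then audit that the rest stayed
# locked. The bundle layout and file names below are constructed for the demo.
set -eu

# lock_bundle DIR: strip the write bit from every file and directory under DIR.
# On a real /Applications bundle this (and the grant below) is run once from an
# admin shell via sudo; the desktop user itself never needs to be admin.
lock_bundle() {
    find "$1" -exec chmod a-w {} +
}

# grant_one_file FILE: re-enable writing on exactly one path. Here that is the
# owner's write bit, which is enough when the desktop user owns the file.
# When the file is owned by root or the admin group, the equivalent on OS X is
# a per-user ACL added as admin, e.g.:  chmod +a "alice allow read,write" FILE
# ("alice" is a made-up user name.)
grant_one_file() {
    chmod u+w "$1"
}

# writable_under DIR: list every path under DIR whose owner write bit is set,
# one per line, sorted. This is the audit: it should print exactly the paths
# you granted and nothing else.
writable_under() {
    find "$1" -perm -u+w -print | sort
}

# demo: build a throwaway bundle resembling the thread's scenario, apply the
# fix, and print the audit result relative to the bundle root.
demo() {
    tmp=$(mktemp -d)
    app="$tmp/SoftToken.app"
    mkdir -p "$app/Contents/MacOS" "$app/Contents/Resources"
    printf 'binary\n'    > "$app/Contents/MacOS/SoftToken"        # constructed
    printf 'counter=0\n' > "$app/Contents/Resources/token.dat"    # constructed
    printf 'plist\n'     > "$app/Contents/Info.plist"             # constructed

    lock_bundle "$app"
    grant_one_file "$app/Contents/Resources/token.dat"

    # Audit: only the one data file should come back.
    (cd "$app" && writable_under .)

    # Restore write bits so the temp tree can be removed.
    chmod -R u+w "$tmp" && rm -rf "$tmp"
}

demo
```

The audit step is the part worth keeping around: rerun it after every vendor update, since an installer that assumes admin may well reset the bundle to be writable again, and a token generator whose state file is writable by every process running as the desktop user is still a weaker design than one that keeps its state under the user's own home directory.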








Re: [SC-L] how far we still need to go

2007-07-25 Thread Dinis Cruz

It's a simple economics problem. The moment these companies and developers
lose sales (or market share) because their products require admin / root
privileges to run, is the moment they start to REALLY support it.

And the reason why there isn't such REAL demand (with the exception of crazy
security dudes like us and the poor unlucky guys who actually GOT attacked)
is because the attackers are not exploiting the fact that these apps need
admin / root.

And if the attackers are not exploiting it, the customers are not losing
money, and if the customers are not losing money they will not demand more
secure systems.

So it's good news, we are still safe, since the Risk is quite low :)

Btw, at OWASP we are trying to organize an OWASP Day to coincide with the
Global Security Week. See http://www.owasp.org/index.php/OWASP_Day for more
details and please feel free to get involved :)

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org


On 7/25/07, William L. Anderson [EMAIL PROTECTED] wrote:


> I was trying out a new web service that permits sharing files from the
> desktop to others online. It does seem a bit dodgy, but I was curious
> about how it worked.
>
> Well after a few attempts to install it on a Mac OS X system I finally
> dope out that it only seems to install and run as admin. That is, I not
> only need to install it as admin (that's OK, ordinary users can't write
> to the /Applications area), but I need to run it as admin.
>
> After a few e-mails to the developers I get the following response:
>
> the only other thing that I can suggest is to install it (and run it) in
> an admin account. Starting from scratch. I'll have to log it as an issue
> that non-admin users can't install it (I've honestly never created a
> non-admin account on OS X and I guess no one else here has either
> because we didn't think of it!)
>
> I am flabbergasted. When I first encountered Unix in 1983 I was taught
> that you always run as an ordinary user, and only use admin (root)
> privileges when needed. If OS X developers are running as admin, and
> building and testing their products as admin, well ... I'm still in
> shock. And I weep for the species.
>
> -Bill Anderson
> http://praxis101.com/blog/



Re: [SC-L] how far we still need to go

2007-07-25 Thread William L. Anderson
BB, well yes I did gloss over the OS X admin and Unix root diffs.

And I agree that the install does create the first user as admin. That's a
problematic scenario.

Furthermore, I probably know too much, because I knew I wanted to create an
ordinary user acc't in addition to admin on my personal machine. And I know
enough to add the ordinary user to the sudoer list, so I can get admin
privileges when I want. This is definitely way too much work for someone who
just wants to use the computer.

But I still expect developers to know the difference and build their apps so
that ordinary folk can install them. But, then ordinary folk need to know the
difference between admin and ordinary. ... Uh oh, I'm getting a headache.

Thanks for the clarification.

-Bill

Blue Boar wrote:
> William L. Anderson wrote:
>> I am flabbergasted. When I first encountered Unix in 1983 I was taught
>> that you always run as an ordinary user, and only use admin (root)
>> privileges when needed. If OS X developers are running as admin, and
>> building and testing their products as admin, well ... I'm still in
>> shock. And I weep for the species.
>
> Are you confusing the Mac specifics? Admin on OS X is not the same as
> root. Members of the Admin group can elevate privs to do things as the
> equivalent of root, and the Admin group can write to /Applications. The
> app in question could improve, of course, but the fact the Admin has so
> much power and that the first user you create is a member of that group
> is the fault of OS X.
>
> (At least, that's the way it worked not too long ago, Apple does seem to
> occasionally fix these things over time.)
>
> BB




Re: [SC-L] how far we still need to go

2007-07-25 Thread Blue Boar
William L. Anderson wrote:
> I am flabbergasted. When I first encountered Unix in 1983 I was taught
> that you always run as an ordinary user, and only use admin (root)
> privileges when needed. If OS X developers are running as admin, and
> building and testing their products as admin, well ... I'm still in
> shock. And I weep for the species.

Are you confusing the Mac specifics? Admin on OS X is not the same as
root. Members of the Admin group can elevate privs to do things as the
equivalent of root, and the Admin group can write to /Applications. The
app in question could improve, of course, but the fact the Admin has so
much power and that the first user you create is a member of that group
is the fault of OS X.

(At least, that's the way it worked not too long ago, Apple does seem to
occasionally fix these things over time.)

BB