Kenneth Van Wyk wrote:
>
> On Aug 7, 2007, at 7:01 AM, Francisco Nunes wrote:
>> During our conversation, I made a question to Mr.
>> Hayes similar to this: "Is it possible that only
>> software development process improvements can produce
>> secure s
McGovern, James F (HTSC, IT) wrote:
> Figured I would ask the list a question that I haven't figured out the answer
> to. How have other enterprises that seek architects and developers
> knowledgeable in secure coding software development practices articulated it
> to their internal HR recruitin
Sandboxes for Dummies," I would make it
required reading for all Java and .Net (and for that matter, all other)
programmers.
You're /*way*/ ahead of the crowd here.
My $0.02.
Best regards,
George Capehart
___
Secure Coding mailing list (SC-L)
S
Dinis Cruz wrote:
>
> A couple of comments on your article:
>
> /"... .NET has a built-in security model just like Java. .NET is type
> safe just as Java is type safe. ..."/
>
> This is only correct when .Net is executed under Partial Trust and Java
> with the Security Manager enabled.
>
> In
Gadi Evron wrote:
>
> In other words, it's just Javascript. Do your coding securely. I don't
> like the big buzz. This is nothing new.
Hola Gadi!
*grin* I absolutely agree. It is absolutely not new . . .
>>> The challenge is in helping people to understand what a security
>>> boundary is.
T
Yvan Boily wrote:
> Hi George,
>
> I think a much more eloquent form of what you are saying is that
> validation must be performed each time data crosses a security
> boundary.
Hello Yvan,
I absolutely agree. Wish I'd said it myself . . . :)
>
> The challenge is in helping people to understan
Dinis Cruz wrote:
> I personally think that AJAX has the potential to create very insecure
> applications because it pushes the data validation and authorization layers
> back to the client (i.e. the browser)
>
> "AJAX brings 'Back the Rich Client' and all its security problems"
>
> Kentaro, on
recise. Problem
is, implementing the kind of discipline that the CMM measures is neither
easy nor cheap, even though, in the long run, it pays off handsomely.
It typically implies major changes in the way processes are managed, and
that's typically painful. It's also frequently unsuccessful in
On Tuesday 30 November 2004 11:58, Evans, Arian allegedly wrote:
> I've almost completely ignored this thread because like
> George I believe it's the same old broken record I first
> heard Marcus Ranum spin up a decade ago. When it comes to
> this subject I feel like we [security professionals] ar
level problem. It's not going to be solved until the people
giving the orders give orders to "do it right." I know many developers
and project managers who have a clue, but it doesn't matter if they are
not allowed to exercise it.
My 0.02$CURRENCY.
Cheers,
George Capehart
--
George W. Capehart
Key fingerprint: 3145 104D 9579 26DA DBC7 CDD0 9AE1 8C9C DD70 34EA
"With sufficient thrust, pigs fly just fine." -- RFC 1925
r starters, in no particular order:
>
I have two other items that I'd add to the list. Neither are really
papers, though. One is the NIST Introduction to Computer Security (SP
800-12 at
http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf.
The other is Bruce Schneier'
seer.ist.psu.edu/
and search on terms like Kerberos, SSL, TLS, IPSec, etc. Then, see
_Applied_Cryptography_ and _Practical_Cryptography . . .
You are absolutely correct that, left unprotected, message passing
systems are subject to *all* *sorts* of attacks. The good news is that
there are lots
On Thursday 04 March 2004 10:17 am, Andreas Saurwein wrote:
> On a somewhat abstract line of thinking, in regards to the latest
> virus outbreaks, one idea came up which might be even useful:
>
> I think that we all agree that the current outbreak of Netsky, Bagle
> and others is mainly because use
at
was built for Web-based applications.
- Probably the most robust implementations are in commercial products
that are built around the SESAME core.
A robust implementation of RBAC for applications is complex. If you
have more questions, I'd be happy to help off-list.
Best regards,
George