Dinis Cruz wrote:
If you do accept that it is possible to build such sandboxes, then we
need to move to the next interesting discussion, which is the 'HOW'.
Namely, HOW can an environment be created where the development and
deployment of such Sandboxes makes business sense?
It's the
Dinis Cruz wrote:
snip
After my explanations in this email do you still think that this is
correct? Or can you accept now that it is possible to build a Sandboxed
environment that is able to protect against the majority of the serious
security issues that affect web apps today?
If you do
Dinis,
Sandboxing prevents a machine from having bad system() and buffer
overflows causing system compromise. Sure, that's bad enough. However,
sandboxing does not prevent:
* all types of cross-site scripting
* SQL injection
* Command injection via SQL injection (xp_cmdshell and similar