
Re: Writing Secure code

From: John Viega <viega(at)list.org>
Date: Fri Dec 27 2002 - 16:06:51 EST


Matt,

Well, clearly the environment plays a factor. Indeed, we will agree that in an environment where there are no SMB shares, the applications I was describing really can be "probably" secure if coded carefully against possible risks from local users, because they don't have any sensitive data themselves to manipulate and they don't introduce a path to escalating privilege on the machine in which they run. In an environment where there's only a single local user, there really is no issue.

However, when doing audits of the security of an application, we try to assume the absolute worst case deployment environment. That is, you should always be asking yourself about the circumstances that might actually introduce risks you weren't already considering. Often, this will lead you to risk from insiders, including physical security. Usually, such risks aren't in a developer's threat model, even when they should be.

John

On Friday, December 27, 2002, at 03:59 PM, Matt McClellan wrote:

> I would explicitly qualify "not exploitable" as "not exploitable in a
Received on Fri Dec 27 22:39:52 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:44 EDT
