RE: .Net Satisfies Security Compliance Satistactions or Not ???

1. If it's not "any feud against M$", you might want to consider not
referring to Microsoft as "M$".

2. No offense to SANS, but even as recently as last week, I've heard things
they've told people about MS software that were last true in 1996. I don't
know if it's an endemic thing in SANS, or if they just have one or two
woefully uninformed people presenting for them, but they have propagated
some complete bulls**t presented as fact and people unfortunately sometimes
just swallow it up rather than verifying for themselves whether the
statements are accurate.

3. To whose "Security compliance standards" do you refer, exactly? There is
not a single set of standards out there for anything computer security

4. To what "vulnerable features" do you refer?

I'm sorry, but your post almost reads like a troll because you don't list a
single specific question, just throw out some FUD about the .NET framework.
If you have some actual questions, please, do ask them and you'll
undoubtedly get some well-informed responses. But what you've written below
is unanswerable because it doesn't actually ask any real questions.


-----Original Message-----
From: shyaam@xxxxxxxxx [mailto:shyaam@xxxxxxxxx]
Sent: Thursday, July 27, 2006 9:53 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: .Net Satisfies Security Compliance Satistactions or Not ???

Hey group,

I attended the SANS conference for .Net security session.
Based on some lectures and based on my search findings at
internet search engines, I wanted to ask if .NET cannot
comply to the Security compliance standards at all. Various
issues involved with the vulnerable features of .Net
framework scare the hell out of the Security Developers
around the world, who are involved with .Net framework. Did
any security group consider making any updates and releasing
it to M$, has anyone contacted them yet, any progress on
fixing these issues and bringing it into compliance.

Sorry if that involved a lot of questions in a single email
:-) Was just curious to know what is going around.


PS: this is not any feud against M$ and I am just trying to
learn more about this. Please don't respond to this email
thinking that I belong to some anti-M$ gang, I am requesting
as it has happened before. I need more input and hence I am
posting in this group.


