Re: .Net Satisfies Security Compliance Satistactions or Not ???



What, an email stating that he wants to get paid by Microsoft to do an
audit, or you mean the link to a year-old email where he states that he has
not looked at the 2.0 specs? Or are you referring to the reference to the
default full-trust model where one can control processes running under .Net
with the ever-so-slight caveat of having to be able to upload scripts to the
server and have permission to run them? THOSE vulnerabilities? ;)

t


On 7/28/06 7:28 AM, "Nicolas Malbranche" <nmalbranche@xxxxxxxxx> spoketh to
all:

I don't know what security standards the original poster is talking about
either, but as for problems in regards to security, how about this?
http://www.owasp.org/index.php/Microsoft%27s_%27Full_Trust_ASP.NET_in_IIS_6.0_is_Insecure_by_Design%2C_by_Default_and_in_Deployment%27_Internal_White_Paper



-----Original Message-----
From: Rocky [mailto:rocky.he@xxxxxxxxxxxxxxxxxxxx]
Sent: Thursday, July 27, 2006 5:01 PM
To: shyaam@xxxxxxxxx; focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: .Net Satisfies Security Compliance Satistactions
or Not ???

Hi,
Well, aside from the fact that your post is obviously Anti
Microsoft despite your claim....

Actually the .NET Framework is quite secure. Don't confuse
developers writing insecure applications with .NET to mean
that .NET isn't secure. SANS is known for being very selective
in its fact reporting, which most places are, so I'm not
singling them out.

Can you give any specific examples of where .NET itself is not
adhering to the standards you mentioned so we can address them?

.NET actually enables less experienced developers to write far
more secure code than if they were writing in pure C++. It
offers experienced developers a way to write powerful and
secure applications with far less code than it would take to
write the equivalent secure code in C/C++ and in some cases Java.

I think perhaps you may have been misled, although I am very
curious to see what standards .NET is reportedly not up to
scratch with. I'm pretty familiar with a lot of them. The few
that do exist aren't standards but guidelines. I happen to
know that Microsoft is working with several other
organizations to create some secure coding standards as well.

RH

