Re: .Net Satisfies Security Compliance Satisfactions or Not ???



What, an email stating that he wants to get paid by Microsoft to do an
audit, or you mean the link to a year-old email where he states that he has
not looked at the 2.0 specs? Or are you referring to the reference to the
default full-trust model where one can control processes running under .Net
with the ever-so-slight caveat of having to be able to upload scripts to the
server and have permission to run them? THOSE vulnerabilities? ;)

t


On 7/28/06 7:28 AM, "Nicolas Malbranche" <nmalbranche@xxxxxxxxx> spoketh to
all:

I don't know what security standards the original poster is talking about
either, but as for problems in regards to security, how about this?
http://www.owasp.org/index.php/Microsoft%27s_%27Full_Trust_ASP.NET_in_IIS_6.0_is_Insecure_by_Design%2C_by_Default_and_in_Deployment%27_Internal_White_Paper



-----Original Message-----
From: Rocky [mailto:rocky.he@xxxxxxxxxxxxxxxxxxxx]
Sent: Thursday, July 27, 2006 5:01 PM
To: shyaam@xxxxxxxxx; focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: .Net Satisfies Security Compliance Satisfactions or Not ???

Hi,
Well, aside from the fact that your post is obviously Anti
Microsoft despite your claim....

Actually the .NET Framework is quite secure. Don't confuse
developers writing insecure applications with .NET to mean
that .NET isn't secure. SANS is known for being very selective
in its fact reporting, which most places are, so I'm not
singling them out.

Can you give any specific examples of where .NET itself is not
adhering to the standards you mentioned so we can address them?

.NET actually enables less experienced developers to write far
more secure code than if they were writing in pure C++. It
offers experienced developers a way to write powerful and
secure applications with far less code than it would take to
write the equivalent secure code in C/C++ and in some cases Java.

I think perhaps you may have been misled, although I am very
curious to see what standards .NET is reportedly not up to
scratch with. I'm pretty familiar with a lot of them. The few
that do exist aren't standards but guidelines. I happen to
know that Microsoft is working with several other
organizations to create some secure coding standards as well.

RH


---------------------------------------------------------------------------