[Owasp-leaders] Generating Passwords

Jim Manico jim.manico at aspectsecurity.com
Fri Jan 16 02:31:09 EST 2009


Pravir,
 
I would dare say that even in shared environments, securing your use of passwords while they sit in RAM in a JVM is very low on the criticality chart compared to the OWASP Top 10 and other issues that ESAPI addresses. Even with a partially trusted environment - unless you are REALLY getting everything else right - don't worry about it. (Now you still need to encrypt data at rest - this is NOT data at rest, this is data *during operation* sitting in RAM.)
 
But then again, if you are in a non-trusted or partially trusted environment, well, should that kind of environment really be used for highly critical data?
 
End of the day - I think this is never an issue - and there are always bigger secure-architecture fish to fry: even in applets!
-- 
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security(tm)
Securing your applications at the source
http://www.aspectsecurity.com

________________________________

From: owasp-leaders-bounces at lists.owasp.org on behalf of Pravir Chandra
Sent: Thu 1/15/2009 6:30 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Generating Passwords



I completely agree with Jim with respect to server-side apps. However, it's important to keep in mind your threat model when considering code in other environments. For instance, it could be a valid concern for environments with partially trusted administrators or for code in appliance systems that must be resistant to reverse engineering.

p.

~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
Pravir Chandra                      chandra<at>list<dot>org
PGP:    CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: "Jim Manico" <jim.manico at aspectsecurity.com>

Date: Thu, 15 Jan 2009 19:19:09
To: <owasp-leaders at lists.owasp.org>; <owasp-leaders at lists.owasp.org>
Subject: Re: [Owasp-leaders] Generating Passwords


_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders



