[Owasp-leaders] Generating Passwords

Pravir Chandra chandra at list.org
Fri Jan 16 02:45:41 EST 2009


Hey Jim.

Again, for any sort of server-side software, I largely agree.

However, I've definitely written up findings such as this in an
architecture review because it was indeed a relevant vulnerability
based on the business purpose of the software under review (I'm more
than happy to discuss those circumstances if anyone is interested).
Overall, the point I was making is that you must judge the risk of
such an attack based on the context of the software in question. So
albeit a nit, I disagree with the blanket statement that this is "never
an issue" and would amend it to something more like "rarely an issue"
:)

p.

On Thu, Jan 15, 2009 at 11:31 PM, Jim Manico
<jim.manico at aspectsecurity.com> wrote:
> Pravir,
>
> I would dare say that even in shared environments, securing your use of passwords while they sit in RAM in a JVM is very low on the criticality chart compared to the OWASP Top 10 and other issues that ESAPI addresses. Even with a partially trusted environment - unless you are REALLY getting everything else right - don't worry about it. (Now you still need to encrypt data at rest - this is NOT data at rest, this is data *during operation* sitting in RAM)
>
> But then again, if you are in a non-trusted or partially trusted environment, well, should that kind of environment really be used for highly critical data?
>
> End of the day - I think this is never an issue - and there is always bigger secure-architecture-fish to fry : even in applets!
> --
> Jim Manico, Senior Application Security Engineer
> jim.manico at aspectsecurity.com
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
>
> Aspect Security(tm)
> Securing your applications at the source
> http://www.aspectsecurity.com
>
> ________________________________
>
> From: owasp-leaders-bounces at lists.owasp.org on behalf of Pravir Chandra
> Sent: Thu 1/15/2009 6:30 PM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Generating Passwords
>
>
>
> I completely agree with Jim with respect to server-side apps. However, it's important to keep in mind your threat model when considering code in other environments. For instance, it could be a valid concern for environments with partially trusted administrators or for code in appliance systems that must be resistant to reverse engineering.
>
> p.
>
> ~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
> Pravir Chandra                      chandra<at>list<dot>org
> PGP:    CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
> ~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
>
> -----Original Message-----
> From: "Jim Manico" <jim.manico at aspectsecurity.com>
>
> Date: Thu, 15 Jan 2009 19:19:09
> To: <owasp-leaders at lists.owasp.org>; <owasp-leaders at lists.owasp.org>
> Subject: Re: [Owasp-leaders] Generating Passwords
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>



-- 
~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
Pravir Chandra                      chandra<at>list<dot>org
PGP:    CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
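The mitigation the thread is weighing, limiting how long a password sits in JVM memory, as an added example that is not code from this thread, from Aspect Security or from ESAPI. It uses the standard javax.crypto PBKDF2 API, which takes the password as a char[] precisely so it can be wiped; the 100,000-iteration work factor and the sample password are assumptions constructed for the demo.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example (not from the thread or ESAPI): keep a password in a char[]
 * for the shortest possible time and overwrite it once a derived value exists.
 * A java.lang.String is immutable and cannot be wiped, so a password held as a
 * String lingers in the heap until garbage collection; a char[] can be zeroed
 * the moment it is no longer needed.
 */
public class PasswordLifetime {

    private static final int ITERATIONS = 100_000;   // assumed work factor
    private static final int KEY_BITS = 256;

    /** Derive a PBKDF2 key from the password, then wipe every copy of the password. */
    static byte[] deriveAndWipe(char[] password, byte[] salt) throws Exception {
        // PBEKeySpec copies the array, so there are two copies to clear.
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();          // zero the copy held inside the spec
            Arrays.fill(password, '\0');   // zero the caller's array
        }
    }

    /** Verify a login attempt; the attempt array is wiped inside deriveAndWipe(). */
    static boolean verify(char[] attempt, byte[] salt, byte[] storedHash) throws Exception {
        byte[] derived = deriveAndWipe(attempt, salt);
        try {
            // Constant-time comparison so verification timing does not leak.
            return MessageDigest.isEqual(derived, storedHash);
        } finally {
            Arrays.fill(derived, (byte) 0);
        }
    }

    static boolean allZero(char[] a) {
        for (char c : a) {
            if (c != 0) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Enrolment: constructed sample password, cleared right after hashing.
        char[] enrol = "correct horse battery".toCharArray();
        byte[] stored = deriveAndWipe(enrol, salt);
        System.out.println("password wiped after enrolment: " + allZero(enrol));

        // Login attempt with the right password: accepted, and the array is wiped.
        char[] attempt = "correct horse battery".toCharArray();
        System.out.println("verified: " + verify(attempt, salt, stored));
        System.out.println("password wiped after verify: " + allZero(attempt));

        // Wrong password: rejected.
        char[] wrong = "wrong".toCharArray();
        System.out.println("wrong password rejected: " + !verify(wrong, salt, stored));
    }
}
```

Zeroing shrinks the window in which the password is readable, but it is not a guarantee: a copying garbage collector may already have relocated the array and left a stale copy behind, and swap or a heap dump can capture it as well. That is why, as the thread says, whether this is worth the effort depends on the threat model for the deployment rather than being a blanket rule.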