[Owasp-leaders] Generating Passwords Hopw

Jeff Williams jeff.williams at aspectsecurity.com
Tue Jan 20 23:38:49 EST 2009


Hi,

I have been working with Sun and the rest of the Servlet team to get
some better security into the Java Servlet 3.0 specification for the
last year or so. While it has been interesting and somewhat productive,
it is *extremely* difficult to get them to acknowledge the idea that
their APIs need to change for security. I heard every excuse you can
think of (compatibility, performance, usability, complexity, insanity,
etc...). Anyway, while I think the goal is good, I'm not optimistic
about the prospects for just "providing feedback." I'm leaning towards
the ESAPI approach of providing safe wrappers or replacements for unsafe
methods.

--Jeff

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of McGovern,
James F (HTSC, IT)
Sent: Tuesday, January 20, 2009 9:50 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Generating Passwords Hopw

The rationale for me throwing this out was severalfold:

1. For whatever reason, I think I made this habit from reading Elliotte
Rusty Harold books on network programming.
2. I have been on a rant in the blogosphere regarding the security of
identity federation and all the new ways it exposes weak application
security approaches
3. Since I saw this style in Java, I wonder if there is merit in a
project that walks the JDK and CLR respectively and provides feedback on
weak APIs (e.g. Readline) such that MS and Sun can help champion better
ones while also deprecating weaker ones.


-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Marco M.
Morana
Sent: Saturday, January 17, 2009 6:40 PM
To: Rogan Dawes; owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Generating Passwords Hopw

Rogan

Thanks for your follow up and corrections on my previous email.

I actually posted what was discussed on my blog herein
http://securesoftware.blogspot.com/2009/01/java-security-why-not-to-use-string.html

I welcome your comments in light of the shared knowledge.

Thanks & Regards

Marco M.

----- Original Message -----
From: "Rogan Dawes" <rogan at dawes.za.net>
To: <owasp-leaders at lists.owasp.org>
Cc: "Marco M. Morana" <marco.m.morana at gmail.com>
Sent: Friday, January 16, 2009 3:17 PM
Subject: Re: [Owasp-leaders] Generating Passwords


> Marco M. Morana wrote:
>>
>> Sorry, slip-by typo in previous email... meant "string or char are
>> immutable" as an object whose state cannot be altered after it has been
>> initiated, 0.00 Cents...
>>
>> Regards
>>
>> marco
>
> char[] is hardly immutable.
>
> for (int i=0; i<chars.length; i++) {
>  chars[i] = 0;
> }
>
> You can't do that with String, hence the recommendation to use char[]
> for passwords/sensitive information.
>
> Strings also get internalized (saved in an internal cache), which means
> that even when you set the variable to null, the actual String object
> may never be garbage collected.
>
> Anyway, Pravir's suggestion to do a risk assessment is a good one.
>
> Rogan
> 

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
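Rogan's point in the quoted message above, that a char[] password can be overwritten after use while a String cannot, as an added Java example that is not part of the thread. The literal password and the PBKDF2 derivation are assumptions standing in for a real input source and a real consumer of the secret.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not code from the thread. The password travels through APIs
// that accept char[] and every copy under our control is overwritten afterwards,
// something an immutable String cannot offer.
public class PasswordHandling {

    // Derives a key from the password, then wipes both the caller's array
    // and the copy PBEKeySpec keeps internally.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();        // PBEKeySpec copied the array: zero that copy
            Arrays.fill(password, '\0'); // zero the caller's array as well
        }
    }

    // True when no character of the array still holds data.
    static boolean isWiped(char[] password) {
        for (char c : password) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; a real program would take the array from
        // Console.readPassword(), which returns char[] for exactly this reason.
        char[] pw = "correct horse battery".toCharArray();
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        byte[] key = deriveKey(pw, salt);
        System.out.println("key bytes: " + key.length);       // 32
        System.out.println("password wiped: " + isWiped(pw)); // true

        // The String path for comparison: the object is immutable, so nothing
        // here can overwrite its contents; dropping the reference only makes
        // it eligible for collection at some later, unspecified time.
        String s = new String(new char[] {'h', 'u', 'n', 't', 'e', 'r', '2'});
        s = null;
    }
}
```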