RE: Application and System Security (was: RE: Honeypot stats)
- From: Kilgallen@xxxxxxxxxxx (Larry Kilgallen)
- Date: 5 Jan 2006 14:51:48 -0600
In article <yndvf.1250$ND4.545@xxxxxxxxxxxxxxxx>, hoff@xxxxxxxxx (Hoff Hoffman) writes:
> Application code that prompts for and verifies and/or that stores
> passwords, or that controls the execution of code, is a risk and is
> an obvious target. When your code is within the TCB, your code is
> a target.
When a participant here gets involved in a meeting discussing plans
to implement application-level authentication, just go down the list
of authentication safeguards in VMS and ask how the proposed code
will implement each. My absolute favorite is what happens when too
many password changes are made -- it is a familiar shortcoming in
most designs, including a few operating systems. Even the respected
NIST 800-53 document still erroneously says "use a minimum password
lifetime".