RE: Credentials held unencrypted in memory during runtime
From: Feldhacker, Chris <Feldhacker.Chris_at_principal.com>
Date: Tue, 12 Apr 2011 08:25:57 -0500
CERT provides secure coding best practices:
Chapter 8 covers "Memory Management", with the following relevant topics:
MEM03-CPP. Clear sensitive information stored in returned reusable resources
Complete with good/bad coding examples.
Rationalizing why something is/is not a security issue by scenario examples or logic of "it would just be easier for an attacker to do X" misses the point and does not foster secure software. Lots of really smart people have chewed on these problems for years and secure coding best practices have been established as a result.
Is the argument that secure coding best practices are wrong?
(BTW, "pervasive memory scraping" is the term being used these days -- apparently the SANS Institute identified this as the top threat for this year. A good Google search will turn up lots of references, and one counter-measure in a defense-in-depth strategy is to ensure in-memory sensitive data is handled appropriately...)
This is an archived mail posted to the TortoiseSVN Users mailing list.
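An added example, not part of the original message and not CERT's own code: a C sketch of the situation MEM03-CPP names, where a buffer that held a credential is returned to a reusable pool. The pool, its sizes and all function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define SLOT_SIZE 64
#define SLOT_COUNT 4

/* Hypothetical fixed pool of reusable buffers (illustrative names). */
static unsigned char pool[SLOT_COUNT][SLOT_SIZE];
static int in_use[SLOT_COUNT];

/* Zero through a volatile pointer so the compiler cannot discard the
   stores as dead writes, which it may do with a plain memset. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Hand out a free slot, or NULL when the pool is exhausted. */
unsigned char *slot_acquire(void) {
    for (int i = 0; i < SLOT_COUNT; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

/* Map a pointer back to its slot index, or -1 if it is not ours. */
static int slot_index(const unsigned char *p) {
    for (int i = 0; i < SLOT_COUNT; i++)
        if (p == pool[i]) return i;
    return -1;
}

/* Shared release path; wipe != 0 clears the slot before reuse. */
static int release(unsigned char *p, int wipe) {
    int i = slot_index(p);
    if (i < 0 || !in_use[i]) return -1;   /* foreign or double release */
    if (wipe) secure_zero(pool[i], SLOT_SIZE);
    in_use[i] = 0;
    return 0;
}
int slot_release_unsafe(unsigned char *p) { return release(p, 0); } /* bad  */
int slot_release(unsigned char *p)        { return release(p, 1); } /* good */

/* Count non-zero bytes the next holder of this slot would inherit. */
size_t slot_residue(const unsigned char *p) {
    size_t n = 0;
    for (size_t i = 0; i < SLOT_SIZE; i++) n += (p[i] != 0);
    return n;
}
```

After `slot_release_unsafe`, the next `slot_acquire` caller receives the previous holder's bytes intact; after `slot_release`, `slot_residue` on the reused slot is 0.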