[Info-vax] BridgeWorks
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Wed Jul 24 08:23:22 EDT 2024

On 2024-07-23, Dave Froble <davef at tsoft-inc.com> wrote:
> On 7/22/2024 1:47 PM, Simon Clubley wrote:
>>
>> One simple example would be that a new form of injection attack is
>> discovered and it is discovered the old applications do not handle
>> it correctly. In addition, and making the problem far worse, the
>> problem may not be in the application code itself, but in one of
>> the language libraries that the application uses.
>
> Ah, Simon, how does any of what you mention get through a secure environment,
> and if it cannot, what does anything matter to what is behind that secure
> environment.
>
The injection attack is usually buried within the data that the "secure"
system processes.

> The real question: is the environment secure?
>
No. You only think it is. There is no such thing as a secure environment.
There is only such a thing as a more-secure environment.

> If the environment is not secure, what difference is there about whether the app
> implementation is supported, whatever that means?
>
Because when it is shown to be insecure, you no longer have the means
to fix the problem, especially if the insecurity is within a language
RTL, or in generated code that you have no direct control over.

Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.