db-derby-user mailing list archives

From Kathey Marsden <kmarsdende...@sbcglobal.net>
Subject Re: Derby secure by default
Date Tue, 20 Sep 2011 00:28:37 GMT
On 9/19/2011 1:20 PM, José Ventura wrote:
>
> I'm not sure whether making the default value "on" will actually 
> improve security as a whole. If a developer hasn't given thought to 
> security, there are plenty of other pitfalls that may compromise an 
> application (e.g. "where should I store the (previously unneeded yet 
> now required) username and password?").
>
> On the other hand, if s/he did in fact think about security, then odds
> are that simple, concise documentation will point him/her to
> happily turn on the switch with minimum nuisance, and proceed to
> secure the rest of the application.
>
I think this is a very good point. The claim of "secure by default" is
a very strong claim and may give a false sense of overall security.
Some things, like encryption and perhaps stricter security manager
settings, are not part of the default, but might be an important part of
actually securing a particular application. I agree it is good for the
application developer to plan security and for us to make it as easy as
possible for them to do so from a Derby perspective.

Perhaps the conversation about the default is premature. Perhaps we
should first nail down the easy security knob and understand its
behavior and usefulness, and then discuss whether it should/could be the
default.
Kathey