...
| Wiki Markup |
|---|
Software programs often contain multiple components that act as subsystems, wherewherein each component operates in one or more trusted domains. For example, one component may have access to the file system but lack access to the network, while another component has access to the network but lacks access to the file system. _Distrustful decomposition_ and _privilege separation_ \[[Dougherty 2009|AA. References#Dougherty 2009]\] are examples of secure design patterns that reduce the amount of code that runs with special privileges by designing the system using mutually untrusting components. |
While Although software components can obey policies that allow them to transmit data across trust boundaries, they cannot specify the level of trust given to any component. The deployer of the application must define the trust boundaries with the help of a systemwide security policy. A security auditor can use that definition to determine whether the software adequately supports the security objectives of the application.
...
- Operating system command interpreter (see rule IDS07-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method)
- A data repository with an a SQL-compliant interface
- XML parser
- XPath evaluators
- Lightweight Directory Access Protocol (LDAP) directory service
- Script engines
- Regular expression (regex) compilers
...