Subject: Re: BridgeWorks
From: arne (at) *nospam* vajhoej.dk (Arne Vajhøj)
Newsgroups: comp.os.vms
Date: 22. Jul 2024, 19:31:11
Organisation : A noiseless patient Spider
Message-ID : <v7m8hf$o37u$2@dont-email.me>
User-Agent : Mozilla Thunderbird
On 7/22/2024 1:39 PM, Dave Froble wrote:
> I would not consider SSL, TLS, MD5, SHA-1, and such applications. They are more environment protection, the way I see it. And you are correct, some no longer protect the environment for the real apps.
>
> Please explain to me how an application, for example an inventory application that tracks on hand product, would ever be involved in security? It is the environment that must provide the security, and the apps the actual work. Things get a bit grey when an application communicates outside the environment, but even then, it is the available security that is used, not the apps.
>
> So, your comments are not relevant to whether or not the apps written in say VB6 need support, at least from a security perspective.

I don't think it is a good description of such stuff to call it
environment that is independent of applications.

Sometimes application code directly specifies algorithms.

This one line of VB.NET code:

    Test("SHA-2 256 bit (managed)", New SHA256Managed())

uses SHA-256. And no environment change will make it use a different
algorithm (unless one did some really dirty hacking of the
.NET libraries).

Sometimes newer libraries are not available.

Let us say that one has some code that uses HTTPS. And
that programming language has a library that supports
TLS 1.3. Then in 5 years a vulnerability in TLS 1.3 is
found and TLS 1.4 is created. If a new version of the library
supporting TLS 1.4 becomes available then all fine - update the
library and the application is fine. But if not then the
application has a problem, because the available library is
not getting updated.
Arne
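
An added illustration of the point made in the post above, not part of the original message and not the poster's code: a Python analogue of the hard-coded `New SHA256Managed()` call next to a variant where the algorithm is a policy input and is stored with the digest. The function names, the `ALLOWED` list and the `algorithm$digest` format are assumptions made for this example.

```python
import hashlib
import hmac

# Hard-coded choice, analogous to New SHA256Managed() in the post:
# nothing outside the source code can change which algorithm runs here.
def fingerprint_fixed(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Hypothetical allow-list; a real application would load this from policy/config.
ALLOWED = ("sha256", "sha512", "sha3_256")

def _usable(algorithm: str) -> bool:
    # Allowed by policy AND actually provided by the installed library.
    return algorithm in ALLOWED and algorithm in hashlib.algorithms_available

def fingerprint_agile(data: bytes, algorithm: str = "sha256") -> str:
    """Return 'algorithm$hexdigest' so the algorithm travels with the value."""
    if algorithm not in ALLOWED:
        raise ValueError(f"algorithm not allowed by policy: {algorithm}")
    if not _usable(algorithm):
        # The second case in the post: the library on hand lacks the
        # algorithm, so the application cannot move to it.
        raise RuntimeError(f"library does not provide {algorithm}")
    return f"{algorithm}${hashlib.new(algorithm, data).hexdigest()}"

def verify(data: bytes, stored: str) -> bool:
    """Check data against a stored 'algorithm$hexdigest' value."""
    algorithm, _, expected = stored.partition("$")
    if not _usable(algorithm):
        return False  # refuse values made with a retired algorithm
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected)

def needs_upgrade(stored: str, preferred: str) -> bool:
    """True when a stored value was made with something other than `preferred`."""
    return stored.partition("$")[0] != preferred

if __name__ == "__main__":
    record = b"constructed sample record"  # constructed input
    old = fingerprint_agile(record, "sha256")
    print(old, verify(record, old), needs_upgrade(old, "sha512"))
```

With the fixed variant, changing the algorithm means changing and redeploying the application; with the tagged variant, it is a policy change plus re-hashing of the values that `needs_upgrade` flags, as long as the library provides the new algorithm.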