Most functional languages have design features that enhance their security. I'm referring to Clojure, Haskell, and Erlang, but this won't be limited to those three. As someone who was hired to handle cyber security needs of a contracting IT company, my personal and professional opinion is this: I would trust someone who programs in a functional language to create _and_ maintain software that is relatively more secure.
If you take what James Reeves said about writing secure code and apply it to alternative technologies which don't implement functional programming, you'll see that these technologies do not put an emphasis on secure or sometimes even modern development practices. Currently I'm on assignment doing risk analysis at a place which uses both Adobe ColdFusion and .NET IIS based web applications. A year ago they got hacked pretty bad.

Yes, I will bash Adobe and Microsoft. Yes, .NET and ColdFusion have the same object-oriented and procedural paradigms that all our university "introduction to programming" classes have made us feel comfortable with. Yes, deployment _can_ be as easy as uploading code to a shared FTP folder. Yes, these products integrate well with the easy-to-use graphical user interfaces that Adobe's and Microsoft's development tools all come with.

But you know what? While Microsoft and Adobe were focusing on making their products easier to use for their next target market, the Clojure devs were busy designing a language that is error-resistant from the ground up. Not only does it handle errors better, but it also forces the programmer to program in a way that is less error prone yet still productive. While Microsoft and Adobe were building lame FTP clients into their development tools, the Lein devs were doing better by integrating Maven's build and dependency management into a dead-simple deployment tool that works well with all kinds of online code repositories. Code repositories which, by the way, neither Adobe nor Microsoft had (at the time) encouraged the use of. Even though much of Clojure is still terminal based (i.e., REPL), at least there aren't multiple levels of undocumented and proprietary abstraction. With Clojure, you can get as abstract or as low level as you want (OpenJDK, DTrace).

All these are characteristics of what I'd call Good (TM) Modern (TM) Software Development (TM), so they can still apply to non-functional languages too.
Without a doubt, however, you'll find these characteristics in most of today's functional programming languages. Clojure has them built in. Pretty much all the Haskell and Erlang programmers are doing this. These are languages that will help any organization avoid a whole host of problems. If you were trying to do software development as a career, secure or not, you can bet that any functional programming dev who works with you will be competent enough to create reasonably secure code. That's not the case with all software development. On top of that, when a security vulnerability is discovered - as long as it's not something inherent to a Java library or the JVM - fixing it should be less of a headache as long as you know your code and read the documentation.

By now I might sound critical of other developers, but you have to understand that many of these groups get paid A LOT of money to create things correctly.

On Sunday, May 4, 2014, James Reeves <ja...@booleanknot.com> wrote:

> I've never heard anyone express that sentiment before. If anything the opposite is true.
>
> A large part of writing secure code is about avoiding errors, so any language feature that helps you write error-free code is good for security. Functional programming eliminates mutable state as a source of errors, which is one less thing that can go wrong in your secure code. Functional languages often have more sophisticated static typing as well, which is yet another potential aid to producing secure code.
>
> - James
>
> On 4 May 2014 08:24, Cecil Westerhof <cldwester...@gmail.com> wrote:
>
>> I heard the stand that functional programming made it difficult to write secure programs. I do not know enough of functional programming yet to determine the value of a statement like this. What is the take here about it?
>>
>> --
>> Cecil Westerhof

--
- EJR