On Fri, Nov 22, 2013 at 09:21:20PM +0100, Peter Bex wrote:
> These are useful rules, and provide a simple answer to the complex
> problem for programmers who are swamped in work and don't have time
> to think about this stuff. I think that's something the langsec
> project should strive for as useful output.
To the point: if you want traction, you have to get it baked into the languages/frameworks they use. You can write Haskell all you want, but until you get it (at least) into ESAPI, or (better) into Java, C# and Ruby, in frameworks that developers are using, it's not going to affect the commercial world, and thus consumers at large.

The cost of converting the app to a safer language and retraining/rehiring the developers is just too large to justify for apps that are big enough to make money:

http://www.zdnet.com/blog/facebook/why-facebook-hasnt-ditched-php/9536

The hard part is going to be spending the time and effort to integrate with those framework/library/language teams and get your stuff in there and up-to-date. And that's where most solutions fail. But that's exactly the same difficulty that the developers face in integrating your work into their apps.

Not saying it's right, just that that's how it is. For the best security, we need to minimize the cost of using the systems.

--
http://www.subspacefield.org/~travis/
"Gobsmacked"
_______________________________________________ langsec-discuss mailing list [email protected] https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
