So in all the discussions, I think I'm seeing several main themes:

- Some holes are design or logic errors (possible in any language)
- Some holes are failures to code safely in a given language (language specific; possibly addressable by switching to a "safer" language)
- Some holes are harder to implement in a "safer" language (library, class...)

And I'm sure I've missed a few important ones.

Point is, I think in a number of cases, we mix these concepts in the same discussion, and I'm not sure that's always useful.

If we're talking about logic problems... you can always get your boolean conditional jump backwards, doesn't matter what language you use.

If we're talking about one flavor of secure coding (coding safely in a "dangerous" language), then that discussion/class necessarily needs to be very language specific. This problem also extends to things like system APIs, libraries, and so on. I don't know that any significant project can get away from that, regardless of the main language used.

If we're talking about secure coding in terms of picking a language that should help us not make whole classes of mistakes, then that's a different discussion.
