Ben, I would not go so far as to say never use C++. It is probably the most powerful and expressive commercially successful programming language available today and there are often good reasons to use the language.
Secure programming in C++ is possible, but C++ itself is exceptionally complex, has many idiosyncrasies, and as a result it is very easy to make mistakes in the language. Because of these factors, many C++ experts recommend an idiomatic approach to C++ where basically you reuse snippets of code that do something akin to what you are after. The message here, of course, is that you are likely to mess up if you write some "new code" which has not been thoroughly considered by a panel of experts for many years. 8^)

> If you use the STL containers and follow basic good
> programming practices of C++ instead of using C-Arrays and pointer
> arithmetic then the unsafe C features are no longer an issue?

See https://www.securecoding.cert.org/confluence/display/cplusplus/13.+STL+%28STL%29 for common security flaws involving the STL.

See https://www.securecoding.cert.org/confluence/display/cplusplus/10.+Basic+string+class+%28BSC%29 for common security flaws involving basic_string (which also functions as an STL sequence container).

Integer-related security problems are basically the same for both C and C++.

> C and C++ are very different. Using C++ like C is arguably unsafe, but when
> it's used as it was intended can't C++ too be considered for secure
> programming?

I'll agree with you that using C++ in an idiomatic fashion is safer than using it like C. One of the things you will note through the www.securecoding.cert.org web site is that many of the problems for the C programming language also exist for C++, but the solutions are different because C++ offers better/different options. But you need to know to use these, you have to be aware of the new problems that C++ brings, and you often need to use C features to interact with existing libraries.

Hope this (partial) explanation helps somewhat.

rCs

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php