* Kenneth R. van Wyk:
There's an interesting article out on Net-Security.org (see the full article
at http://www.net-security.org/article.php?id=697) that addresses why
software development organizations adopt (or do not adopt) a Software
Security development methodology. Check it out --
der Mouse (Maus surely?) wrote
[snip]
Well, actually, but for the world's addiction to sloppy coding.
It's entirely possible to avoid buffer overflows in C; it just requires
a little care in coding. C's major failing in this regard - and I
don't actually consider it all that major - is
At 9:11 AM -0400 6/9/04, Gary McGraw wrote:
Language makes a huge difference, especially in the realm of bugs. So not using C
and C++ is smart. Use Java or C# instead.
Or Ada, or PL/I, or Pascal, or Eiffel, etc.
There are _lots_ of choices out there.
Startup Determina has released a product that they claim protects
against 100% of all memory based attacks, including all types of buffer
overflows, without any false positives, false negatives or noticeable
overhead.
This is apparently based on work done by their CTO, Dr. Saman Amarasinghe, who
Sloppy coding can be done in any language, but C and C++ have 3 features that
aggravate the problem:
1. The array=pointer idiom. Given a parameter which is an array, you can't ask
at run-time how big the array is - you have to do extra work and pass the size
in an additional parameter (whereas
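As an added illustration of the array=pointer point above (example code, not from the original message): inside the callee `sizeof` on an array parameter reports the pointer size, not the caller's array length, so the capacity has to be passed separately and checked before any copy. The buffer sizes and the over-long input string are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* An array parameter is really a pointer: the [64] is documentation only,
 * and sizeof yields the pointer size, so the callee cannot learn how many
 * bytes the caller actually allocated. */
size_t callee_sizeof(char buf[64]) {
    return sizeof buf;                     /* sizeof(char *), not 64 */
}

/* The same array measured where it is declared: here sizeof is the real length. */
size_t caller_sizeof(void) {
    char buf[64];
    return sizeof buf;                     /* 64 */
}

/* Because the capacity cannot be recovered from the pointer, it must be passed
 * explicitly. Copies src into dst, truncating to fit, always NUL-terminates,
 * and returns the number of bytes copied (excluding the terminator). */
size_t bounded_copy(char *dst, size_t dst_cap, const char *src) {
    if (dst == NULL || dst_cap == 0) return 0;   /* nothing can be written */
    size_t n = strlen(src);
    if (n >= dst_cap) n = dst_cap - 1;           /* leave room for the NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Exercise the bounded copy with a constructed over-long input (8-byte
 * destination, 26-byte source) and report whether the result stayed inside
 * the buffer and was terminated. */
int truncation_is_safe(void) {
    char small[8];
    const char *input = "constructed oversized text";  /* 26 bytes */
    size_t n = bounded_copy(small, sizeof small, input);
    return n == sizeof small - 1 && small[n] == '\0'
        && strncmp(small, input, n) == 0;
}

int main(void) {
    printf("sizeof in caller: %zu, as seen by callee: %zu\n",
           caller_sizeof(), callee_sizeof(NULL));
    printf("bounded copy safe: %s\n", truncation_is_safe() ? "yes" : "no");
    return 0;
}
```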
[EMAIL PROTECTED] wrote on Wednesday, June 09, 2004 7:58 AM:
Although I am in favor of languages that help prevent such nasties as
input buffer overruns, this is an excellent point. A sloppy
programmer will write sloppy code. Reminds me of an old saying that I
heard years ago while