* Kenneth R. van Wyk: There's an interesting article out on Net-Security.org (see the full article at http://www.net-security.org/article.php?id=697) that addresses why software development organizations adopt (or do not adopt) a Software Security development methodology. Check it out --
der Mouse (Maus surely?) wrote [snip] Well, actually, but for the world's addiction to sloppy coding. It's entirely possible to avoid buffer overflows in C; it just requires a little care in coding. C's major failing in this regard - and I don't actually consider it all that major - is
At 9:11 AM -0400 6/9/04, Gary McGraw wrote: Language makes a huge difference, eapecially in the realm of bugs. So not using C and C++ is smart. Use Java or C# instead. Or Ada, or PL/I, or Pascal, or Eiffel, etc. There are _lots_ of choices out there.
Startup Determina has released a product that they claim protects against 100% of all memory based attacks, including all types of buffer overflows, without any false positives, false negatives or noticeable overhead. This is appareantly based on work done by their CTO, Dr. Saman Amarasinghe, who
Sloppy coding can be done in any language, but C and C++ have 3 features that aggravate the problem: 1. The array=pointer idiom. Given a parameter which is an array, you can't ask at run-time how big the array is - you have to do extra work and pass the size in an additional parameter (whereas
[EMAIL PROTECTED] wrote on Wednesday, June 09, 2004 7:58 AM: Although I am in favor of languages that help prevent such nasties as input buffer overruns, this is an excellent point. A sloppy programmer will write sloppy code. Reminds me of an old saying that I heard years ago while