RE: [SC-L] Programming languages -- the third rail of secure

2004-08-01 Thread Nick Lothian

 IMHO, though, any such effort is pointless.  The reality is 
 that we're going
 to be stuck with C/C++, Java, C#, FORTRAN, COBOL, and various
 interpreted/scripting languages for a very long time.  
 Rather than argue
 about what makes something good/better, we'd be better off 
 figuring out how
 to use them more effectively.
 The problem is that some people persist in using less-safe 
 languages for
 new code.  When put into a discussion (here) with those who 
 say Use the
 best tool, a non-conversation takes place.
 If the list were retitled to be Secure Coding in 
 Unsupportive Languages
 or Secure Coding with Approprate Languages then half of us 
 would leave
 and the rest could actually conduct a discussion.
 Larry Kilgallen

What are peoples opinions of the languages listed above?

Would I be overly controversial in saying:

C/C++: Unsafe (for most people)
Java/C#: Reasonably safe (both provide protection against buffer overflows,
are type safe and provide built-in security mechanisms)
FORTRAN/COBOL: Don't know - my impression is that COBOL is fairly safe
Scripting Languages: Depends on the language. Lack of type safety can be a
problem, but on the other hand they are usually safe from buffer overflows
and the fact they you can do a lot more in fewer lines of code can make the
code safer by making errors more obvious.

Are there other languages in widespread use (ie, the language must be used
more than - say - Python) that are safer than those listed above? 


RE: [SC-L] Programming languages -- the third rail of secure coding

2004-07-21 Thread Nick Lothian

 I'd also point out that if it's languages you're trying to list,
 JavaScript arguably should not have a separate entry from Java 

Yes it should - they are substantially different languages, even if we look
at them only syntactically. You could argue that Javascript should be listed
as ECMAScript, though. There are a bigger problems with that list than this,


RE: [SC-L] Programming languages used for security

2004-07-13 Thread Nick Lothian

 Does anyone have pointers to articles on designing API's so 
 that they are
 easy to use securely?

Not specifically related to security, but is one of the
better things I've seen about designing APIs.