Re: [SC-L] Programming language comparison?

2008-02-06 Thread Shea, Brian A
It seems like this exchange is focused on whether bug / flaw classes can
be applied to All programming languages or not.  Isn't the question at
hand which languages have the property Subject to bug / flaw class XXX
(true | false), and not whether you can find one or more class that fits
the All category?

What we need is a coherent dataset showing the languages that have been
assessed, and the classes of bugs or flaws each is subject to.  Then I
could search that dataset to find the listing of all languages that are
/ are not subject to security bug class  when doing assessments or
deciding on my coding language.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ljknews
Sent: Tuesday, February 05, 2008 8:37 PM
To: sc-l@securecoding.org
Subject: Re: [SC-L] Programming language comparison?

At 4:44 PM -0500 2/5/08, Steven M. Christey wrote:
 On Mon, 4 Feb 2008, ljknews wrote:
 
  (%s to fill up disk or memory, anybody?), so it's marked with
  All and it's not in the C-specific view, even though there's a heavy
  concentration of format strings in C/C++.

 It is marked as All ?

 What is the construct in Ada that has such a risk ?
 
 H, I don't see any, but then again I don't know Ada.  Is there no
 equivalent to format strings in Ada?  No library support for it?

Not that I know of, but if you can specify a Pascal equivalent
I might be able to see what you are aiming at.  Have you evaluated
Pascal for this defect that is present in All languages ?

 Your question actually highlights the point I was trying to make - in CWE,
 we don't yet have a way of specifying language families, such as any
 language that directly supports format strings, or any language with
 dynamic evaluation.

Your choice of terminology is yours to make, only within the
bounds of reasonable use of English.  In English there is a
distinct difference between the terms ALL and SOME, between
the terms ALL and MANY and even between the terms ALL and MOST.
-- 
Larry Kilgallen
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com)
as a free, non-commercial service to the software security community.


Re: [SC-L] Programming language comparison?

2008-02-05 Thread Vincent Verhagen
Gentlemen,

Thanks for the contributions to my question. They've been helpful!

Vincent


Vincent Verhagen wrote:
 Hi all,

 I was referred to this list by a fellow security consultant for this 
 specific question. Please forgive me if this is the wrong forum :)

 We're in the process of creating a kind of handbook for third parties 
 that develop web applications for us.
 One (quite extensive, I'm happy to report) chapter will be about 
 security and for that I'm looking for a comparison of common 
 programming/scripting languages (PHP, C variants, JAVA, etc.), their 
 specific risks, and why or why not to use them.
 Has anyone created such an overview I could use as a basis to work from?

 Thanks in advance!

 Vincent Verhagen
 Simac ICT Netherlands




Re: [SC-L] Programming language comparison?

2008-02-05 Thread Steven M. Christey

On Mon, 4 Feb 2008, ljknews wrote:

  (%s to fill up disk or memory, anybody?), so it's marked with
  All and it's not in the C-specific view, even though there's a heavy
  concentration of format strings in C/C++.

 It is marked as All ?

 What is the construct in Ada that has such a risk ?

H, I don't see any, but then again I don't know Ada.  Is there no
equivalent to format strings in Ada?  No library support for it?

Your question actually highlights the point I was trying to make - in CWE,
we don't yet have a way of specifying language families, such as any
language that directly supports format strings, or any language with
dynamic evaluation.

- Steve
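Added example, not CWE data or any list member's code: a constructed Python model of the "applicable platforms" idea discussed in Brian Shea's dataset proposal and in Steve's point about language families. Families are predicates over language properties, so the per-language view, the query "which assessed languages are / are not subject to class X", and whether a class has really earned "All" rather than "Most" or "Some" can all be computed. The language property values, weakness ids and names are constructed samples, not an assessment of the real languages.

```python
# Constructed model of CWE applicability with language families; the property
# values below are illustrative, not an assessment of the real languages.
from dataclasses import dataclass

@dataclass(frozen=True)
class Language:
    name: str
    format_strings: bool  # printf-style formatting in the standard library
    dynamic_eval: bool    # can evaluate source text at run time
    manual_memory: bool   # unchecked pointer arithmetic and manual frees

# Constructed sample of "assessed" languages.
LANGUAGES = [
    Language("C", True, False, True),
    Language("C++", True, False, True),
    Language("Java", True, False, False),  # java.util.Formatter
    Language("PHP", True, True, False),    # sprintf() and eval()
    Language("Ada", False, False, False),  # no printf-style formatting assumed
]

# Family predicates: the "language families" CWE could not yet express.
FAMILIES = {
    "All": lambda lang: True,
    "FormatStrings": lambda lang: lang.format_strings,
    "DynamicEval": lambda lang: lang.dynamic_eval,
    "ManualMemory": lambda lang: lang.manual_memory,
}

# Constructed catalogue: placeholder id -> (name, family).
WEAKNESSES = {
    "W-FMT": ("Uncontrolled format string", "FormatStrings"),
    "W-EVAL": ("Eval injection", "DynamicEval"),
    "W-BOF": ("Buffer overflow", "ManualMemory"),
    "W-INPUT": ("Improper input validation", "All"),
}

def subject_to(weakness_id, subject=True, languages=LANGUAGES):
    """Languages that are (or, with subject=False, are not) subject to the class."""
    pred = FAMILIES[WEAKNESSES[weakness_id][1]]
    return sorted(l.name for l in languages if pred(l) == subject)

def language_view(name, languages=LANGUAGES):
    """Per-language view: every class whose family covers this language."""
    lang = next(l for l in languages if l.name == name)
    return sorted(w for w, (_, fam) in WEAKNESSES.items() if FAMILIES[fam](lang))

def coverage(weakness_id, languages=LANGUAGES):
    """Quantifier a class has earned: 'All' only if every assessed language is subject."""
    n, total = len(subject_to(weakness_id, languages=languages)), len(languages)
    return "All" if n == total else "None" if n == 0 else "Most" if 2 * n > total else "Some"
```

With the sample data, the format-string class covers four of five assessed languages and so reports "Most", not "All"; only the class tagged with the "All" family covers Ada.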


[SC-L] Programming language comparison?

2008-02-04 Thread Vincent Verhagen
Hi all,

I was referred to this list by a fellow security consultant for this 
specific question. Please forgive me if this is the wrong forum :)

We're in the process of creating a kind of handbook for third parties 
that develop web applications for us.
One (quite extensive, I'm happy to report) chapter will be about 
security and for that I'm looking for a comparison of common 
programming/scripting languages (PHP, C variants, JAVA, etc.), their 
specific risks, and why or why not to use them.
Has anyone created such an overview I could use as a basis to work from?

Thanks in advance!

Vincent Verhagen
Simac ICT Netherlands



Re: [SC-L] Programming language comparison?

2008-02-04 Thread Robert A. Martin
Hi Vincent,

While not an overview, you can find language-specific weaknesses for 
C, Java, C++, and PHP on the Other Views page of the Common 
Weakness Enumeration (CWE) Project (see 
http://cwe.mitre.org/data/other.html).

The List items give the names of the issues, the Slice gives a 
concatenated set of the write-ups of those items, and the XML will 
give you a concatenated extract of the XML for those items versus 
hunting for them in the complete XML for CWE.

These aren't specific to web application issues, so there will be some 
pruning of the list for your purposes.  One way to focus the list 
would be to correlate them with the CWEs listed in the OWASP Top 10 
as a start; that is another list on the above page, with 24 items 
listed, but some of them are not language-specific, so they would be in 
addition to the others.

The above lists include 56 for C, Java has 70, C++ has 58, and PHP has 10.

You still need to add to that the issues that apply to all languages 
versus these lists of language-specific weaknesses, and C and C++ have 
significant overlap given their relationship.

Regards,

Bob Martin
CWE Project Leader
MITRE Corporation

P.S. Comments and suggestions for new items, clarifications, or 
additional examples are welcome for this community effort, either 
directly to [EMAIL PROTECTED] or through the cwe-research-list, which you 
can sign up for on the site.

At 1:16 PM +0100 2/4/08, Vincent Verhagen wrote:
Hi all,

I was referred to this list by a fellow security consultant for this
specific question. Please forgive me if this is the wrong forum :)

We're in the process of creating a kind of handbook for third parties
that develop web applications for us.
One (quite extensive, I'm happy to report) chapter will be about
security and for that I'm looking for a comparison of common
programming/scripting languages (PHP, C variants, JAVA, etc.), their
specific risks, and why or why not to use them.
Has anyone created such an overview I could use as a basis to work from?

Thanks in advance!

Vincent Verhagen
Simac ICT Netherlands

