Secure Coding mailing list archives
Programming language comparison?
From: Brian.A.Shea at bankofamerica.com (Shea, Brian A)
Date: Wed, 06 Feb 2008 09:35:59 -0800
It seems like this exchange is focused on whether bug / flaw classes can be applied to "All" programming languages or not. Isn't the question at hand which languages have the property "Subject to bug / flaw class XXX" (true | false), and not whether you can find one or more class that fits the "All" category?

What we need is a coherent dataset showing the languages that have been assessed, and the classes of bugs or flaws each is subject to. Then I could search that dataset to find the listing of "all languages that are / are not subject to security bug class XXXX" when doing assessments or deciding on my coding language.

-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of ljknews
Sent: Tuesday, February 05, 2008 8:37 PM
To: sc-l at securecoding.org
Subject: Re: [SC-L] Programming language comparison?

At 4:44 PM -0500 2/5/08, Steven M. Christey wrote:

> On Mon, 4 Feb 2008, ljknews wrote:
>
>>> ("%99999999s" to fill up disk or memory, anybody?), so it's marked
>>> with "All" and it's not in the C-specific view, even though there's a
>>> heavy concentration of format strings in C/C++.
>>
>> It is marked as "All"? What is the construct in Ada that has such a
>> risk?
>
> Hmmmm, I don't see any, but then again I don't know Ada. Is there no
> equivalent to format strings in Ada? No library support for it?

Not that I know of, but if you can specify a Pascal equivalent I might
be able to see what you are aiming at. Have you evaluated Pascal for
this defect that is present in "All" languages?

> Your question actually highlights the point I was trying to make - in
> CWE, we don't yet have a way of specifying language families, such as
> "any language that directly supports format strings," or "any language
> with dynamic evaluation."

Your choice of terminology is yours to make, only within the bounds of
reasonable use of English. In English there is a distinct difference
between the terms ALL and SOME, between the terms ALL and MANY and even
between the terms ALL and MOST.
-- 
Larry Kilgallen
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
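The exchange above turns on Steven Christey's point that a format string such as "%99999999s" is a resource-exhaustion flaw (disk or memory), not only the C memory-corruption case people usually associate with format strings. The C program below is an added example written for this archive page, not code posted by any participant in the thread. It puts the vulnerable pattern (untrusted input used as the format, with one fixed argument so the call stays well-defined C) beside the hardened pattern (untrusted input passed only as an argument) and uses snprintf's return value to measure how much output each call demanded without actually producing it. The 128-byte buffer, the fixed name "alice" and the format_has_conversions helper are assumptions of this example.

```c
#include <stdio.h>

/* Bounded scratch buffer; the size is an assumption of this example. A real
 * logger writing with fprintf() to a file has no such bound, which is the
 * point of the "%99999999s" remark in the thread. */
#define OUT_SZ 128
static char out[OUT_SZ];

/* Conversion argument supplied by the program, not by the attacker
 * (assumed value for the example). */
static const char *const NAME = "alice";

/* Vulnerable pattern: untrusted input becomes the format string.
 * The single %s argument is fixed, so the call is well-defined C, but the
 * width field is attacker-chosen: "%99999999s" demands ~100 MB of output
 * from one call. Through fprintf() to a log file that fills the disk;
 * through asprintf() or a growing heap buffer it exhausts memory.
 * snprintf() returns the length the call tried to produce, which lets us
 * observe the demand while writing at most OUT_SZ bytes. */
int vulnerable_demand(const char *untrusted_fmt)
{
    return snprintf(out, sizeof out, untrusted_fmt, NAME);
}

/* Hardened pattern: the format is a literal and untrusted data is only ever
 * an argument. A '%' in the input is now plain data, so the output length is
 * bounded by the input's own length plus the fixed "alice: " prefix. */
int hardened_demand(const char *untrusted)
{
    return snprintf(out, sizeof out, "%s: %s", NAME, untrusted);
}

/* Compensating check for code that genuinely must take a format string from
 * outside (a message catalogue, a config file): returns 1 if the string
 * contains any conversion other than the literal "%%", including a dangling
 * '%' at the end of the string, and 0 if it can be passed as a format with no
 * arguments. It deliberately does not try to validate widths or argument
 * counts; the only safe dynamic format is one with no conversions at all. */
int format_has_conversions(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" is an escaped percent sign, skip both */
            p++;
            continue;
        }
        return 1;            /* any other '%', or a trailing one, is a conversion */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: benign text, a plain %s, the thread's
     * disk-filling width, and an escaped percent sign. */
    const char *inputs[] = { "hello", "%s", "%99999999s", "100%% done" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-12s vulnerable_demand=%9d hardened_demand=%3d conversions=%d\n",
               inputs[i], vulnerable_demand(inputs[i]),
               hardened_demand(inputs[i]), format_has_conversions(inputs[i]));
    }
    return 0;
}
```

Run as-is, the vulnerable call reports a demanded length of 99999999 for the "%99999999s" input while the hardened call reports 17 (the prefix plus the ten input characters), which is the behavioural difference a reviewer should look for when deciding whether a given language's formatting facility is "subject to" this flaw class: the question is whether untrusted data can select the conversion and its width, not whether the language has raw pointers.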
Current thread:
- Programming language comparison? Vincent Verhagen (Feb 04)
- Programming language comparison? Robert A. Martin (Feb 04)
- Programming language comparison? Steven M. Christey (Feb 04)
- Programming language comparison? ljknews (Feb 04)
- Programming language comparison? Steven M. Christey (Feb 05)
- Programming language comparison? Robert C. Seacord (Feb 05)
- Programming language comparison? ljknews (Feb 05)
- Programming language comparison? Pete Shanahan (Feb 06)
- Programming language comparison? Shea, Brian A (Feb 06)
- Programming language comparison? Steven M. Christey (Feb 04)
- Programming language comparison? Robert A. Martin (Feb 04)