Secure Coding mailing list archives

Programming language comparison?

From: Brian.A.Shea at bankofamerica.com (Shea, Brian A)
Date: Wed, 06 Feb 2008 09:35:59 -0800

It seems like this exchange is focused on whether bug / flaw classes can
be applied to "All" programming languages or not.  Isn't the question at
hand which languages have the property "Subject to bug / flaw class XXX"
(true | false), and not whether you can find one or more class that fits
the "All" category?

What we need is a coherent dataset showing the languages that have been
assessed, and the classes of bugs or flaws each is subject to.  Then I
could search that dataset to find the listing of "all languages that are
/ are not subject to security bug class XXXX" when doing assessments or
deciding on my coding language.

-----Original Message-----
From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org] On Behalf Of ljknews
Sent: Tuesday, February 05, 2008 8:37 PM
To: sc-l at securecoding.org
Subject: Re: [SC-L] Programming language comparison?

At 4:44 PM -0500 2/5/08, Steven M. Christey wrote:

On Mon, 4 Feb 2008, ljknews wrote:

("%99999999s" to fill up disk or memory, anybody?), so it's marked

with

"All" and it's not in the C-specific view, even though there's a

heavy

concentration of format strings in C/C++.


It is marked as "All" ?

What is the construct in Ada that has such a risk ?


Hmmmm, I don't see any, but then again I don't know Ada.  Is there no
equivalent to format strings in Ada?  No library support for it?


Not that I know of, but if you can specify a Pascal equivalent
I might be able to see what you are aiming at.  Have you evaluated
Pascal for this defect that is present in "All" languages ?

Your question actually highlights the point I was trying to make - in

CWE,

we don't yet have a way of specifying language families, such as "any
language that directly supports format strings," or "any language with
dynamic evaluation."


Your choice of terminology is yours to make, only within the
bounds of reasonable use of English.  In English there is a
distinct difference between the terms ALL and SOME, between
the terms ALL and MANY and even between the terms ALL and MOST.
-- 
Larry Kilgallen
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________

Current thread:

Programming language comparison? Vincent Verhagen (Feb 04)
- Programming language comparison? Robert A. Martin (Feb 04)
  - Programming language comparison? Steven M. Christey (Feb 04)
    - Programming language comparison? ljknews (Feb 04)
    - Programming language comparison? Steven M. Christey (Feb 05)
    - Programming language comparison? Robert C. Seacord (Feb 05)
    - Programming language comparison? ljknews (Feb 05)
    - Programming language comparison? Pete Shanahan (Feb 06)
    - Programming language comparison? Shea, Brian A (Feb 06)
- Programming language comparison? Craig E. Ward (Feb 04)
- Programming language comparison? Vincent Verhagen (Feb 05)