Re: automated vulnerability testing

[Devdas Bhagat <devdas () dvb homelinux org>]

On 29/11/03 12:30 -0800, Chris Adams wrote:
> On Nov 29, 2003, at 2:47, Choe.Sung Cont. PACAF CSS/SCHP wrote:
> > Bill Royds wrote:
> > > If you are truly interested in security, you won't use C as the
> > > programming language.
> > You must be shitting me..  C does have its inherent flaws but that 
> > doesn't
> > mean that there cannot be a secure application written in C.  This 
> > statement
> > represents FUD at its highest level.
>
> Name a single non-trivial application written in C which has not had at 
> least one of the classic C security problems.
Qmail? DJBDNS?

> That's why we need different languages: even if you're one of the 
> extraordinarily small number of programmers who can write C without 
> bugs, there's abundant evidence that the average C programmer cannot be 
> trusted to do so.
No one is objecting to using more than one language. But saying that
those who are interested in secure coding will not use C is too much of
a blanket statement.
Is C the right language where the programmer needs control? yes.
Is it right for operating systems? Yes.
Is it right for the next graphical singing and dancing paper clip
supported application? Not necessarily.

> The other problem is productivity - C programmers have to write 
> significantly more code to produce equivalent functionality which both 
Depending on what functionality is needed, what the operating conditions
are and what the budgetary constraints are, as well as what the
programmer is skilled in, the answer depends.

Devdas Bhagat

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html