Secure Coding mailing list archives
RE: Programming languages -- the "third rail" of secure coding
From: Jeremy Epstein <jeremy.epstein () webmethods com>
Date: Fri, 30 Jul 2004 22:51:22 +0100
Kevin Wall pointed to http://www2.latech.edu/~acm/HelloWorld.shtml as a good source point; several of the languages I programmed in aren't listed (e.g., PL/360, which in many respects was to the IBM 360 as C was to the PDP/11).

Throughout the 1970s (and maybe even 1980s) a researcher named Jean Sammet at IBM published a yearly list of what claimed to be all the programming languages in use. See http://www.computerhistory.org/events/hall_of_fellows/sammet/ for more about her.

To relate this to security, I "discovered" the concept of a buffer overrun when writing PL/360 code back in 1978. Languages that lack strong typing, like PL/360 and C, clearly have a harder time being secure than those that don't. And that's true of reliability as well. So perhaps such a list would be interesting if one identified the characteristics that make a language "good" from a security perspective (several such lists have been posted to this list), and then correlated it to some of the very long lists of languages. That would at least give a starting point for a discussion of "best"....

IMHO, though, any such effort is pointless. The reality is that we're going to be stuck with C/C++, Java, C#, FORTRAN, COBOL, and various interpreted/scripting languages for a very long time. Rather than argue about what makes something good/better, we'd be better off figuring out how to use them more effectively. As engineers, we need "good enough", not perfection.