RE: Programming languages -- the "third rail" of secure co ding

[Jeremy Epstein <jeremy.epstein () webmethods com>]

Kevin Wall pointed to http://www2.latech.edu/~acm/HelloWorld.shtml as a good
source point; several of the languages I programmed in aren't listed (e.g.,
PL/360, which in many respects was to the IBM 360 as C was to the PDP/11).
Throughout the 1970s (and maybe even 1980s) a researcher named Jean Sammet
at IBM published a yearly list of what claimed to be all the programming
languages in use.  See
http://www.computerhistory.org/events/hall_of_fellows/sammet/ for more about
her.

To relate this to security, I "discovered" the concept of a buffer overrun
when writing PL/360 code back in 1978.  Languages that lack strong typing,
like PL/360 and C, clearly have a harder time being secure than those that
aren't.  And that's true of reliability as well.

So perhaps such a list would be interesting if one identified the
characteristics that make a language "good" from a security perspective
(several such lists have been posted to this list), and then correlate it to
some of the very long lists of languages.  That would at least give a
starting point for a discussion of "best"....

IMHO, though, any such effort is pointless.  The reality is that we're going
to be stuck with C/C++, Java, C#, FORTRAN, COBOL, and various
interpreted/scripting languages for a very long time.  Rather than argue
about what makes something good/better, we'd be better off figuring out how
to use them more effectively.

As engineers, we need "good enough", not perfection.