Secure Coding mailing list archives
RE: Programming languages -- the "third rail" of secure coding
From: ljknews <ljknews () mac com>
Date: Sun, 01 Aug 2004 20:37:37 +0100
At 1:03 PM +0930 8/1/04, Nick Lothian wrote:
IMHO, though, any such effort is pointless. The reality isthat we're goingto be stuck with C/C++, Java, C#, FORTRAN, COBOL, and various interpreted/scripting languages for a very long time.
What are peoples opinions of the languages listed above? Would I be overly controversial in saying: C/C++: Unsafe (for most people)
It is possible to code correctly in (almost) any language, but the likelihood of success varies. To me the big issue of C* languages has to do with what assurances _management_ has that the effort will result in correct code. The C++ compilers I know of allow a programmer to drop into raw C, and given the low level of understanding safety and security issues across the programming population there will be a strong temptation to do that.
Java/C#: Reasonably safe (both provide protection against buffer overflows, are type safe and provide built-in security mechanisms) FORTRAN/COBOL: Don't know - my impression is that COBOL is fairly safe Scripting Languages: Depends on the language. Lack of type safety can be a problem, but on the other hand they are usually safe from buffer overflows and the fact they you can do a lot more in fewer lines of code can make the code safer by making errors more obvious. Are there other languages in widespread use (ie, the language must be used more than - say - Python) that are safer than those listed above?
Certainly Ada is a lot safer than those above, and the SPARK subset we have discussed here is even safer (not just by being a subset but also by supporting proofs of correctness). SPARK is much less widely deployed that whatever was used to implement Internet Explorer, but I have strong preference as to which of the two I would want used in the programming of fly-by-wire for an airplane on which I fly. -- Larry Kilgallen
Current thread:
- RE: Programming languages -- the "third rail" of secure Nick Lothian (Aug 01)
- RE: Programming languages -- the "third rail" of secure coding ljknews (Aug 01)
- Re: Programming languages -- the "third rail" of secure Crispin Cowan (Aug 06)