Vulnerability Development mailing list archives

Re: C versus other languages, round 538 or so (Re: CGI scripts in sh)


From: Jonathan James <Jonathan () SECURITO SE>
Date: Thu, 28 Sep 2000 10:03:51 +0200

What you *still* haven't explained is HOW you do that. We both mentioned the
usage of company/project guidelines on how to write (secure) code. Is this
what you mean? Or do you simply mean having routine revisions of the design and
having the code evaluated for quality assurance? (This is what is known as
iterative development in fancy books [it has more names, btw], and is standard
in most development companies.)
I mean, having the entire code "designed", and not just how modules and
functions interact... Wouldn't this actually mean you have NO design, you
kind of implement it directly?
What I mean is that the design phase includes structuring, modularization and
interaction. This should be simulated by pseudo code.
After passing this phase you start to implement the code.


As in the discussion of whether C is too hard or not for experienced
programmers, isn't your code broken? :)
I didn't spend any time looking at the code. The example was there just to
illustrate my point.

#include <stdio.h>
#include <string.h>

int function(char *name) {
    char variable[5];
    strncpy(variable, name, 5);
    // (sizeof(variable)-1) instead of sizeof(variable) - NULL, \0, 0 ... whatever you want..
    variable[(sizeof(variable)-1)] = '\0';
    printf("Hello %s", variable);
    return 0;
}

Jonathan
http://www.securito.se
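
Added example, not part of the original post: a bounded copy that terminates at index size-1 as in the corrected snippet above and also reports truncation, next to a check showing that strncpy alone leaves no terminator when the source fills the buffer. The names bounded_copy, strncpy_terminated and NAME_BUF are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 5  /* assumption: same size as `variable` in the post */

/* Hypothetical helper: copy src into dst[dstsize], always NUL-terminated.
 * Returns 0 if src fit, 1 if it was truncated, -1 on bad arguments. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    /* Copy at most dstsize-1 bytes so the last slot stays free. */
    strncpy(dst, src, dstsize - 1);
    /* Last valid index is dstsize-1; dst[dstsize] would be one past the end. */
    dst[dstsize - 1] = '\0';
    return strlen(src) >= dstsize ? 1 : 0;
}

/* Returns 1 if a plain strncpy(buf, src, sizeof buf) left a terminator
 * somewhere inside the buffer, 0 if the buffer ended up unterminated. */
int strncpy_terminated(const char *src)
{
    char buf[NAME_BUF];
    memset(buf, 'X', sizeof(buf));      /* simulate stale stack contents */
    strncpy(buf, src, sizeof(buf));     /* no NUL written if strlen(src) >= 5 */
    return memchr(buf, '\0', sizeof(buf)) != NULL;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *names[] = { "Jon", "Jona", "Jonat", "Jonathan" };
    char out[NAME_BUF];
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int truncated = bounded_copy(out, sizeof(out), names[i]);
        printf("%-8s -> \"%s\" truncated=%d strncpy_terminated=%d\n",
               names[i], out, truncated, strncpy_terminated(names[i]));
    }
    return 0;
}
```

A caller that treats a truncated name as an error, rather than printing the shortened string, can act on the return value of bounded_copy.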

