Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
Too Cool For Secure Code
Jon Lasser, 2003-03-26

Until Unix and Linux programmers get over their macho love for low-level programming languages, the security holes will continue to flow freely.

Comments Mode:
Too Cool For Secure Code 2003-03-26
Anonymous (3 replies)
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-28
DrNerdware
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-26
Anonymous (4 replies)
Too Cool For Secure Code 2003-03-27
Anonymous (1 replies)
Don't Forget Ada! 2003-04-02
StealthBadger
Solving the problem 2003-03-27
Peter Ross
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous (1 replies)
Too Cool For Secure Code 2003-04-07
jhon blacken
That's the wrong attitude. 2003-03-26
Anonymous (26 replies)
That's the wrong attitude. 2003-03-27
Anonymous
Secure languages? 2003-03-27
Anonymous
That's the wrong attitude. 2003-03-27
Anonymous
That's the wrong attitude. 2003-03-27
dbtid (1 replies)
That's the wrong attitude. - haha, time to upgrade 2003-03-30
Anonymous (1 replies)
That's the wrong attitude. - haha, time to upgrade 2003-04-01
Penguinisto
That's the wrong attitude. 2003-03-27
Anonymous
ok but... 2003-03-27
SeJo
Re: That's the wrong attitude. 2003-03-27
George Barbarosie
That's the wrong attitude. 2003-03-27
Listener
Tools matter 2003-03-27
Jon
You are an idiot (or a troll). 2003-03-27
Anonymous
That's the wrong attitude. 2003-03-27
Anonymous
C/C++ are not the only performant languages. The software development community has, for years, labored under fallacies concerning managed languages. I'm using "managed" to describe everything from scripting languages to Java/C#/Lisp / etc.

The reason that you (and many other people) think that these languages are inherently slow is simply this -- they haven't had the same amount of time to mature as C/C++ has. C/C++ traces its roots back to languages designed and built in the 1960s -- that's 40 years of optimization, experimentation, etc.

Managed languages are catching up. Managed languages that use JIT compilers (translation to native assembly code, rather than using an interpreter) are capable of performance as good as -- and in some cases better than! -- C/C++.

Also, it is NOT the wrong attitude. Try telling your boss this: "I would rather take a risk on security holes, rather than spend $100 on more RAM." RAM is cheap. Security compromises are INCREDIBLY expensive -- not just in lost time and money, but in the perception of your company. Who trusts a company that has been compromised? Or has been compromised repeatedly, because they use (or develop) insecure software?

Security is too important to be left to humans. The more secure we can make our langauges, the better. In Java/C#, you simply eliminate huge classes of memory errors, and you eliminate precisely the ones that are so common in C/C++ development.

I have been developing software professionally for 10 years now. Jon Lasser has hit the nail on the head: It is extremely irresponsible to continue to use languages and environments (C/C++) that are KNOWN to be conducive to security bugs, when better languages and tools are available. (With the caveat -- correctly stated by Jon Lasser -- that in some cases you have no choice but to use C/C++.)



[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/150/18901#18901
Re: That's the wrong attitude. 2003-03-27
CondorDes
That's the wrong attitude. 2003-03-27
Anonymous
That's the wrong attitude. 2003-03-27
Ron
Re:That's the wrong attitude. 2003-03-27
Anonymous
That's the wrong attitude. 2003-03-28
Anonymous
That's the wrong attitude. 2003-03-28
DrNerdware
That's the wrong attitude. 2003-03-28
Anonymous
Obsolete thinking. 2003-03-28
Anonymous
That's the wrong attitude. 2003-03-28
Anonymous
That's the wrong attitude. 2003-03-28
Anonymous
That's the wrong attitude. 2003-03-28
Anonymous
That's the wrong attitude. 2003-03-28
Anonymous
Type safety is good 2003-03-28
Anonymous
Real issue: don't make the same mistakes. 2003-03-29
Anonymous
I totally agree 2003-04-08
Anonymous
Nonsense 2003-03-26
Anonymous
Too Cool For Secure Code 2003-03-26
Anonymous
Too Cool For Secure Code 2003-03-26
Anonymous
Too Cool For Secure Code 2003-03-26
Anonymous
Too Cool For Secure Code 2003-03-26
Anonymous (1 replies)
Too Cool For Secure Code 2003-03-31
SK
Too Cool For Secure Code 2003-03-26
Anonymous
Too Cool For Secure Code 2003-03-26
Anonymous
Too Cool For Secure Code 2003-03-26
mk
Slow news day? 2003-03-27
TJ Miller jr
Too Cool For Secure Code 2003-03-27
Marion De Liau (1 replies)
Too Cool For Secure Code 2003-03-31
Anonymous
Strong Typing, etc. 2003-03-27
RC
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Right idea, wrong solution 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Fra. 219
This is hogwash... I guess we should all use VB? That's High Level and we know how "bug" free that is. 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
so pilots can't really fly? 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Work at a C shop guys? 2003-03-27
Anonymous
Oh Boy 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Shawn
This is exactly right. 2003-03-27
Anonymous
Johnathan Lasser Isn't a a Programmer 2003-03-27
Someone Who Actually Writes Code (1 replies)
Johnathan Lasser Isn't a a Programmer 2003-04-02
Anonymous
Too Cool For Secure Code 2003-03-27
Das Megabyte (1 replies)
Too Cool For Secure Code 2003-04-08
ibanix
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Tirs
Too Cool For Secure Code 2003-03-27
Dave
Too Cool For Secure Code 2003-03-27
Ivan Vecerina
Too Cool For Secure Code 2003-03-27
Anonymous
Crap 2003-03-27
terber
christ, what a whinger 2003-03-27
mark hahn (hahn@mcmaster.ca)
Too Cool For Secure Code 2003-03-27
Anonymous
Syte and Methodology not the Tool 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
I Dont Think So 2003-03-27
Randy LeJeune
Too Cool For Secure Code 2003-03-27
X-Nc
Too Cool For Secure Code 2003-03-27
Kirk Rafferty (kirk_at_rafferty.org)
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Things should change 2003-03-27
Matthew B
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
I agree entirely 2003-03-27
Iain Collins (iain_collins@mac.com)
Too Cool For Secure Code 2003-03-27
Anonymous
Thats the _right_ attitude 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Sticks-and-Stones programming tools 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Higher level languages also insecure 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Bad code is a result of a poor development process 2003-03-27
c0d3cr33p@hotmail.com
Too Cool For Secure Code 2003-03-27
Synonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
simply sloppy programming 2003-03-27
rishab
Its not macho love its SKILLS! 2003-03-27
Anonymous
Silly 2003-03-27
Anonymous
Boo. 2003-03-27
Anonymous
(sigh) 2003-03-27
grey
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
I agree 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
It's Too Cool To Criticize Programmers 2003-03-27
PipTigger
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Java as a solution 2003-03-27
Anonymous
Many scripting languages don't scale 2003-03-27
PyMan
Too Cool For Secure Code 2003-03-27
Anonymous
MS security much worse. 2003-03-27
Ron
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
No.. No.. No.. 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too cool for secure code 2003-03-27
Ben
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Partially true 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Couldn't agree more 2003-03-28
Anonymous
Software responsibilities 2003-03-28
Anonymous
Blame the coder, not the language 2003-03-28
Anonymous
Alternatives? 2003-03-28
Anonymous
Too Cool For Tested Code? 2003-03-28
Werm
Too Cool For Secure Code 2003-03-28
Lee Reynolds
Stupidest piece I have ever read. 2003-03-28
Anonymous
Too Cool? No, not really. 2003-03-28
clee
Stop wasting electrons and our time 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code - Wise Words 2003-03-28
DrNerdware
Too Cool For Secure Code 2003-03-28
Angelos Karageorgiou
Too Cool For Secure Code 2003-03-28
Philips
Too Cool For Secure Code 2003-03-28
Anonymous
Way Kewl For Secure Code 2003-03-28
fnaaijkens@ultihouse.com
Too Cool For Secure Code 2003-03-28
Anonymous
For what it's worth, RPC wasn't 2003-03-28
Anonymous
Too Cool For Secure Code? My two cents 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
vijeno <vijen0@yahoo.com>
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
User clients are rarely security risks 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Re: Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-29
Anonymous
That was a joke ? 2003-03-29
Anonymous
Too Cool For Secure Code 2003-03-29
blacklight
I Agree 2003-03-29
LesPaul
Too Cool For Secure Code 2003-03-29
Not Really Anonymous
Too Cool For Secure Code - USE VB! 2003-03-30
Anonymous (1 replies)
Too Cool For Secure Code - USE VB! 2003-04-01
Anonymous
goto india; 2003-03-30
mummer the bard
Portability, efficentcy, hot air 2003-03-31
jthomas@poweronemedia.com
Too Cool For Secure Code 2003-03-31
G. Bailey Childs
Why say it's just Linux/unix? 2003-04-01
Ally
Too Cool For Secure Code 2003-04-01
Anonymous (1 replies)
Too Cool For Secure Code - uh, yeah no shit 2003-04-01
Anonymous
Too Cool For Secure Code -- Only Unix and Linux? 2003-04-02
winklessd@netscape.com
This is so funny - linux on linux battle 2003-04-02
Anonymous (1 replies)
This is so funny - linux on linux battle 2003-04-03
Anonymous (1 replies)
This is so funny - linux on linux battle 2003-04-03
Anonymous
The article reflets the writers inexperience 2003-04-08
Anonymous







 

Privacy Statement
Copyright 2009, SecurityFocus