___cliff rayman___ wrote:

> you should have quoted your message as flame bait. or at least subclassed it
> as such. :-)

As should you :-)

> Glynn Clements wrote:
> > b) has (reasonably) strong typing, and
>
> i can see why this makes a program more efficient, but not more secure.

Are you on crack? Inducing type errors (treating integers as pointers, strings as integers, buffer overflows, etc.) is one of the primary ways to induce security vulnerabilities in software. A strongly typed language is largely invulnerable to this class of vulnerability.

> > c) tends to be legible.
>
> beauty is in the eye of the beholder. perl is much more legible to me than
> c++, and i prefer c++ legibility to many other languages.

You are definitely on crack. PERL is world renowned as the "write only programming language." PERL provides five ways to do any given thing. This makes it convenient to do rapid prototyping, and hence attractive to people trying to whip out a kludge by lunch time :-) Unfortunately, it also means that the odds are that the author of the software you're trying to read chose a different way to do something than the one you're familiar with. This makes it relatively hard to read the code. In the alternative, it makes it 5 times harder to fully understand the PERL language by memorizing every single construct.

> > Scripting languages such as Perl are useful for quick hacks, but
> > security-wise, they truly suck. Scan the BugTraq archives for
> > references to CGI programs; I would guess that around 90% of
> > vulnerabilities are due to the above.
>
> i don't think so.

I do, for the above reasons.

> the majority of the program crashes in this world are related to C/C++ and
> its use of pointers.

That's because C/C++ is also a type-unsafe language. Perl programs don't "crash", but they do produce unexpected results. Perl is at least as guilty as C of encouraging slack developers into believing that their program is correct just because it appears to "work."
> it is very easy to write secure perl programs.

No, it is very easy to write perl programs. To be secure, they would have to be audited, and auditing them is hard because PERL is hard to read.

> lots of people, especially beginners just happen to write CGI programs in
> perl and since they are not yet capable programmers, they write insecure
> code. beginners don't write CGI programs in C++ because it is outside the
> capability of beginners to do so. a skilled programmer will write quality
> code with either language.

This is true. However, we're talking about the merits of the programming languages. Neither Perl nor C/C++ are very good for security. Perl is good for rapid prototyping, C is good for high performance, and C++ is good for bloating your C programs :-) Java is a much stronger contender for secure programs, primarily because it is type safe. ML and Haskell would be some other strong contenders for secure programming languages, but there are many practical problems with trying to develop deployable apps in narrowly-supported languages.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
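The class of bug the message describes (an integer index combined with a raw pointer, with nothing in C's type system to stop the read running past the end) can be made concrete. The following is an added C example, not code from this thread: an unchecked accessor beside a hypothetical length-carrying `slice` type whose accessor refuses out-of-range and malformed CGI-style indexes, the check a strongly typed language performs implicitly; `RECORD` and the `lookup_field` helper are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample record for this example: 8 fixed-width fields. */
static const char RECORD[8] = {'A','B','C','D','E','F','G','H'};

/* The type-unsafe form the message complains about: idx is just an integer
 * and buf just an address, so nothing in C's type system stops buf[idx]
 * from reading outside RECORD (undefined behaviour for idx outside 0..7).
 * Shown for contrast only; never called with a bad index here. */
char field_unchecked(const char *buf, long idx) { return buf[idx]; }

/* Hypothetical length-carrying view. Because the length travels with the
 * pointer, the accessor can refuse bad indexes, which is the check a
 * type-safe language performs implicitly on every array access. */
typedef struct { const char *data; size_t len; } slice;

bool slice_get(slice s, long idx, char *out) {
    if (idx < 0 || (size_t)idx >= s.len) return false;  /* refuse, don't read */
    *out = s.data[idx];
    return true;
}

/* CGI-style input arrives as text. C leaves it to the caller to notice that
 * strtol consumed nothing or stopped early; a strongly typed language would
 * reject the conversion outright. Returns the field, or -1 on any bad input. */
int lookup_field(const char *text) {
    char *end = NULL;
    long idx = strtol(text, &end, 10);
    if (end == text || *end != '\0') return -1;        /* not a whole integer */
    slice rec = { RECORD, sizeof RECORD };
    char c;
    return slice_get(rec, idx, &c) ? (unsigned char)c : -1;
}

int main(void) {
    const char *inputs[] = { "3", "8", "-1", "2x", "" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("\"%s\" -> %d\n", inputs[i], lookup_field(inputs[i]));
    return 0;
}
```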
This archive was generated by hypermail 2b30 : Sun Jun 24 2001 - 10:43:48 PDT