Re: Standards for developing secure software

From: Valdis.Kletnieksat_private
Date: Thu Jan 23 2003 - 11:52:00 PST


    On Thu, 23 Jan 2003 13:22:41 EST, Witness said:
    
    > Here I must digress and cite the example of Java.  While it is certainly
    > the hll - and probably the one you are most thinking of - it is also the
    > language with the worst performance. While throwing more hardware
    > (memory/cpu) at it will speed it up and perhaps make the speed
    > differences between it and C or C++ less noticeable, the difference will
    > still be there.  And I for one don't think we should pay such a penalty
    > for security. Instead, I think that programmers should do it right in
    > the best language - that is one that provides the best speed/performance
    > and functionality - for the scenerio and then do it right so as there is
    > no need to incur costs like that of using Java.
    
    On the gripping hand, there exist a number of compilers for Java (gcc now
    has a Java front end, and there are several good JITC packages for Java as well)
    which make the performance *very* close to things coded in C.  And let's face
    it, a *LOT* of code does not have a speed/performance dependency, because
    it's waiting for user input or similar.  As a result, there are very good
    reasons for biasing the language choice in favor of functionality and security
    at a slight hit on the speed/performance side of things.
    
    If you're writing a GUI interface to the corporate database, and you know
    beforehand that 95% of the time you're going to be waiting for the user
    to push a button, and another 4% of the time you will be waiting for the
    database server to answer, it's much more important that the code be
    correct and secure than that it be fast.
    -- 
    				Valdis Kletnieks
    				Computer Systems Senior Engineer
    				Virginia Tech
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 14:24:23 PST