Re: Standards for developing secure software

From: Alex Russell (alexat_private)
Date: Thu Jan 23 2003 - 15:24:15 PST

    On Thursday 23 January 2003 15:57, Ed Carp wrote:
    > On Thu, 23 Jan 2003, Alex Russell wrote:
    > > faster and broken, that just means that it breaks _faster_. Um yeah, I
    > > think I'll pass on that.
    >
    > The reverse of your argument is that if it's slow and fat, it must be
    > better.
    
    which isn't a point I argued. I simply was attempting to illustrate that 
    there's a tradeoff between performance and security in most cases.  In any 
    instantaneous case, it's often _possible_ to do the right thing in the 
    fastest possible way, but this leads right back to the fallacy that we 
    should just teach people to write perfect C (not that we shouldn't, but 
    it's simply not realistic).
    
    >  Not true.  Your argument has several logical fallacies which I
    > shall refrain from pointing out, as they are not germane.
    
    offline then? I like feedback.
    
    > What *is* germane is the fact that security *can* be built into a
    > language, or a library, without a lot of bloat and code slowness.  
    
    note the qualifier "a lot". I'm not suggesting that it can't and shouldn't 
    be done, simply that like a lot of other things, security is a tradeoff.
    
    > Just
    > because a language is a relatively high-level language doesn't mean it
    > has to be slow, or bloated, or insecure.
    
    I never said it did.
    
    <snip> project plug removed </snip>
    
    > So, no, languages don't have to be like Java to be portable.
    
    I never said they did.
    
    > The whole portability argument that Java supports itself on is a
    > misnomer, anyway - Java runs very poorly (if at all) on small-footprint
    > devices
    
    Ever used J2ME? It works, it's portable, and it's here now. The various 
    "configurations" are enough to make you want to tear your hair out, but in 
    general, it's usable on devices that are small enough to comfortably fit 
    in your pocket.
    
    > and it doesn't take away any of the complexity in writing
    > applications.
    
    you're not talking to a Java lover. I'd much rather watch my Python code do 
    its job in the time I'd be spending looking up API calls in Java. But 
    strong-vs-loosely typed languages is another debate for another forum.
    
    -- 
    Alex Russell
    alexat_private
    alexat_private
    
    This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 16:52:10 PST