Re: Standards for developing secure software

From: Alex Russell (alexat_private)
Date: Thu Jan 23 2003 - 15:24:15 PST

Next message: jeremydat_private: "Secure programming FAQ?"

Previous message: Jason Coombs: "RE: PGP scripting..."
In reply to: Ed Carp: "Re: Standards for developing secure software"
Next in thread: Adrian Wiesmann: "Re: Standards for developing secure software"
Next in thread: Valdis.Kletnieksat_private: "Re: Standards for developing secure software"
Reply: Adrian Wiesmann: "Re: Standards for developing secure software"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thursday 23 January 2003 15:57, Ed Carp wrote:
> On Thu, 23 Jan 2003, Alex Russell wrote:
> > faster and broken, that just means that it breaks _faster_. Um yeah, I
> > think I'll pass on that.
>
> The reverse of your argument is that if it's slow and fat, it must be
> better.

which isn't a point I argued. I simply was attempting to illustrate that 
there's a tradeoff between performance and security in most cases.  In any 
instantenous case, it's often _possible_ to do the right thing in the 
fastest possible way, but this leads right back to the fallicy that we 
should just teach people to write perfect C (not that we shouldn't, but 
it's simply not realistic).

>  Not true.  Your argument has several logical fallacies which I
> shall refrain from point out, as they are not germane.

offline then? I like feedback.

> What *is* germane is the fact that security *can* be built into a
> language, or a library, without a lot of bloat and code slowness.  

note the qualifier "a lot". I'm not suggesting that it can't and shouldn't 
be done, simply that like a lot of other things, security is a tradeoff.

> Just
> because a language is a relatively high-level language doesn't mean it
> has to be slow, or bloated, or insecure.

I never said it did.

<snip> project plug removed </snip>

> So, no, languages don't have to be like Java to be portable.

I never said they did.

> The whole portability argument that Java supports itself on is a
> misnomer, anyway - Java runs very poorly (if at all) on small-footprint
> devices

Ever used J2ME? It works, it's portable, and it's here now. The various 
"configuraitons" are enough to make you want to tear your hair out, but in 
general, it's useable on devices that are small enough to comfortably fit 
in your pocket.

> and it doesn't take away any of the complexity in writing
> applications.

you're not talking to a Java lover. I'd much rather watch my Python code do 
it's job in the time I'd be spending looking up API calls in Java. But 
strong-vs-loosely typed languages is another debate for another foura.

-- 
Alex Russell
alexat_private
alexat_private

Next message: jeremydat_private: "Secure programming FAQ?"
Previous message: Jason Coombs: "RE: PGP scripting..."
In reply to: Ed Carp: "Re: Standards for developing secure software"
Next in thread: Adrian Wiesmann: "Re: Standards for developing secure software"
Next in thread: Valdis.Kletnieksat_private: "Re: Standards for developing secure software"
Reply: Adrian Wiesmann: "Re: Standards for developing secure software"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 16:52:10 PST