Message-ID: <20031130023123.B14782@evita.devdas.geek>
From: devdas at dvb.homelinux.org (Devdas Bhagat)
Subject: automated vulnerability testing

On 29/11/03 12:30 -0800, Chris Adams wrote:
> On Nov 29, 2003, at 2:47, Choe.Sung Cont. PACAF CSS/SCHP wrote:
> > Bill Royds wrote:
> >> If you are truly interested in security, you won't use C as the
> >> programming language.
> > You must be shitting me..  C does have its inherent flaws but that doesn't
> > mean that there cannot be a secure application written in C.  This statement
> > represents FUD at its highest level.
> 
> Name a single non-trivial application written in C which has not had at 
> least one of the classic C security problems.
Qmail? DJBDNS?

> That's why we need different languages: even if you're one of the 
> extraordinarily small number of programmers who can write C without 
> bugs, there's abundant evidence that the average C programmer cannot be 
> trusted to do so.
No one is objecting to using more than one language. But saying that
those who are interested in secure coding will not use C is too much of
a blanket statement.
Is C the right language where the programmer needs control? Yes.
Is it right for operating systems? Yes.
Is it right for the next graphical singing and dancing paper clip
supported application? Not necessarily.

> The other problem is productivity - C programmers have to write 
> significantly more code to produce equivalent functionality which both 
Depending on what functionality is needed, what the operating conditions
are and what the budgetary constraints are, as well as what the
programmer is skilled in, the answer depends.

Devdas Bhagat

