Full Disclosure mailing list archives
Re: automated vulnerability testing
From: Valdis.Kletnieks () vt edu
Date: Sun, 30 Nov 2003 00:01:14 -0500
On Sat, 29 Nov 2003 15:11:02 EST, Bill Royds <full-disclosure () royds net> said:
Only a good programmer can write safe C. Most programmers are not good programmers. Therefore most C code is not safe and should not be trusted.
Flon's Law: There is not now, and never will be, a language in which it is the least bit difficult to write bad programs. Let's think this through. You don't want them using C because they can't program their way out of a paper bag - they can't even get simple concepts like "Check the length of a string before using it" down. But you want them to use languages that still permit more *subtle* errors? How many postings do we see about bad C code on this list? Many of which are so esoteric that we're still arguing months later whether it's actually exploitable? And how many postings do we see about PHP code with XSS issues? And I'll point out that Liu Die Yu dropped us 7 very nice bugs in IE which all appeared to be of the "logic error" type that would have *still* happened, no matter what the language, as the failure was in the algorithm encoded rather than the implementation. Let's look at one of his descriptions: "When CONTENTTYPE in HTTP response is invalid and file extension is "HTM", the downloaded HTM file will be opened in cache directory, in INTERNET security zone." It's painfully obvious what went wrong. And no choice of programming language would have protected against the "think-o" that caused this bug. Yes, the current state of programming is abysmal. But the *real* problem here is that we're letting programmers who can't even handle simple things be in charge of very complicated projects - and that should give you some very not-warm-and-not-fuzzy feelings....
Attachment:
_bin
Description:
Current thread:
- RE: automated vulnerability testing, (continued)
- RE: automated vulnerability testing Bill Royds (Nov 29)
- RE: automated vulnerability testing Peter Moody (Nov 29)
- RE: automated vulnerability testing Bill Royds (Nov 29)
- Re: automated vulnerability testing Michael Gale (Nov 29)
- Re: automated vulnerability testing Frank Knobbe (Nov 29)
- Re: automated vulnerability testing Gadi Evron (Nov 29)
- Re: automated vulnerability testing Valdis . Kletnieks (Nov 29)
- Re: automated vulnerability testing Jonathan A. Zdziarski (Nov 30)
- Re: automated vulnerability testing Nick FitzGerald (Nov 30)
- Re: automated vulnerability testing Jonathan A. Zdziarski (Nov 30)
- RE: automated vulnerability testing Bill Royds (Nov 29)
- Re: automated vulnerability testing Valdis . Kletnieks (Nov 29)
- Re: automated vulnerability testing Devdas Bhagat (Nov 29)