Re: automated vulnerability testing

[Valdis.Kletnieks () vt edu]

On Sat, 29 Nov 2003 15:11:02 EST, Bill Royds <full-disclosure () royds net>  said:
> Only a good programmer can write safe C.
> Most programmers are not good programmers.
> Therefore  most C code is not safe and should not be trusted.

Flon's Law: There is not now, and never will be, a language in which it is the
least bit difficult to write bad programs.

Let's think this through. You don't want them using C because they can't
program their way out of a paper bag - they can't even get simple concepts
like "Check the length of a string before using it" down.  But you want them
to use languages that still permit more *subtle* errors?

How many postings do we see about bad C code on this list?  Many of which
are so esoteric that we're still arguing months later whether it's actually
exploitable?  And how many postings do we see about PHP code with XSS issues?

And I'll point out that Liu Die Yu dropped us 7 very nice bugs in IE which
all appeared to be of the "logic error" type that would have *still*
happened, no matter what the language, as the failure was in the algorithm
encoded rather than the implementation.  Let's look at one of his
descriptions:

"When CONTENTTYPE in HTTP response is invalid and file extension is "HTM", the
downloaded HTM file will be opened in cache directory, in INTERNET security
zone."

It's painfully obvious what went wrong.  And no choice of programming language
would have protected against the "think-o" that caused this bug.

Yes, the current state of programming is abysmal.  But the *real* problem here
is that we're letting programmers who can't even handle simple things be in
charge of very complicated projects - and that should give you some very
not-warm-and-not-fuzzy feelings....

Attachment: _bin
Description: