Secure Coding mailing list archives

Re: Scripting Languages and Secure Coding


From: Bob Toxen <bob () verysecurelinux com>
Date: Fri, 05 Dec 2003 15:34:01 +0000

On Thu, Dec 04, 2003 at 04:26:37PM -0500, der Mouse wrote:
> > The C compiler and popular C library routines do not have bugs
>
> If you think this you are deluding yourself.  No body of code as large
> as either is bug-free.

I assumed it was understood that I meant KNOWN bugs.  If neither the good
guys nor the bad guys know about a security bug (and are not likely to)
it is not a security issue.  Hence, a popular standard is the rate that
significant security bugs are discovered.

> > When PHP has [...] I'll consider it safe for use.  Unlike C and
> > Apache, one does not HAVE to use PHP in their system.
>
> One does not have to use Apache.  (I don't, for example.)  One does not
> have to use C, either, though I'm not an example; quite aside from
> people who simply don't compile stuff, there are other languages, even
> other compiled languages, most of them better than C for some tasks and
> goodness metrics.

I think that you are nitpicking my comments.  I think that it is safe to
say that most web servers (that don't use Windows) use C code in the
system and use Apache.

Can we move on to another topic?

> /~\ The ASCII                         der Mouse
> \ / Ribbon Campaign
>  X  Against HTML             [EMAIL PROTECTED]
> / \ Email!         7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Bob







