Secure Coding mailing list archives
The right tool for the right job, quit beating on the C language
From: "Dana Epp" <dana () vulscan com>
Date: Mon, 15 Dec 2003 03:36:37 +0000
> Indeed, avoiding C* as a programming language seems the simplest defense.
I have been trying to stay away from this argument, as this list doesn't need a best language/best OS/best editor flamewar on its hands, but I feel compelled to comment on this.

I do not believe we can use the argument to "avoid" any particular language, just because it is not as safe as some of the newer languages that obscure the complexity of the underlying system (which are typically written in C anyways). As someone who writes a lot of kernel-mode code, I HAVE to write in C and ASM. You are not going to see ring0 level code being written in Java or C# anytime soon. You have to use the right tool for the right job.

What is the C language's downfall is also its best strength. It is a double-edged sword that really SHOULD be mastered, but by many is treated like a child's $5 plastic toy... wielded by the inexperienced who don't know any better.

The reality is instead of avoiding it, we should include the proper teachings to use it safely, and correctly. Now this is a DIFFERENT discussion than the "secure programming" education track, as this is more language specific. Yet I think that if we try to sidestep the issue, we will end up using the wrong tool at the wrong time.

We shouldn't fear using languages like C and C++, we just need to know its place, know its fallibilities and deal with it.

---
Regards,
Dana M. Epp
[Blog: http://silverstr.ufies.org/blog/]