Secure Coding mailing list archives

Re: Java: the next platform-independent target


From: "Steven M. Christey" <coley () linus mitre org>
Date: Fri, 22 Oct 2010 17:33:45 -0400 (EDT)


On Fri, 22 Oct 2010, Jim Manico wrote:

> I think the deprecation of these technologies for an enterprise is a wise idea. :) How can a large enterprise use PHP or ASP for security-critical applications with a straight face? Let's move forward to Ruby on Rails, Enterprise Java, .NET and other modern frameworks that are more mature from a security centric POV.

Just a minor, slightly-tangential-yet-not point: the Ruby / Ruby on Rails products have had approximately 10 CVE vulns since the beginning of 2009. Not a lot, but still something for consideration in application deployment. And you know I support ESAPI, but it's had its own issues, too (and I highly doubt I could do a better job security-wise). Software is software and therefore will have vulns, whether its purpose is a protection mechanism or core functionality. We will never get away from interpreters or frameworks having their own vulns, although if they make things easier security-wise, that's probably a much bigger payoff.

I'm making a generic point here.

- Steve
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________