
[Full-Disclosure] Re: automated vulnerability testing



On 29/11/03 12:30 -0800, Chris Adams wrote:
> On Nov 29, 2003, at 2:47, Choe.Sung Cont. PACAF CSS/SCHP wrote:
> > Bill Royds wrote:
> >> If you are truly interested in security, you won't use C as the
> >> programming language.
> > You must be shitting me. C does have its inherent flaws but that doesn't
> > mean that there cannot be a secure application written in C. This statement
> > represents FUD at its highest level.
>
> Name a single non-trivial application written in C which has not had at
> least one of the classic C security problems.


Qmail? DJBDNS?

Again, the fact that we're talking about a couple programs written by one guy suggests that C should not be considered a general purpose language - DJB represents a very small percentage of the C programming populace. There are very, very few situations where you must use C - low-level hardware access just isn't that common any more, even for the traditional areas like embedded systems or games - and the fact that it's hard to write C properly suggests that it should be reserved for the few situations where it's a necessity: even there, it makes sense to use a high-level language to call a few functions written in C.


Chris
