Re: [Full-Disclosure] automated vulnerability testing
From: Chris Adams (chris_at_improbable.org)
Date: 11/29/03
- Previous message: Paulo Pereira: "Re: [Full-Disclosure] SIP security"
- In reply to: Choe.Sung Cont. PACAF CSS/SCHP: "[Full-Disclosure] automated vulnerability testing"
- Next in thread: Devdas Bhagat: "Re: [Full-Disclosure] automated vulnerability testing"
- Reply: Devdas Bhagat: "Re: [Full-Disclosure] automated vulnerability testing"
To: "'full-disclosure@lists.netsys.com'" <full-disclosure@lists.netsys.com>
Date: Sat, 29 Nov 2003 12:30:09 -0800
On Nov 29, 2003, at 2:47, Choe.Sung Cont. PACAF CSS/SCHP wrote:
> Bill Royds wrote:
>> If you are truly interested in security, you won't use C as the
>> programming language.
> You must be shitting me.. C does have its inherent flaws but that doesn't
> mean that there cannot be a secure application written in C. This statement
> represents FUD at its highest level.

Name a single non-trivial application written in C which has not had at
least one of the classic C security problems.

That's why we need different languages: even if you're one of the
extraordinarily small number of programmers who can write C without
bugs, there's abundant evidence that the average C programmer cannot be
trusted to do so.

The other problem is productivity - C programmers have to write
significantly more code to produce equivalent functionality which both
increases the opportunity for errors and decreases the time available
to find and fix those errors, identify design oversights, etc.

Chris
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html