Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <E59B77C5-F493-4C25-9D99-296215454856@oracle.com>
Date: Sun, 12 Oct 2014 14:21:14 +0100
From: John Haxby <john.haxby@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Re: Thoughts on Shellshock and beyond


On 12 Oct 2014, at 12:24, Florian Weimer <fw@...eb.enyo.de> wrote:

> I don't think Haskell is a magic bullet.  I do think type-rich
> languages (and languages with memory safety) have a lot to offer, but
> writing secure software in them is still hard.

I’d definitely agree with that.

Recently I was dealing with a problem where a developer had gone to a lot of trouble to design and implement an insecure authentication mechanism.   He thought he was doing the right thing but he just couldn’t see the flaws in what he’d done.  

The problem wasn’t the choice of programming language (python, as it happens) it was simply that getting the design and implementation right hard even though it looks easy.   Haskell (or Ada or CLU) would not have helped; a mathematically rigorous approach to the problem would have helped a lot, but it would not have made it easy.  To paraphrase Gödel somewhat: any non-trivial system has is not provably secure.

jch

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.