Date: Sun, 12 Oct 2014 14:21:14 +0100 From: John Haxby <john.haxby@...cle.com> To: oss-security@...ts.openwall.com Subject: Re: Thoughts on Shellshock and beyond On 12 Oct 2014, at 12:24, Florian Weimer <fw@...eb.enyo.de> wrote: > I don't think Haskell is a magic bullet. I do think type-rich > languages (and languages with memory safety) have a lot to offer, but > writing secure software in them is still hard. I’d definitely agree with that. Recently I was dealing with a problem where a developer had gone to a lot of trouble to design and implement an insecure authentication mechanism. He thought he was doing the right thing but he just couldn’t see the flaws in what he’d done. The problem wasn’t the choice of programming language (python, as it happens) it was simply that getting the design and implementation right hard even though it looks easy. Haskell (or Ada or CLU) would not have helped; a mathematically rigorous approach to the problem would have helped a lot, but it would not have made it easy. To paraphrase Gödel somewhat: any non-trivial system has is not provably secure. jch
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ