[langsec-discuss] LangSec Workshop at IEEE SPW 2014, Sun May 18, 2014

travis+ml-langsec at subspacefield.org travis+ml-langsec at subspacefield.org
Mon Nov 25 18:20:39 UTC 2013


On Fri, Nov 22, 2013 at 09:21:20PM +0100, Peter Bex wrote:
> These are useful rules, and provide a simple answer to the complex
> problem for programmers who are swamped in work and don't have time
> to think about this stuff.  I think that's something the langsec
> project should strive for as useful output.

To the point, if you want traction, you have to get it baked into the
languages/frameworks they use.  You can write Haskell all you want,
but until you get it (at least) into ESAPI, or (better) into Java, C# and
Ruby, in frameworks that developers are using, it's not going to
affect the commercial world, and thus consumers at large.  The cost of
converting the app to a safer language and retraining/rehiring the
developers is just too large to justify for apps that are big enough
to make money:

http://www.zdnet.com/blog/facebook/why-facebook-hasnt-ditched-php/9536

The hard part is going to be spending the time and effort to integrate
with those framework/library/language teams and get your stuff in
there and up-to-date.  And that's where most solutions fail.  But that
is exactly the same difficulty that the developers face in integrating
your work into their apps.

Not saying it's right, just that that's how it is.  For the best
security, we need to minimize the cost of using the systems.
-- 
http://www.subspacefield.org/~travis/
"Gobsmacked"


