[langsec-discuss] LangSec Workshop at IEEE SPW 2014, Sun May 18, 2014

Nils Dagsson Moskopp nils at dieweltistgarnichtso.net
Mon Nov 25 20:35:45 UTC 2013


travis+ml-langsec at subspacefield.org wrote on Mon, 25 Nov 2013
10:20:39 -0800:

> […]
>
> The hard part is going to be spending the time and effort to integrate
> with those framework/library/language teams and get your stuff in
> there and up-to-date.  And that's where most solutions fail.  But that's
> exactly the same difficulty that the developers face in integrating
> your work into their apps.
> 
> Not saying it's right, just that that's how it is.  For the best
> security, we need to minimize the cost of using the systems.

Unfortunately, few things prevent a mediocre programmer from writing a
quick hack that subverts the purpose of software designed to avoid
systemic failure. Exhibit A: handlebars.js, <http://handlebarsjs.com/>
which manages to introduce logic into (logic-less) mustache templates
<http://mustache.github.io/mustache.5.html>.

Having talked to proponents of e.g. Ruby on Rails and JavaScript, I am
now firmly convinced that hipster programmers are – by and large – not
interested in systems that work well or are easy to use, but systems
that are either popular or give a distinction (ego) benefit. Exhibit B:
“Power users” who complain that any system unfamiliar to them is hard
to use, yet “grudgingly” accept the countless annoying idiosyncrasies
of their preferred “solution”. In the end, programming is pop culture.

-- 
Nils Dagsson Moskopp // erlehmann
<http://dieweltistgarnichtso.net>
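[Editor's added example, not code from the post above and not the mustache or handlebars.js projects' own code. It is a toy JavaScript renderer that makes the "logic-less" point concrete: with a fixed tag grammar, a recognizer can decide up front exactly which templates are acceptable, and template text can only select and escape data. The second entry point bolts on a handlebars-style "{{helper arg}}" call (an assumed syntax, modelled only loosely on handlebars), and every registered helper enlarges the language the template may express. The tag subset, the helper syntax and the sample data are all constructed for illustration.]

```javascript
// Added example: not code from the original post, from mustache, or from handlebars.js.
// A toy logic-less renderer with a fixed tag grammar, plus a variant that bolts on
// handlebars-style "{{helper arg}}" calls (assumed syntax), to show what "introducing logic" changes.
const NAME = /^(\.|[A-Za-z_]\w*(\.[A-Za-z_]\w*)*)$/;   // what a logic-less tag may contain
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// Lexer: {{name}}, {{{name}}}, {{#name}}, {{^name}}, {{/name}}, {{! comment }}.
// Tag bodies are passed through verbatim; the recognizer decides what is acceptable.
function tokenize(template) {
  const tokens = [];
  let pos = 0;
  while (pos < template.length) {
    const open = template.indexOf('{{', pos);
    if (open === -1) { tokens.push({ type: 'text', value: template.slice(pos) }); break; }
    if (open > pos) tokens.push({ type: 'text', value: template.slice(pos, open) });
    const raw = template.startsWith('{{{', open);
    const closer = raw ? '}}}' : '}}';
    const close = template.indexOf(closer, open + 2);
    if (close === -1) throw new SyntaxError('unclosed tag at offset ' + open);
    const body = template.slice(open + (raw ? 3 : 2), close).trim();
    pos = close + closer.length;
    if (raw) tokens.push({ type: 'raw', name: body });
    else if (body[0] === '!') continue;                      // comment: dropped
    else if ('#^/'.includes(body[0])) tokens.push({ type: body[0], name: body.slice(1).trim() });
    else tokens.push({ type: 'var', name: body });
  }
  return tokens;
}

// Recognizer: accept the template only if every tag is a plain name (or, when a helper
// registry is supplied, "helper name" with a registered helper) and sections nest properly.
// With no registry the accepted language is exactly the logic-less one.
function recognize(tokens, helpers = {}) {
  const stack = [];
  for (const t of tokens) {
    if (t.type === 'text') continue;
    const [head, ...rest] = t.name.split(/\s+/);
    // hasOwn, not "in": otherwise "{{constructor x}}" would resolve through Object.prototype
    const helperCall = (t.type === 'var' || t.type === 'raw') &&
      rest.length === 1 && hasOwn(helpers, head) && NAME.test(rest[0]);
    if (!NAME.test(t.name) && !helperCall)
      throw new SyntaxError('tag not in the accepted grammar: ' + JSON.stringify(t.name));
    if (t.type === '#' || t.type === '^') stack.push(t.name);
    else if (t.type === '/' && stack.pop() !== t.name) throw new SyntaxError('mismatched {{/' + t.name + '}}');
  }
  if (stack.length) throw new SyntaxError('unclosed section: ' + stack.pop());
  return tokens;
}

// Resolve "a.b" or "." against the context stack, innermost first, own properties only.
function lookup(ctxStack, name) {
  if (name === '.') return ctxStack[ctxStack.length - 1];
  for (let i = ctxStack.length - 1; i >= 0; i--) {
    let v = ctxStack[i];
    for (const part of name.split('.')) {
      if (v == null || !hasOwn(Object(v), part)) { v = undefined; break; }
      v = v[part];
    }
    if (v !== undefined) return v;
  }
  return undefined;
}

function render(tokens, ctxStack, helpers) {
  let out = '';
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t.type === 'text') { out += t.value; continue; }
    if (t.type === '#' || t.type === '^') {
      let depth = 1, j = i + 1;                         // find the matching {{/name}}
      for (; j < tokens.length; j++) {
        if (tokens[j].type === '#' || tokens[j].type === '^') depth++;
        else if (tokens[j].type === '/' && --depth === 0) break;
      }
      const inner = tokens.slice(i + 1, j);
      const v = lookup(ctxStack, t.name);
      const truthy = Array.isArray(v) ? v.length > 0 : Boolean(v);
      if (t.type === '^') { if (!truthy) out += render(inner, ctxStack, helpers); }
      else if (Array.isArray(v)) for (const item of v) out += render(inner, ctxStack.concat([item]), helpers);
      else if (truthy) out += render(inner, typeof v === 'object' ? ctxStack.concat([v]) : ctxStack, helpers);
      i = j;
      continue;
    }
    let v;
    if (helpers && /\s/.test(t.name)) {                 // "{{helper arg}}": the template now calls code
      const [h, arg] = t.name.split(/\s+/);
      v = helpers[h](lookup(ctxStack, arg));
    } else {
      v = lookup(ctxStack, t.name);
    }
    if (v == null) v = '';
    out += t.type === 'raw' ? String(v) : escapeHtml(v);
  }
  return out;
}

// Logic-less: the template can only select and escape data, never invoke code.
function renderLogicless(template, data) {
  return render(recognize(tokenize(template)), [data], null);
}

// Handlebars-style: every registered helper enlarges the language the template may express.
function renderWithHelpers(template, data, helpers) {
  return render(recognize(tokenize(template), helpers), [data], helpers);
}

// Constructed inputs for illustration.
const sample = { name: '<b>Mallory</b>', items: ['a', 'b'] };
console.log(renderLogicless('Hi {{name}}: {{#items}}[{{.}}]{{/items}}', sample));
try { renderLogicless('{{shout name}}', sample); } catch (e) { console.log('rejected:', e.message); }
console.log(renderWithHelpers('{{shout name}}', sample, { shout: s => s.toUpperCase() + '!' }));
```

The practical check this suggests: if a template engine accepts user-controlled template text, enumerate the tags its recognizer admits before trusting it; once a helper registry is part of the grammar, the accepted language is whatever the registry exposes, and an own-property lookup is the minimum needed to keep "{{constructor x}}" and friends out of it.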