[langsec-discuss] LangSec Workshop at IEEE SPW 2014, Sun May 18, 2014

Will Sargent will.sargent at gmail.com
Mon Nov 25 22:19:59 UTC 2013


I generally find it helps to think about the good programmers who would
like to improve but don't know quite how, rather than the worst.

Things DO get better.  Very few people use raw GOTO statements any more.
It's been years since I saw people eval input.  I'd say Ruby is better for
purpose than Perl, and Java (and the JVM) is safer than using raw C or C++.

Ultimately, the nicest thing about using value objects produced from a
recognizer is that it's a richer experience.  For the same reason that
people want to use types and abstract data types like Option / Maybe and
Either, they'll want to use value objects.


On Mon, Nov 25, 2013 at 12:51 PM, Grawrock, David
<david.grawrock at intel.com>wrote:

> Nils, this is almost the same as answering the question "what is the best
> programming language". The answer isn't X or Y, it is "well what is the
> program supposed to do". If your answer is always Java, please tell me how
> you are going to write Java code for a device driver that executes during
> early boot, including when memory isn't initialized yet. Don't think Java
> will fit :)
>
> You select the best tool for the job and use that. We have to get
> programmers to understand that one tool doesn't fit all and one way of
> validating and formatting input doesn't work either.
>
> But we HAVE to make this easier to use and understand, with some very
> EXPLICIT helps to get people moving.
>
> David Grawrock
> Security Architect
> 503 264 3642
>
> -----Original Message-----
> From: langsec-discuss-bounces at mail.langsec.org [mailto:
> langsec-discuss-bounces at mail.langsec.org] On Behalf Of Nils Dagsson
> Moskopp
> Sent: Monday, November 25, 2013 12:36 PM
> To: travis+ml-langsec at subspacefield.org
> Cc: langsec-discuss at mail.langsec.org
> Subject: Re: [langsec-discuss] LangSec Workshop at IEEE SPW 2014, Sun May
> 18, 2014
>
> travis+ml-langsec at subspacefield.org wrote on Mon, 25 Nov 2013
> 10:20:39 -0800:
>
> > […]
> >
> > The hard part is going to be spending the time and effort to integrate
> > with those framework/library/language teams and get your stuff in
> > there and up-to-date.  And that's where most solutions fail.  But that's
> > exactly the same difficulty that the developers face in integrating
> > your work into their apps.
> >
> > Not saying it's right, just that that's how it is.  For the best
> > security, we need to minimize the cost of using the systems.
>
> Unfortunately, few things prevent a mediocre programmer from writing a quick
> hack that subverts the purpose of software designed to avoid systemic
> failure. Exhibit A: handlebars.js <http://handlebarsjs.com/>, which
> manages to introduce logic into (logic-less) mustache templates
> <http://mustache.github.io/mustache.5.html>.
>
> Having talked to proponents of e.g. Ruby on Rails and JavaScript, I am now
> firmly convinced that hipster programmers are – by and large – not
> interested in systems that work well or are easy to use, but systems that
> are either popular or give a distinction (ego) benefit. Exhibit B:
> “Power users” who complain that any system unfamiliar to them is hard to
> use, yet “grudgingly” accept the countless annoying idiosyncrasies of their
> preferred “solution”. In the end, programming is pop culture.
>
> --
> Nils Dagsson Moskopp // erlehmann
> <http://dieweltistgarnichtso.net>
> _______________________________________________
> langsec-discuss mailing list
> langsec-discuss at mail.langsec.org
> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
>
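Will's point about "value objects produced from a recognizer" in working code, as an added example that is not part of the thread and is not Will's, Intel's or any project's code. It assumes a deliberately small "host:port" grammar (hostname labels of letters, digits and '-', a decimal port in 1..=65535); the type names `Hostname`, `Port`, `HostPort` and `ParseError` are made up for the illustration. The recognizer is the only way to construct the value objects (their fields are private), and it returns a `Result`, i.e. an Either: either a fully checked value or a structured error, never a half-parsed string that downstream code could be handed by mistake.

```rust
// Added example (not from the thread): a recognizer that turns raw input into
// value objects so that code after the parse never touches the raw string.
// Grammar, type names and error cases are assumptions made for illustration.
use std::fmt;

/// A TCP port in 1..=65535. Field is private: `Port::recognize` is the only
/// constructor, so holding a `Port` proves the check already happened.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Port(u16);

impl Port {
    pub fn get(self) -> u16 { self.0 }

    pub fn recognize(input: &str) -> Result<Port, ParseError> {
        // Only ASCII digits: no sign, no whitespace. (u16::from_str would accept
        // a leading '+', which is outside the grammar assumed here.)
        if input.is_empty() || input.len() > 10 || !input.bytes().all(|b| b.is_ascii_digit()) {
            return Err(ParseError::BadPort(input.to_string()));
        }
        let n: u64 = input.parse().map_err(|_| ParseError::BadPort(input.to_string()))?;
        if n == 0 || n > 65535 {
            return Err(ParseError::PortOutOfRange(n));
        }
        Ok(Port(n as u16))
    }
}

/// A hostname in a small assumed grammar: labels of [A-Za-z0-9-] with no
/// leading or trailing '-', joined by '.', whole name 1..=253 bytes.
/// (IPv6 literals such as "[::1]" are deliberately outside this grammar.)
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Hostname(String);

impl Hostname {
    pub fn as_str(&self) -> &str { &self.0 }

    pub fn recognize(input: &str) -> Result<Hostname, ParseError> {
        if input.is_empty() {
            return Err(ParseError::EmptyHost);
        }
        if input.len() > 253 {
            return Err(ParseError::HostTooLong);
        }
        for label in input.split('.') {
            let ok = !label.is_empty()
                && label.len() <= 63
                && label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
                && !label.starts_with('-')
                && !label.ends_with('-');
            if !ok {
                return Err(ParseError::BadLabel(label.to_string()));
            }
        }
        Ok(Hostname(input.to_string()))
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct HostPort {
    pub host: Hostname,
    pub port: Port,
}

impl HostPort {
    /// Recognize "host:port". The Ok side is a fully validated value object,
    /// the Err side a structured error; there is no in-between state.
    pub fn recognize(input: &str) -> Result<HostPort, ParseError> {
        let (host, port) = input.rsplit_once(':').ok_or(ParseError::MissingPort)?;
        Ok(HostPort { host: Hostname::recognize(host)?, port: Port::recognize(port)? })
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ParseError {
    EmptyHost,
    HostTooLong,
    BadLabel(String),
    MissingPort,
    BadPort(String),
    PortOutOfRange(u64),
}

impl fmt::Display for ParseError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ParseError::EmptyHost => write!(f, "empty host"),
            ParseError::HostTooLong => write!(f, "host longer than 253 bytes"),
            ParseError::BadLabel(l) => write!(f, "bad hostname label {l:?}"),
            ParseError::MissingPort => write!(f, "missing ':port'"),
            ParseError::BadPort(p) => write!(f, "port is not a decimal number: {p:?}"),
            ParseError::PortOutOfRange(n) => write!(f, "port {n} not in 1..=65535"),
        }
    }
}

/// Downstream code takes the value object, not a &str, so it cannot be reached
/// with input the recognizer did not accept.
pub fn connect_string(target: &HostPort) -> String {
    format!("{}:{}", target.host.as_str(), target.port.get())
}

fn main() {
    // Constructed sample inputs, one accepted and four rejected for different reasons.
    for raw in ["example.org:443", "bad-.example:80", "example.org:0", ":443", "example.org"] {
        match HostPort::recognize(raw) {
            Ok(hp) => println!("{raw:>18} -> ok        {}", connect_string(&hp)),
            Err(e) => println!("{raw:>18} -> rejected: {e}"),
        }
    }
}
```

The design choice worth copying is the private field plus the single `recognize` constructor: a function that takes `&HostPort` can be called only with data that has already passed the full grammar, which is what makes the value object a "richer experience" than a string plus a validation flag somewhere upstream.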