undefined | Better HN

0 pointsnanolith11y ago0 comments

Let me assure you that this is true regardless of language or platform.

I've done vulnerability analysis on codebases written in C++, Java, C#, Objective C, Ruby, and Python. I've found bugs in each of these platforms. The biggest differentiator I found was experience. More experienced software developers, on average, made fewer bugs resulting in vulnerabilities than less experienced software developers.

There is no magic language or platform that makes writing secure software easy. There are tools, techniques, and training that can help. But, these can only help. Writing quality software -- of which security is an important part -- is a difficult process that requires a lot of experience and discipline.

0 comments

3 comments · 1 top-level

MichaelGG11y ago· 2 in thread

Please point to the CVEs for the plethora of remote code execution bugs in apps written in Java and C#, for instance.

I went through every single security bulletin MS published over the past couple years. The vast majority of the serious ones were 100% due to memory safety issues. The biggest exception was due to trying to sandbox arbitrary code (their .NET equivalent to Java applets).

If you have some counter-evidence, showing C to be even remotely as safe as, say, Java, please step forward. If you are actually saying "Well I found a lot of SQL injection bugs in code written in Java", that's a different issue. And I'm sure you're aware of it.

There's probably a name for the use of rhetoric of the form "Nothing's perfect. Therefore X and Y are just as good, since they are both imperfect."

nanolithOP11y ago

Luckily, I don't have to respond by your goalposts.

You are hammering on a single class of security vulnerability out of hundreds of potential vulnerabilities. How does Rust prevent a confused deputy vulnerability? How about SQL Injection? Okay... well, what about all of the potential side channel attacks?

People in higher level languages tend to believe that the relative safety of their position means that they have to be less vigilant about vulnerabilities. That is often what I have found. The number of vulnerabilities overall were similar, but the type of vulnerabilities were different. Because there was a completely mistaken belief that these platforms were "more secure", security practices were often sloppy. Most of these vulnerabilities were at the application level. So, looking for Microsoft CVEs isn't going to help you.

The C++ code bases tended to have more senior level people working on them, who were more careful about both defects and vulnerabilities. Code bases in higher level languages, in general, had more junior level people working on them. Largely, the number of vulnerabilities were similar.

Again, I'm speaking of my own experience. But, I think that many researchers in the field would give you a similar story. I'm always wary of people promising silver bullets over hard work.

MichaelGG11y ago

So by your own logic, if experienced C++ developers wrote in, say, Rust, they would not make mistakes like SQL injection, and they wouldn't be making all the memory-safety mistakes, either.

Edit: If your overall point is that systems are laughably insecure, and most app devs just leave gigantic holes open, sure, great. But let's not compound that by making their OSes and low-level network stuff run arbitrary code for anyone on the Internet.

1 more reply

j / k navigate · click thread line to collapse