• 420stalin69 [he/him]@hexbear.net · 16 up / 2 down · edited · 1 year ago

    Unlike your Java program amirite.

    The benefit of Java is that you didn’t write the security holes in your software.

    • PaX [comrade/them, they/them]@hexbear.net · 5 up / 2 down · edited · 1 year ago

      Programmers can trust language security features too much…

      Of course, they’re nice to have and really can make things easier to implement securely but it’s still very easy to introduce security problems or bugs into any code. This is just an unsolvable problem of writing imperative code. All imperative code will reliably have memory leaks (even in Java!) and security holes because no compiler can check to see if you thought of everything.

      And large and complex compilers/interpreters with these security features can end up introducing their own security problems or bugs in the process of implementing them.

      I’m just tired of people entirely dismissing languages like C because they don’t have these features. Especially when the operating systems their code runs on and their languages may even be implemented in C!

      • frezik@midwest.social · 3 up · edited · 1 year ago

        Buffer overflows were last seen on the OWASP top 10 list in 2004. Favoring anything else over C for most things is a pretty obvious reason why. A language change destroyed an entire class of bugs.

      • abraxas@sh.itjust.works · 1 up · 1 year ago

        It’s a “tool for the job” game. I don’t trust a junior developer to write a login system. I’ve found security flaws in login systems written by senior developers who “know what they’re doing TM”. Unless I’m the expert in a given domain, it’s better to trust something written by those experts.

        For the record (since it’s fixed anyway), I discovered a common login timing vulnerability on one of our production systems that had been in place for nearly 15 years. Luckily we didn’t have enough traffic for anyone to notice it before me.
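The "common login timing vulnerability" mentioned above is the kind of logic bug a memory-safe language does nothing to prevent, which also illustrates the earlier point that no compiler checks whether you thought of everything. The following is an added example, not code from the thread or from any real system: it builds a hypothetical one-user PBKDF2 password store inline, shows a login check that leaks through timing beside a hardened one, and includes a small timer so the leak is visible. User names, passwords and the iteration count are constructed for the demo.

```python
"""Login timing leak: the vulnerable check beside a hardened one.

Added example with a constructed user store; not code from any real system.
"""
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 20_000  # kept low so the demo runs quickly; use far more in production


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; the cost is the same for any input."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: {username: (salt, derived_key)}. Hypothetical data.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, derive("correct horse battery staple", _SALT))}


def login_vulnerable(username: str, password: str) -> bool:
    """Leaks through timing in two ways:
    1. Unknown usernames return before any hashing, so valid accounts can be
       enumerated by response time (milliseconds vs. microseconds).
    2. `==` on bytes is not guaranteed constant-time; it may stop at the first
       differing byte, giving a much weaker per-byte oracle on the hash.
    """
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return derive(password, salt) == stored


# A fixed decoy record so that unknown usernames cost exactly as much as known ones.
_DECOY_SALT = os.urandom(16)
_DECOY_KEY = derive("decoy-not-a-real-password", _DECOY_SALT)


def login_hardened(username: str, password: str) -> bool:
    """Same work on every path: always derive, always compare in constant time."""
    known = username in USERS
    salt, stored = USERS.get(username, (_DECOY_SALT, _DECOY_KEY))
    ok = hmac.compare_digest(derive(password, salt), stored)
    return ok and known


def timing_gap(login, reps: int = 5) -> tuple[float, float]:
    """Median seconds for (known user, wrong password) vs. (unknown user)."""
    def median_time(user: str) -> float:
        samples = []
        for _ in range(reps):
            t0 = time.perf_counter()
            login(user, "wrong-password")
            samples.append(time.perf_counter() - t0)
        return statistics.median(samples)
    return median_time("alice"), median_time("nobody")


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        known, unknown = timing_gap(fn)
        print(f"{name:10s} known user: {known * 1e3:7.2f} ms   "
              f"unknown user: {unknown * 1e3:7.2f} ms")
```

Running it shows the vulnerable function answering an unknown username orders of magnitude faster than a known one, while the hardened function takes the same time on both paths. The decoy record is the part people usually forget: using hmac.compare_digest alone fixes the byte-by-byte oracle but still leaks account existence if hashing is skipped for unknown users.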

    • abraxas@sh.itjust.works · 2 up · 1 year ago

      I don’t trust Masterlock, so I’m gonna make my own lock out of duct tape, then tape scissors to the door to use as the key.