Rust, the Mozilla-developed language that recently hit 1.0, emphasizes safety, a potentially large selling point for a language designed for systems-level programming. But what does it mean to say that a language is "safe" - even if you're not using it for low-level functions? How much of that safety is the language itself, and how much of it is the programmer (as one blogger noted when attempting to test how the Heartbleed vulnerability might surface in Rust)? I put that question to the folks responsible for developing some of the common languages in use today.

Part of the seductive power of any new language is an assurance it will provide a better, faster, and more inherently secure solution. Higher-level languages - Perl, PHP, Ruby - obviate the need to do low-level work to accomplish common tasks, and Rust may address an area where low-level mistakes are easy to make.

Larry Wall, the inventor of Perl - set to debut its long-awaited sixth version later this year - asserted that while "it's possible to write insecure code in any language," the construction of the language is a factor. "In Perl," he stated in an email, "all strings and arrays know their own length, so you can't get the tail ends of old strings showing up by accident in new strings without working at it really hard. Perl 5 also has a tainting mechanism that catches most accidental use of untrusted string data as input to dangerous operations."

Wall also noted that the version of the language and its interpreter or compiler also matter, especially as time and circumstance march on. "PHP cares about older versions enough that it is willing to issue security patches for them without forcing people to upgrade," he wrote. "Certainly the lesson of the recent past is that security is always going to be an arms race, and deploying software that is not field-upgradeable is just an exploit waiting to happen, regardless of the language used."

"We think it's really important to distinguish maintenance upgrades on stable versions from functional upgrades to more modern releases."

Zeev Suraski, CTO of Zend, makers of various PHP development tools and solutions, defended PHP as "protected from a very big class of potential vulnerabilities, including vulnerabilities similar to Heartbleed." Because PHP doesn't allow the programmer to perform her own memory management, he noted, developers can never read or write into memory. He did point out that none of this obviates how PHP can be, and is, used unsafely: "It of course doesn't make PHP code immune to potential security issues – but they're typically applicative, for example, relying on end-user data and plumbing it into database queries or filesystem operations without sanitizing it first." Such security issues are typically exposed when PHP code makes use of system-level calls, as was hypothesized with the recent Ghost vulnerability.

Ruby's creator Yukihiro "Matz" Matsumoto had similar feelings about his language: "Ruby checks memory boundary for every access so that we don't have buffer overflow security vulnerability (if Ruby VM itself does not have )," he wrote in an email. "Ruby also has data tracking from outside world, so dangerous operations based on malicious data read can be warned." But as with PHP, the biggest security issues in Ruby these days involve the way software written with it deals with the outside world - for example, Ruby on Rails, the Web framework, which had to be patched several times in succession in 2013 to deal with remote-code vulnerabilities.
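Two of the mechanisms the language designers describe above, bounds checking on every access and taint tracking of data from the outside world, can be made concrete in a few lines. The following is an added example written for this page in Rust; it is not code from the article or from the Perl, PHP, Ruby or Rust projects. The heartbeat record layout (two-byte big-endian claimed length, then payload) is a constructed stand-in for the Heartbleed-shaped case the blogger mentioned, and the filename rule used to "untaint" a request value is an assumed policy, not anything the article specifies.

```rust
// Added example, not from the article.  Part 1: what "the language checks
// the memory boundary for every access" means for a Heartbleed-shaped bug.
// The original defect trusted a length field supplied by the peer and
// copied that many bytes out of the receive buffer, disclosing whatever lay
// beyond the real payload.  In Rust a slice read past the end of a buffer is
// caught: `&buf[..n]` panics, and `buf.get(..n)` returns None, so the
// over-read becomes a refused request rather than a memory disclosure.

/// Parse a constructed heartbeat record: 2-byte big-endian claimed length,
/// then the payload.  Returns the payload to echo back, or None when the
/// claimed length does not fit inside what was actually received.
pub fn heartbeat_payload(record: &[u8]) -> Option<&[u8]> {
    let len_bytes = record.get(..2)?;
    let claimed = u16::from_be_bytes([len_bytes[0], len_bytes[1]]) as usize;
    // `get` performs the bounds check; a lying length yields None instead
    // of bytes from outside the record.
    record.get(2..2 + claimed)
}

// Part 2: a minimal taint marker in the spirit of Perl's -T mode.  Bytes that
// arrived from the outside world are wrapped in `Tainted`, and the sensitive
// operation only accepts an `Untainted` value, which can only be produced by
// a validation step.  The compiler, rather than a runtime check, enforces
// that the validation happened.

pub struct Tainted(String);
pub struct Untainted(String);

impl Tainted {
    /// Wrap a value as it comes off the request (constructed source).
    pub fn from_request(s: &str) -> Self {
        Tainted(s.to_string())
    }

    /// Perl untaints by matching a pattern and keeping only the capture.
    /// The assumed rule here: a non-empty name of [A-Za-z0-9._-] only, with
    /// no path separators and no leading dot.
    pub fn untaint_filename(&self) -> Option<Untainted> {
        let s = &self.0;
        let ok = !s.is_empty()
            && !s.starts_with('.')
            && s.chars()
                .all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '_' | '-'));
        if ok {
            Some(Untainted(s.clone()))
        } else {
            None
        }
    }
}

/// The "dangerous operation": building a filesystem path.  It cannot be
/// called with a `Tainted` value; only validated names get this far.
pub fn open_upload_path(name: &Untainted) -> String {
    format!("/var/uploads/{}", name.0)
}

fn main() {
    // Constructed records: a well-formed heartbeat, and one that claims
    // 65535 bytes while carrying three.
    let good = [0u8, 3, b'a', b'b', b'c'];
    let lying = [0xFFu8, 0xFF, b'a', b'b', b'c'];
    println!("good:  {:?}", heartbeat_payload(&good));
    println!("lying: {:?}", heartbeat_payload(&lying));

    // Constructed request values: one acceptable name, one traversal attempt.
    for &raw in ["report-2015.txt", "../../etc/passwd"].iter() {
        match Tainted::from_request(raw).untaint_filename() {
            Some(name) => println!("ok:      {}", open_upload_path(&name)),
            None => println!("refused: {:?}", raw),
        }
    }
}
```

The two halves illustrate the distinction the article keeps returning to: the bounds check is something the language does for every program, while the taint wrapper only helps if the programmer routes outside data through it and writes a validation rule that actually matches the operation it protects.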