My final paper for my masters degree was on how some vulnerabilities manifest themselves, or fail to manifest, in different programming languages. I included C, C++, Java, Perl, and Standard ML. The title of the paper is "Implications of Programming Language Selection On the Construction of Secure Software Systems." You can find a link to it at my work web page: http://www.isi.edu/~cward/papers/LMU/index.html.
One of the points I was trying to make in the paper is that the security attributes of a programming language were also important to take into consideration when selecting a language for a particular task. I'm glad that you're incorporating this into your process. Craig At 1:16 PM +0100 2/4/08, Vincent Verhagen wrote: >Hi all, > >I was referred to this list by a fellow security consultant for this >specific question. Please forgive me if this is the wrong forum :) > >We're in the process of creating a kind of handbook for third parties >that develop web applications for us. >One (quite extensive, I'm happy to report) chapter will be about >security and for that I'm looking for a comparison of common >programming/scripting languages (PHP, C variants, JAVA, etc) their >specific risks and why or why not to use them. >Has anyone created such an overview I could use as a basis to work from? > >Thanks in advance! > >Vincent Verhagen >Simac ICT Netherlands -- Internet: [EMAIL PROTECTED] "If a program has not been specified, it cannot be incorrect; it can only be surprising." (Young, Boebert, and Kain) _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________