It seems like this exchange is focused on whether bug / flaw classes can
be applied to "All" programming languages or not.  Isn't the question at
hand which languages have the property "Subject to bug / flaw class XXX"
(true | false), and not whether you can find one or more class that fits
the "All" category?

What we need is a coherent dataset showing the languages that have been
assessed, and the classes of bugs or flaws each is subject to.  Then I
could search that dataset to find the listing of "all languages that are
/ are not subject to security bug class XXXX" when doing assessments or
deciding on my coding language.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ljknews
Sent: Tuesday, February 05, 2008 8:37 PM
To: sc-l@securecoding.org
Subject: Re: [SC-L] Programming language comparison?

At 4:44 PM -0500 2/5/08, Steven M. Christey wrote:
> On Mon, 4 Feb 2008, ljknews wrote:
> 
>> > ("%99999999s" to fill up disk or memory, anybody?), so it's marked with
>> > "All" and it's not in the C-specific view, even though there's a heavy
>> > concentration of format strings in C/C++.
>>
>> It is marked as "All" ?
>>
>> What is the construct in Ada that has such a risk ?
> 
> Hmmmm, I don't see any, but then again I don't know Ada.  Is there no
> equivalent to format strings in Ada?  No library support for it?

Not that I know of, but if you can specify a Pascal equivalent
I might be able to see what you are aiming at.  Have you evaluated
Pascal for this defect that is present in "All" languages ?

> Your question actually highlights the point I was trying to make - in CWE,
> we don't yet have a way of specifying language families, such as "any
> language that directly supports format strings," or "any language with
> dynamic evaluation."

Your choice of terminology is yours to make, only within the
bounds of reasonable use of English.  In English there is a
distinct difference between the terms ALL and SOME, between
the terms ALL and MANY and even between the terms ALL and MOST.
-- 
Larry Kilgallen
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com)
as a free, non-commercial service to the software security community.
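The "%99999999s" case quoted above is a resource-exhaustion problem in any language whose formatting facility accepts an attacker-supplied width or precision, which is what makes it hard to pin to one language in a CWE-style taxonomy. The following is an added example, not code from this thread or from CWE: it parses both printf-style ("%...s") and str.format-style ("{:...}") format strings in Python and rejects fields whose width or precision exceeds a configurable limit (MAX_WIDTH is an assumed, constructed value) before the string is ever expanded. Python's own str.format is subject to the same class: "{:99999999}".format("x") builds a string of roughly 100 MB, so the check is a mitigation, not merely an illustration.

```python
import re
import string

# Constructed limit: the largest padding width or precision we are willing
# to honour in a format string that may have come from an untrusted source.
MAX_WIDTH = 1024

# printf-style conversion: %[flags][width][.precision][length]type
PRINTF_RE = re.compile(
    r"%(?P<flags>[-+ #0]*)"
    r"(?P<width>\d+|\*)?"
    r"(?:\.(?P<precision>\d+|\*))?"
    r"(?P<length>[hlLqjzt]*)"
    r"(?P<type>[diouxXeEfFgGcrsa%])"
)

# str.format spec mini-language: [[fill]align][sign][#][0][width][grouping][.precision][type]
SPEC_RE = re.compile(
    r"^(?:(?P<fill>.)?(?P<align>[<>=^]))?"
    r"(?P<sign>[+\- ])?"
    r"#?"
    r"(?P<zero>0)?"
    r"(?P<width>\d+)?"
    r"(?P<grouping>[,_])?"
    r"(?:\.(?P<precision>\d+))?"
    r"(?P<type>[a-zA-Z%])?$"
)

# Sentinel returned for a field we could not parse statically: rejected, since
# we cannot bound how much memory expanding it would take.
UNPARSED = (-1, -1)


def _offending(width, precision, max_width):
    """Return (width, precision) if either exceeds the limit, else None."""
    if width > max_width or precision > max_width:
        return (width, precision)
    return None


def check_printf_format(fmt, max_width=MAX_WIDTH):
    """Return a list of (width, precision) for printf-style fields that exceed
    max_width. A '*' width or precision is taken from the arguments at run time
    and cannot be bounded here, so it is reported as UNPARSED."""
    problems = []
    for m in PRINTF_RE.finditer(fmt):
        if m["type"] == "%":          # literal percent sign, no field
            continue
        if m["width"] == "*" or m["precision"] == "*":
            problems.append(UNPARSED)
            continue
        width = int(m["width"]) if m["width"] else 0
        precision = int(m["precision"]) if m["precision"] else 0
        bad = _offending(width, precision, max_width)
        if bad:
            problems.append(bad)
    return problems


def check_format(fmt, max_width=MAX_WIDTH):
    """Return a list of (width, precision) for str.format-style fields that
    exceed max_width. Nested specs such as '{:{w}}' do not match SPEC_RE and
    are reported as UNPARSED because their width is decided at run time."""
    problems = []
    for _literal, field_name, spec, _conv in string.Formatter().parse(fmt):
        if field_name is None:        # trailing literal text, no field
            continue
        m = SPEC_RE.match(spec or "")
        if m is None:
            problems.append(UNPARSED)
            continue
        width = int(m["width"]) if m["width"] else 0
        precision = int(m["precision"]) if m["precision"] else 0
        bad = _offending(width, precision, max_width)
        if bad:
            problems.append(bad)
    return problems


def safe_format(fmt, *args, max_width=MAX_WIDTH, **kwargs):
    """Expand a str.format-style string only after its fields have been
    checked; raise ValueError instead of allocating an oversized result."""
    problems = check_format(fmt, max_width)
    if problems:
        raise ValueError(f"format string exceeds width limit {max_width}: {problems}")
    return fmt.format(*args, **kwargs)


if __name__ == "__main__":
    # Constructed samples: the string quoted in the thread, and a benign one.
    print(check_printf_format("%99999999s"))   # [(99999999, 0)]
    print(check_printf_format("%-10s %5.2f"))  # []
    print(check_format("{:99999999}"))         # [(99999999, 0)]
    print(safe_format("{:>10}", "x"))          # '         x'
```

The two checkers deliberately refuse anything they cannot bound statically ('*' widths, nested '{:{w}}' specs) rather than guessing; the conservative failure is an error message, whereas the optimistic one is the disk or memory fill the thread describes.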