[kwlug-disc] Security arguments

unsolicited unsolicited at swiz.ca
Sun Sep 27 13:42:20 EDT 2009



Raul Suarez wrote, On 09/23/2009 2:25 PM:
.
.
.
> I agree with Chris, for professional development, scripting has its
> place in the admin room, but not in the front facing applications.
> You can do it, some may even do it successfully but a solid
> compiled language will save you many headaches.

This all makes me remember, in a former life as a (QNX / On-Screen) C 
programmer, how I was able to get them to buy lint for me. Given the 
countless hours it saved me, I couldn't have imagined anyone not running 
it - e.g. I don't know how many times it pointed out I was trying to 
printf an int as a string, and vice versa. For each catch, there was a 
compile, test, discover, correct cycle prevented.

Strangely, I could never get the boss (the other C programmer) to use 
it. Heck, he wouldn't use make. No matter how many times I showed him 
how it caught things, even when debugging together. Never could get 
him to run the debugger either, but ...


Lint is essentially an over-anxious C pre-processor. Is there not an 
equivalent for these scripted languages? Let alone do not many 
'compile' down to pseudo-code (intermediary language) wherein the 
compiler checks these thread authors rave about are done?


For that matter, where are these scripting languages' secure 
programming guidelines and coding best practices, and why do these 
scripting languages not enforce such?

And does the answer to that really explain why good security 
programming practices are not followed more universally?


Finally, if scripting languages = bad (being over-simplistic here), 
what are the equivalent IDE / compiled languages, and why are they not 
used more prevalently? If a scripting language can be learned / 
discovered ...
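The printf int-as-string mistake the poster describes lint catching is now flagged by the C compiler itself, and the check can be extended to your own logging wrappers. The following is an added example, not code from the post or the list: `log_msg` and `demo` are hypothetical names, and the `format` attribute is a GCC/Clang extension.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded logging wrapper (assumed, not from the post).
 * The format attribute tells GCC/Clang to apply printf-style argument
 * checking to callers: the format string is parameter 3 and the variadic
 * arguments start at parameter 4. With -Wall (or -Wformat) a mismatched
 * call is reported at compile time, which is the job lint did for the poster. */
__attribute__((format(printf, 3, 4)))
static int log_msg(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);   /* bounded: never writes past out */
    va_end(ap);
    return n;
}

/* Builds one log line correctly and documents the mistake the checker
 * rejects. Returns the line length as vsnprintf reports it. */
static int demo(char *buf, size_t sz)
{
    int port = 8080;
    const char *user = "alice";          /* constructed sample values */
    /* Correct: %s receives a char *, %d receives an int. */
    int n = log_msg(buf, sz, "user=%s port=%d", user, port);
    /* The bug lint caught for the poster: an int passed where %s expects a
     * char *. Because of the format attribute above, the compiler rejects
     * this line; it stays commented out because running it is undefined
     * behaviour (printf would dereference 8080 as a pointer).
     *   log_msg(buf, sz, "port=%s", port);
     */
    return n;
}

/* Returns 1 when demo() produced the expected line, 0 otherwise. */
static int demo_check(void)
{
    char buf[64];
    int n = demo(buf, sizeof buf);
    return n == 20 && strcmp(buf, "user=alice port=8080") == 0;
}

int main(void)
{
    char buf[64];
    int n = demo(buf, sizeof buf);
    printf("%s (%d chars)\n", buf, n);
    return 0;
}
```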



