Re: software flaws in application architecture

[Adam Beneschan <adambeneschan@aol.com>]

On Friday, September 27, 2013 6:08:09 AM UTC-7, Eryndlia Mavourneen wrote:
> In this article at:
> 
> 
> 
>    http://searchsecurity.techtarget.com/opinion/Opinion-Software-insecurity-software-flaws-in-application-architecture#!
> 
> 
> 
> the authors make the claim that languages other than C and Java have just as many flaws (like buffer overflow in C).  Is there a language lawyer who could add a comment to the article regarding Ada?

I wouldn't make too much of this.  You could make some sort of argument that you've counted and there are only 62.12% (or whatever) as many flaws in Ada that could lead to security bugs as there are in C, but it's really beside the point.  Their wording was sloppy.  The overall point, that software has bugs in it that can pose security problems, and their "architectural risk analysis" process can help find those early, is true regardless of what language is used.  Most of the flaws are things that no language can prevent.

One thing that Ada *does* suffer from is deallocation problems, in which an allocated object is deallocated while a pointer to it still exists.  My impression is that this is still the cause of lots of security vulnerabilities, probably more than buffer overflow by now.  Ada doesn't prevent those problems, although it does make it possible to encapsulate things in controlled types to reduce the chance of this occurring (C++ also has features that make this possible).  

But anyway, the article isn't about languages.  I think they're just trying to tell people that you can't stop worrying about security just because you're using Java or some language other than C, and it's a valid point.

                                 -- Adam