From: Markus E Leypold
Newsgroups: comp.lang.ada
Subject: Re: How come Ada isn't more popular?
Date: Fri, 26 Jan 2007 23:43:32 +0100
References: <1169531612.200010.153120@38g2000cwa.googlegroups.com>

"Jeffrey R. Carter" writes:

> Maciej Sobczak wrote:
>> Just changing the implementation language from C to whatever else
>> (Ada including) can rule out only one (buffer overflows) of the top
>> 10 security flaws - and even that not always (especially when
>> binding to some C code is used, where the buffer overflow can happen
>> on the language border).
>
> I recall reading that buffer overflows account for about 50% of
> actually exploited vulnerabilities in networking SW.
>
> I'm not sure if that's still true when one considers "web
> applications". Also, it documents exploitation, not existence.

I don't think it's true any more. Bugs that have to do with processing
unchecked user input (esp. quoting and unquoting to/from HTML and SQL
statements) in "scripted" web applications seem to be the majority now.

Of course buffer overflow is still a concern (i.e. in gpg or mail
processing applications), but it's not restricted to networking software
since users very often process foreign data/"documents". See, for
example, the recent flurry of bugs in MS Word and PDF viewers (and even
those are often a bit more complicated than a simple overflow, as the
WMF bug demonstrates). I haven't any quantitative data though, but one
can try to count the security alerts on the Full Disclosure list or in
relevant security forums.

My impression: buffer overflow still happens, but is not the main
problem any more. The main problem IMHO is bad software engineers /
programmers that create monolithic applications (no modules, no
abstraction boundaries) without contracts.

Regards -- Markus