Re: Does Ada need a 'secure coding standard' as well?

["Nasser M. Abbasi" <nma@12000.org>]

On 5/28/2011 12:06 PM, Yannick Duchêne (Hibou57) wrote:

>
> Except that, there already exist to some Ada subset, or profiles. One of
> the most common is the one which is required with SPARK. Here again, no
> need to setup some rules and ask the authors to follow these rules and
> nothing else, as these are already checked by the SPARK Checker.
>

That was my initial reaction to when I saw those rules,
is that a well designed secure language, would not need such rules
(or much of then any them) for a programmer to remember, since
the compiler will check and reject code written which is 'not secure'
as it will be something not allowed at the language level itself.

But when I said that in the Java newsgroup I got screamed at :)

Most of the rules seem to target handling strings, where,
as one would expect, most of the security problems can sneak in.

The funny thing, is that Java 7 just added a switch on string  !

http://www.vineetmanohar.com/2011/03/new-java-7-feature-string-in-switch-support/

So, may be now more rules needs to be added for the programmer
to remember when using this new feature added by the language,
so they can use it in 'secure' way.

--Nasser