Are We Ready For Secure Languages?
July 2016
Language designers and developers want better ways to write good code — languages designed with simpler, more powerful abstractions accessible to a larger community of developers. However, language design does not seem to take security into account, leaving developers with the onerous task of writing attack-proof code. In 20 years, we have gone from 25 reported vulnerabilities to 6,883 vulnerabilities. We see some of the most common vulnerabilities happening in commonly used software — cross-site scripting, SQL injections, and buffer overflows. Attacks are becoming more sophisticated, often exploiting three or four weaknesses, which makes it harder for developers to reason about the source of the problem.
I’ll give an overview of some recent attacks and argue that our languages must take security seriously. Languages need security-oriented constructs, and compilers must let developers know when there is a problem with their code. We need to empower developers with the concept of “security for the masses” by making available languages that do not necessarily require an expert in order to determine whether the code being written is vulnerable to attack or not.
Authors: Cristina Cifuentes