On Mon, Apr 28, 2014 at 09:23:03PM -0500, William Lederer wrote:
Regarding why programmers don't write libraries in Common Lisp (ignoring what seems to be a screaming terror of the parenthetical, functional world) is that cryptography must be fast, and it must not leak timing information.
A final word here--I spend my days auditing and pen testing programs written in managed languages: C# and Java. None of the errors that bring down systems and lead to breaches in these languages result from bounds checking or buffer overflow issues. None of them are subject to the same kinds of flaws C exposes as evidenced by Heartbleed. Nonetheless, there are vulnerabilities.
And I am sure that all remember the vulnerability exposed in Ycombinator which is written in Lisp. Simply writing your stuff in Lisp is not enough.
And that is a point that bears repeating: Whatever programming language you end up using, it will not magically protect you from all errors or mistakes. Depending on its design and other details, it might protect you from _some_ classes of errors (such as shooting yourself in the foot with pointers), but no matter what language, there _will_ still be plenty of beartraps patiently waiting for the unwary. Heck, even something as heavily discipline-and-bondage as SPARK Ada leaves opportunities to screw up big time - just get your design assumptions wrong and you can be toast.
Kind regards, Alex.