2010 Top 25 Most Dangerous Programming Errors


Science

zeeblebot

silicon valley

Joined
27 Oct 04
Moves
101289
Clock
18 Feb 10

http://cwe.mitre.org/top25/index.html

twhitehead

Cape Town

Joined
14 Apr 05
Moves
52945
Clock
19 Feb 10

Originally posted by zeeblebot
http://cwe.mitre.org/top25/index.html
And I thought 'dangerous' meant 'the program might cause grievous bodily harm', when what you really mean is 'insecure', which for many of us programmers doesn't really matter as we are not storing particularly sensitive data, and the people who might want our data simply don't have the skills to take advantage of buffer overflows and SQL injection etc.

j

Joined
02 Aug 06
Moves
12622
Clock
20 Feb 10

Originally posted by twhitehead
And I thought 'dangerous' meant 'the program might cause grievous bodily harm', when what you really mean is 'insecure', which for many of us programmers doesn't really matter as we are not storing particularly sensitive data, and the people who might want our data simply don't have the skills to take advantage of buffer overflows and SQL injection etc.
If you're processing millions of records and performance is an issue, how much turnaround slowdown are you likely to get because of giving detailed care to buffer overflow and "SQL injection"?

s
Fast and Curious

slatington, pa, usa

Joined
28 Dec 04
Moves
53321
Clock
21 Feb 10

Originally posted by jaywill
If you're processing millions of records and performance is an issue, how much turnaround slowdown are you likely to get because of giving detailed care to buffer overflow and "SQL injection"?
I guess that's one reason to develop way faster computers.

twhitehead

Cape Town

Joined
14 Apr 05
Moves
52945
Clock
21 Feb 10
2 edits

Originally posted by jaywill
If you're processing millions of records and performance is an issue, how much turnaround slowdown are you likely to get because of giving detailed care to buffer overflow and "SQL injection"?
You are probably right that increased security results in a performance hit. However, I suspect that for many of us the cost hit in terms of programmer time is more significant.
This whole discussion reminds me of the Windows / Linux situation.
Linux was very successful on servers because of its security.
Windows was successful on the desktop because of its ease of use and backward compatibility - both of which resulted in poor security.
Microsoft spent lots of effort trying to make Windows more secure resulting in it being harder to use and more annoying.

The lesson for me is that though security is important, you can over do it in situations where it is not really required.

The number one cause of viruses in my part of the world is all due to the fact that Windows has auto-play turned on for flash drives by default. If they simply sent out a patch that turned that off then that would eliminate 90% of viruses around here. It can be turned off manually but not many people know that.

m

Joined
07 Sep 05
Moves
35068
Clock
22 Feb 10
1 edit

Originally posted by twhitehead
You are probably right that increased security results in a performance hit. However, I suspect that for many of us the cost hit in terms of programmer time is more significant.
True. Although in most languages protecting yourself against injection attacks is just a matter of "doing it properly". It's not really any more difficult or slower.

And to follow up the earlier comment - I'd be hard pressed to think of an application processing millions of records where performance is an issue and security isn't.
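The point made in this post, that guarding against injection is "doing it properly" rather than extra work, can be shown side by side. The following is an added illustration, not code from anyone in the thread: it uses Python's standard `sqlite3` module with a constructed in-memory table (the user names and passwords are made up), and compares a query that splices user input into the SQL text with the same query using a bound parameter. The bound version is the same number of lines, has no measurable extra cost (the driver does the quoting it would have to do anyway), and is also the only one that copes with a legitimate name containing an apostrophe.

```python
import sqlite3

# Constructed sample rows for the demonstration; not real data.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' form: user input is concatenated into the SQL text,
    so quote characters in the input change the query's structure."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same query, same line count: the value is bound as a parameter and
    is treated purely as data, whatever characters it contains."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo() -> dict:
    """Run both forms against a normal name and a textbook injection string."""
    conn = build_db()
    hostile = "' OR '1'='1"  # closes the quoted literal and appends a true clause
    return {
        "unsafe_normal": find_user_unsafe(conn, "alice"),
        "safe_normal": find_user_safe(conn, "alice"),
        "unsafe_hostile": find_user_unsafe(conn, hostile),  # every row leaks
        "safe_hostile": find_user_safe(conn, hostile),      # no such user
    }


def lookup_with_apostrophe() -> tuple:
    """A legitimate name with an apostrophe: the concatenated query is not
    even valid SQL, while the parameterised one simply finds the row."""
    conn = build_db()
    conn.execute("INSERT INTO users VALUES (?, ?)", ("O'Brien", "pw"))
    try:
        find_user_unsafe(conn, "O'Brien")
        unsafe_ok = True
    except sqlite3.Error:
        unsafe_ok = False
    return unsafe_ok, find_user_safe(conn, "O'Brien")


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15} {rows}")
    print("apostrophe case:", lookup_with_apostrophe())
```

Run as a script, the unsafe lookup returns every user for the hostile input while the bound-parameter lookup returns nothing, and the apostrophe case shows the unsafe form raising a syntax error where the safe form returns the row. The same `?` (or `%s`, depending on driver) placeholder idiom exists in every mainstream database client, and for the "millions of records" case a prepared, parameterised statement is typically faster than rebuilding query text per row, since the database can reuse its parsed plan.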
