[Owasp-leaders] Generating Passwords Hopw

Andrea Cogliati andrea.cogliati at owasp.org
Wed Jan 21 10:52:00 EST 2009

On Jan 21, 2009, at 10:33 AM, Stephen de Vries wrote:

> I think trying to get web security issues addressed in the servlet
> spec is aiming at too low a level.  You might have better luck with
> web frameworks projects instead.  Similarly with Ruby, the language
> itself is too low level, but getting security features added to the
> Rails framework might be more feasible.

I beg to differ. One of the issues with high-level languages (like
Java, .NET & Ruby) is that the virtual machine/framework adds a layer
of abstraction between the application and the OS. Developers lose
control of the low-level details of memory management, which is good
in several circumstances as it avoids memory leaks, prevents
buffer overflows and so on, but it might also pose a security risk. What
if I want to clear sensitive data from memory as soon as I'm finished
dealing with it? Or what if I want to prevent sensitive data from being
swapped to disk (unless it's encrypted, maybe)? The language (and the
framework) must allow some form of low-level control over memory in
specific circumstances. And, of course, with great power comes great



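The two requests in the message above (erase a secret as soon as you are done with it, and keep it off the swap device) are exactly the operations a C program can perform directly and a JVM/CLR program mostly cannot. The following is an added example, not code from this thread or from OWASP: it assumes a POSIX system with mlock()/munlock(), the password is a constructed sample, and use_password() and the SECRET_* flags are names chosen here for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Bit flags returned by use_password() so a caller can see which
   protections actually took effect (names chosen for this example). */
enum { SECRET_USED = 1, SECRET_WIPED = 2, SECRET_LOCKED = 4 };

/* Zero a buffer in a way the optimizer cannot remove. A plain memset()
   immediately before free() is a dead store and is routinely elided;
   writing through a volatile pointer forces every byte to be stored. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 if every byte in p[0..n) is zero, else 0. */
int is_all_zero(const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= b[i];
    return acc == 0;
}

/* Hold a secret for its working lifetime, then destroy it.
   The secret here is a constructed sample, not real credential data. */
int use_password(void)
{
    static const char sample_pw[] = "correct horse battery staple"; /* constructed */
    size_t n = sizeof sample_pw;
    int status = 0;

    char *buf = malloc(n);
    if (!buf)
        return 0;

    /* Pin the pages so the kernel will not write them to swap.
       mlock() can fail (RLIMIT_MEMLOCK, some containers); record that
       instead of aborting so the caller can decide how to react. */
    if (mlock(buf, n) == 0)
        status |= SECRET_LOCKED;

    memcpy(buf, sample_pw, n);

    /* ... the secret is in use here: key derivation, authentication ... */
    if (strcmp(buf, sample_pw) == 0)
        status |= SECRET_USED;

    /* Done with the secret: erase it before the memory is released. */
    secure_wipe(buf, n);
    if (is_all_zero(buf, n))
        status |= SECRET_WIPED;

    if (status & SECRET_LOCKED)
        munlock(buf, n);
    free(buf);
    return status;
}

int main(void)
{
    int s = use_password();
    printf("used=%d wiped=%d locked=%d\n",
           !!(s & SECRET_USED), !!(s & SECRET_WIPED), !!(s & SECRET_LOCKED));
    return (s & (SECRET_USED | SECRET_WIPED)) == (SECRET_USED | SECRET_WIPED) ? 0 : 1;
}
```

Neither step has a faithful equivalent in a managed runtime: a Java String is immutable and may be copied by the garbage collector, so there is no way to overwrite every copy (which is why JPasswordField hands back a char[] rather than a String), and the heap pages are not something application code can mlock(). Note also that the lock is best effort; a real program should treat a failed mlock() as a reportable condition rather than silently continuing.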