The natural effects of performance programming versus security

It’s been fun to follow John Carmack – the programming hero of my youth – on Twitter. This from today:

So there is the money quote: “Lots of C/C++ code should be Java/C#”.

Why? It’s slower, it’s garbage collected, it’s tied to a framework, it’s….. what do all of these things do? They make it a lot harder to actually hack!

Look at just about every single Flash or Acrobat or IE vulnerability that comes out month after month. Many of them involve things that are ONLY possible in C – unintentional code execution, buffer overflows, etc.

So C is great, learn C, but then don’t use it for everything thinking you are hot stuff. The core loop of that database driver? Keep it hot. All those GUI elements? How about you keep them safe and boring instead? It may sound kind of crazy to call .Net or Java “safe”, but this really is often the case.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>