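% Journal article record; the citation key 158 matches the article id in the url field.
% month uses the predefined BibTeX macro (was the literal string 06/2008, which styles cannot format).
@article{158,
  author    = {Michaud, Frederic and Painchaud, Frederic},
  title     = {Language Insecurity},
  journal   = {Open Source Business Resource},
  year      = {2008},
  month     = jun,
  publisher = {Talent First Network},
  address   = {Ottawa},
  type      = {Articles},
  issn      = {1913-6102},
  url       = {http://timreview.ca/article/158},
  abstract  = {Developing reliable and secure software has become a challenging task, mainly because of the unmanageable complexity of the software systems we build today. Software flaws have many causes, but our observations show that they mostly come from two broad sources: i) design, such as a malicious or unintentional backdoor; and ii) implementation, such as a buffer overflow. To address these problems, our research group at Defence Research and Development Canada (DRDC) Valcartier first worked on design issues. A prototype of a UML design verifier was built. Our approach was successful, but we faced two difficulties: i) specifying interesting security properties at the design level; and ii) scalability of the verification process. Building on this experience, we studied design patterns for the implementation of security mechanisms. The output was a security design pattern catalog, available from the authors, that can help software architects choose mature and proven designs instead of constantly trying to reinvent the wheel. This paper addresses the implementation issues from our evaluation of currently available automatic source code verifiers that search for program sanity and security bugs. From this evaluation, it becomes clear that the choice of programming language to use when starting an open source project can have many important consequences on security, maintainability, reliability, speed of development, and collaboration. As a corollary, software quality is largely dependent on the adequacy of the programming language with respect to the desired properties of the system developed. Therefore, the adoption of open source software (OSS) should consider the programming language that was used.},
}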