Posted on Saturday, February 05, 2005 3:27 PM by anoras
Do your homework Mr. Gosling
Sun CTO James Gosling described Microsoft’s decision to support C and C++ in the .NET CLR as the “biggest and most offensive mistake that they could have made” in a speech at an Australian developers event earlier this week. Gosling based his statement on the fact that the C and C++ languages allow arbitrary casting, pointer usage and other “unsafe” features. It isn’t shocking that Sun’s CTO attacks their fiercest competitor in a speech, but he should do his homework more carefully to come across as credible. I know many Java developers, and just as many .NET developers know Java, most of them are .NET literate.
Gosling’s assumption is that having a programming language which allows programmers to do unsafe things makes all code hazardous. This is wrong. The key cause of security holes is that many programmers aren’t security savvy. Although you seldom get buffer overruns in managed environments, you can create gaping security holes, such as cross-site scripting and SQL injection vulnerabilities, in software developed with both Java and C#. Managed code is a safeguard against unforeseen side effects, but it’s not a panacea for insecure code.
A key feature in Microsoft Visual C++ 2005 that Gosling “forgot about” is the Secure CRT. C++ now has an entire set of secure alternatives to the old C library functions such as strcpy. So the decision to still support C and C++ in Visual Studio 2005 is far from a security vulnerability; it’s an effort to make C++ programming more secure!
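To make the difference from strcpy concrete, here is an added example (not code from this post or from Microsoft) that models the Secure CRT calling contract in portable C: the caller passes the destination size, gets an error code back, and the destination is emptied on failure. The names `checked_copy`, `struct session` and `set_name` are hypothetical, and the inputs are constructed.

```c
/* Added illustration: models the Secure CRT calling contract in portable C.
 * checked_copy is a hypothetical stand-in, not Microsoft's strcpy_s. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst, which holds dst_size bytes including the terminator.
 * Returns 0 on success. On failure nothing is written past dst, dst is left
 * as an empty string where possible, and an errno-style code is returned. */
int checked_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return dst == NULL ? EINVAL : ERANGE;
    if (src == NULL) {
        dst[0] = '\0';
        return EINVAL;
    }
    /* Look for the terminator only within the space dst can hold. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL) {          /* src plus terminator does not fit */
        dst[0] = '\0';          /* never leave a truncated string behind */
        return ERANGE;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

struct session {
    char name[8];
    int  is_admin;              /* sits right after name in memory */
};

/* Returns the copy status; is_admin must be untouched either way. */
int set_name(struct session *s, const char *input)
{
    /* strcpy(s->name, input) would write past name[] for long input. */
    return checked_copy(s->name, sizeof s->name, input);
}

int main(void)
{
    struct session s = { "", 0 };
    const char *inputs[] = { "alice", "AAAAAAAAAAAAAAAA" }; /* constructed */
    for (size_t i = 0; i < 2; i++) {
        int rc = set_name(&s, inputs[i]);
        printf("%-18s rc=%d name=\"%s\" is_admin=%d\n", inputs[i], rc, s.name, s.is_admin);
    }
    return 0;
}
```

Microsoft's strcpy_s also invokes the CRT invalid-parameter handler on these failures, which terminates the process by default, so an oversized input fails loudly instead of silently corrupting adjacent memory.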
Most .NET developers stick to managed code. I can only recollect having used the unsafe keyword a couple of times. While managed environments constantly break new ground, there are scenarios where low-level C or C++ is the only option for performance, memory usage or other reasons. In such a scenario James Gosling would probably tell you that “this cannot be done”. The rest of us, Java and .NET developers alike, can reach for our trusty C++ compiler and get things done. Thanks to the efforts of Microsoft’s library team, writing safe C++ code is easier than ever. This is probably why Gosling is so scared.