[Haskell-cafe] software correctness ... can we in FPL step up to the plate??

Tim Newsham newsham at lava.net
Thu Jan 15 13:36:11 EST 2009


> http://www.businessweek.com/the_thread/techbeat/archives/2009/01/nsa_dhs_industr.html?link_position=link3
> ...
>
> I think that http://www.galois.com is already doing as stated in the
> article/ ...... I sincerely think there is a segue for Haskell here with
> strong and static type checking..

Strong static type checking is a very useful tool, but there's a lot more 
to securing against the 25 most common errors.  For example, you can use 
the type system to ensure that output encoding is always applied to
user-provided data, but you must first be aware of this issue and
write libraries that enforce this and make use of these libraries a
requirement in applications or application frameworks.  Some problems
such as cross-site request forgery are best addressed by the application
framework, so framework authors must be aware of these issues and
implement protections for the issue.  This usually involves the use
of some cryptographic primitives, and the type system doesn't do
anything to make sure you get that right.

Security issues are (mostly) a subset of correctness issues.  Haskell 
provides some tools to help you make sure your program is correct, but 
there are a lot of ways to write incorrect software despite the help
these tools provide.  These tools are very valuable and should be
sold to the wider developer community, but they are no silver bullet.

> Vasili

Tim Newsham
http://www.thenewsh.com/~newsham/
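
The type-enforced output encoding described in the message above, sketched as an added example that is not part of the original post or taken from any existing Haskell library. The names Html, UserInput, text, tag, render and greeting are hypothetical, and the module is written as Main so it runs stand-alone; in a real library the Html constructor would be kept out of the export list.

```haskell
module Main (main) where

-- Markup that is already safe to emit. In a library this constructor
-- would not be exported, so `text` is the only way user data gets in.
newtype Html = Html String

instance Semigroup Html where
  Html a <> Html b = Html (a ++ b)

instance Monoid Html where
  mempty = Html ""

-- Untrusted data gets its own type so it cannot be used where Html is expected.
newtype UserInput = UserInput String

-- Encode for HTML element content and quoted attribute values.
text :: UserInput -> Html
text (UserInput s) = Html (concatMap esc s)
  where
    esc '&'  = "&amp;"
    esc '<'  = "&lt;"
    esc '>'  = "&gt;"
    esc '"'  = "&quot;"
    esc '\'' = "&#39;"
    esc c    = [c]

-- Fixed markup written by the developer; the tag name is not user data.
tag :: String -> Html -> Html
tag name (Html body) = Html ("<" ++ name ++ ">" ++ body ++ "</" ++ name ++ ">")

render :: Html -> String
render (Html s) = s

greeting :: UserInput -> Html
greeting name = tag "p" (text (UserInput "Hello, ") <> text name)
-- greeting name = tag "p" name   -- rejected by the compiler: UserInput is not Html

main :: IO ()
main = do
  -- Constructed sample input standing in for a form field.
  let hostile = UserInput "<script>alert(1)</script> & \"friends\""
  putStrLn (render (greeting hostile))
```

The compiler only checks that text was applied to user data. Whether esc is the right encoding for the context the value lands in is still up to the library author, which is the limit the message points out.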

