
The Rise of Software Security

Gunkerty Jeb writes with an article in Threatpost. From the article: "Perhaps no segment of the security industry has evolved more in the last decade than the discipline of software security. At the start of the 2000s, software security was a small, arcane field that often was confused with security software. But several things happened in the early part of the decade that set in motion a major shift in the way people built software ... To get some perspective on how far things have come, Threatpost spoke with Gary McGraw of Cigital about the evolution of software security since 2001."
  • by nzac ( 1822298 ) on Tuesday September 13, 2011 @07:17PM (#37392870)

    C and C++ ARE disasters. gets() and >> can NOT be used safely. Period. Tons of functions in the standard libraries have been rewritten with secure variants, to try to make it vaguely possible for developers to keep track of buffer lengths. Still, some APIs screw it up and it's nearly impossible for an intelligent human to get it right every time without static analysis tools to back him up.

    So don't use gets() and >>; as you said, there are a number of alternatives. You can stuff up the API in any language if you aren't careful, and everyone has access to static analysis tools. Yes, the record is poor, but there are no other alternatives to compare it against. Once you build the checking into the language, no one will want to use the slower executables it produces.

    OpenBSD and other BSDs prove you can make a reasonably secure OS in C. People relying on C/C++ to be intrinsically secure is the disaster.
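The thread's point that gets() cannot be used safely while bounded alternatives exist is easiest to see in code. The following is an added example, not code from the Slashdot discussion or from Threatpost: a bounded line reader built on fgets() that handles the two cases developers usually get wrong (an overlong line, and a line that fills the buffer exactly), so that a line longer than the buffer is reported as truncated and drained rather than written past the buffer's end. The names read_line_bounded, constructed_input and demo_count_truncated are mine, and the input text is constructed for the demo.

```c
/* Added example (not from the thread): reading lines with a length bound.
 * gets() has no way to learn the buffer size, so any line longer than the
 * buffer overflows it. fgets() takes the size, but its callers still have to
 * decide what to do when the line did not fit; this helper makes that explicit. */
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };

/* Read one line into buf (capacity size, at least 2) and strip the newline.
 * If the line is longer than the buffer, the rest of it is consumed and
 * discarded so the next call starts on the following line, and
 * LINE_TRUNCATED is returned instead of silently overrunning the buffer. */
int read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (buf == NULL || size < 2 || in == NULL)
        return LINE_EOF;              /* treat misuse as "nothing read" */
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline in the buffer: either the line was longer than size-1
     * characters, or it filled the buffer exactly, or it is a final line
     * without a trailing newline. Peek one character to tell them apart. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;               /* the whole line fit; nothing lost */
    while (c != '\n' && c != EOF)     /* overlong line: drain the remainder */
        c = fgetc(in);
    return LINE_TRUNCATED;
}

/* Demo helper (hypothetical name): wrap constructed text in a FILE* using
 * only standard C, so the example runs without real input. */
FILE *constructed_input(const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

/* Demo driver: three constructed lines, the middle one longer than the
 * 16-byte buffer. Returns how many lines were reported as truncated. */
int demo_count_truncated(void)
{
    FILE *f = constructed_input(
        "short\nthis line is far too long for the buffer\nlast");
    if (f == NULL)
        return -1;
    char buf[16];
    int truncated = 0, st;
    while ((st = read_line_bounded(buf, sizeof buf, f)) != LINE_EOF) {
        if (st == LINE_TRUNCATED)
            truncated++;
        printf("%s%s\n", buf, st == LINE_TRUNCATED ? " [truncated]" : "");
    }
    fclose(f);
    return truncated;
}

int main(void)
{
    return demo_count_truncated() == 1 ? 0 : 1;
}
```

Two design choices matter here: the function never trusts the caller to pass the right size (it refuses buffers that cannot hold at least one character plus the terminator), and it makes truncation a visible return value rather than something the caller discovers later, which is exactly the signal static analysis tools look for when they flag unchecked reads.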
