[plt-scheme] Why do folks implement statically typed languages?

From: Noel Welsh (noelwelsh at gmail.com)
Date: Thu May 31 11:46:52 EDT 2007

Just came across this:


It lists the top 3 errors causing security holes.  They are:

1. Using unvalidated user input.
2. Buffer overflow
3. "Handling integers incorrectly"

The former could be solved with a static type system.  It can also be
addressed with dynamic checks with the usual tradeoffs.

The second concerns safety and is unrelated to types.

I don't really understand the third, but it seems like they're
conflating issues with integer overflow and unsafe casts.  The former
is an implementation property.  The later is an unsound type system.

I think this is weak evidence that the presence or absence of a static
type system (of the sound, er, type) is unrelated to major security
holes.  The evidence is weak due to unsophisticated PLs used to
implement the vast majority of the programs out there, and the
inability to account for programming style (you can program Fortran in
any language, or so the saying goes).


Posted on the users mailing list.