
Which programming language is more powerful for system security?

chopsticks Member Posts: 389
In today's arena, which programming language is more powerful for system/computer security? Is it C, C++, C#, or Java?

My limited understanding is that programs created with C & C++ are platform/OS independent, but C# & Java each need to have their run-time environment installed before their programs can be run.

On a different topic, installing the respective run-time environment can be a security concern and a bigger attack surface, hence we need constant patches regularly (e.g. exploit: Java/CVE-2012-0507?). So is it a good idea to have them installed?

Comments

  • alxx Member Posts: 755
    For which system?

    PC Windows, PC Linux, PC Mac, network systems?

    Nothing is fully secure, you can only reduce/minimise the risk.

    If you need a language runtime, install it but keep it updated and patched along with the OS.

    Just C, C++, C# and Java?
    What about Python, Erlang, Fortran, JavaScript, VBE/VBS (in MS Office), .NET runtime, COBOL (still used in some business systems in insurance companies and banks).

    A lot of stuff gets installed as part of program installs without people really knowing.

    Personally I prefer Python for general programming and pen testing. Look up scapy, pypcap etc.
    Dirk Loss: Python tools for penetration testers
    Goals CCNA by dec 2013, CCNP by end of 2014
  • NinjaBoy Member Posts: 968
    It also boils down to how the program is written, regardless of what language.
  • Ch@rl!3m0ng Member Posts: 139
    alxx wrote: »
    For which system?

    PC Windows, PC Linux, PC Mac, network systems?

    Nothing is fully secure, you can only reduce/minimise the risk.

    If you need a language runtime, install it but keep it updated and patched along with the OS.

    Just C, C++, C# and Java?
    What about Python, Erlang, Fortran, JavaScript, VBE/VBS (in MS Office), .NET runtime, COBOL (still used in some business systems in insurance companies and banks).

    A lot of stuff gets installed as part of program installs without people really knowing.

    Personally I prefer Python for general programming and pen testing. Look up scapy, pypcap etc.
    Dirk Loss: Python tools for penetration testers

    +1
    And if, like me, you're a big kid at heart, some of the commands and switches will make you smile, like the spidermonkey stuff :)
    Currently reading: Syngress Linux + and code academy website (Java and Python modules)


    "All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'
  • Webmaster Admin Posts: 10,292
    chopsticks wrote:
    which programming language is more powerful for system/computer security?
    It's relatively easier to switch between/to different programming languages than to learn programming in the first place so if you are looking to start with programming I'd just pick the one that feels most intuitive. Which language is eventually "more powerful" is very general and depends on many factors including the programmer's ability.

    If you are looking to develop security tools on Windows "and" you are just getting started with programming, I would start with C#. Easier than C++, more custom network related libs etc than VB, and with the availability of the user-friendly free Visual Studio Express editions I would choose it over Java.
  • CEHwanabe Banned Posts: 31
    Good question, wanna see other answers.
  • paul78 Member Posts: 3,016
    CEHwanabe wrote: »
    Good question, wanna see other answers.
    It's really not any more complicated than NinjaBoy stated - programming languages are tools - it's about how you use them and what you are trying to accomplish.
  • Pash Member Posts: 1,600
    Webmaster wrote: »
    It's relatively easier to switch between/to different programming languages than to learn programming in the first place so if you are looking to start with programming I'd just pick the one that feels most intuitive. Which language is eventually "more powerful" is very general and depends on many factors including the programmer's ability.

    If you are looking to develop security tools on Windows "and" you are just getting started with programming, I would start with C#. Easier than C++, more custom network related libs etc than VB, and with the availability of the user-friendly free Visual Studio Express editions I would choose it over Java.

    Johan has put this perfectly. Using C# is a smart choice: it's easy to learn and it's a higher-level iteration of C++/C. It looks a lot like Java as well, so you could move between the two easily enough, and you would have full access to all .NET libraries. Rob Miles provides an awesome free resource located here. Just post back if you need further help.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • chopsticks Member Posts: 389
    Thank you, my friends, for recommending C#. I just researched and saw the usefulness and power of programs created with C#. I totally agree with you that it is how we write our code rather than the choice of the programming language we use. C# looks interesting and I shall try it out. Many thanks to everyone who shared their ideas and opinions on this topic.
  • DevilWAH Member Posts: 2,997
    I also agree, as a step on from "scripting", C# and indeed all the .NET languages offer a great step into "real" programming. Once you have the likes of C# under your belt you will be well placed to step into any language you choose, with a good understanding of the strengths and weaknesses of the languages out there.

    Edit: and why did I not know about the yellow book before!! :)
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.
  • alxx Member Posts: 755
    Can't agree with some of the comments on C#. I do agree with Johan.

    C# will tend to limit you to Windows and just to software (there is embedded C# but it's not widely used).

    Real programming? To me real programming is bare to the metal programming without an OS to get in the way,
    like microcontrollers ;)

    Depends what you want to do.

    Rough/very general description:
    If you want to do embedded systems or hardware interfacing, C is the main language.
    C and C++ for operating systems/realtime.
    Fortran or C++ or MATLAB for scientific computing and analysis.
    For FPGAs, VHDL and Verilog (and Tcl for scripting the tools).
    C# or Java for business software.
    Quick prototyping: Python.

    Also worth learning SQL and how to do it properly - way too easy to do SQL badly/insecurely.

    Main thing regardless of language is how to break a problem down into blocks and again and again into small logical steps. Learn how to flow chart and how to write pseudocode.

    Design your program first, then write the code - writing code first is the error/trap most programmers fall into, it's a bad practice.

    Then when coding, write the comments first describing how that function or block works or is supposed to work, then write the code.

    Learn how to properly test and debug your code, not just depending on the compiler to find errors. Most compilers can't find logical errors.

    Learn how to use a debugger and look at test driven development.
    How to write unit tests and test cases
  • chopsticks Member Posts: 389
    alxx wrote: »
    If you want to do embedded systems or hardware interfacing, c is the main language.

    Thanks alxx for inputting your comments. I had thought Assembly Language would do a terrific job for this?
  • jdancer Member Posts: 482
    chopsticks wrote: »
    Thanks alxx for inputting your comments. I had thought Assembly Language would do a terrific job for this?

    You can go with assembly language but you will not gain portability. The code will be restricted to that particular processor.

    I got started with C under BSD UNIX but have since moved on to C#.NET.
  • paul78 Member Posts: 3,016
    chopsticks wrote: »
    I had thought Assembly Language would do a terrific job for this?
    Although you can use assembly to write bootstrap software for an embedded system, it's more common to use a C cross-compiler since C will have better tools for system development of embedded systems. When you need to gain access to hardware on the embedded system, most if not all C compilers will allow you to add assembly in the code.

    My earlier comment about programming languages wasn't intended to be flippant. The choice of language is really about what you are trying to do.

    Is there something specific that you are trying to learn or perform?

    For example,

    1) If you are referring to learning a language so you can write web application security test tools - usually a language with libraries that have APIs to manipulate HTTP/S and handle HTML is a better choice - which is one reason why you see a lot of those tools written in Perl and Python.

    2) If you need to write a GUI with cross-platform support, you may see Java used or even C/C++ with GTK libraries.

    3) If a robust Windows-only platform with high-level APIs only is needed - C# is a good choice.

    4) If you are doing modeling for finance or something esoteric like oil exploration - you may choose to use Matlab or one of those types of specialized languages.
  • Pash Member Posts: 1,600
    Hey alxx, you make some fair and helpful points but maybe I can assist with some of your information.
    alxx wrote: »
    Can't agree with some of the comments on c#. I do agree with Johan .

    C# will tend to limit you to windows and just to software (there is embedded c# but its not widely used)

    Take a look at mono project here. It is strange but I got my first introduction to C# from a Linux format special coding edition extract :D You keep selling C# as Windows only, its not entirely correct.
    alxx wrote: »
    Real programming ? To me real programming is bare to the metal programming without an os to get in the way
    like microcontrollers icon_wink.gif

    The OP has clearly done some research on programming languages and that's a good idea to understand what is widely used out there. Unfortunately, he/she doesn't mention what level of experience they have in scripting/programming. As you know, C# is relatively easy to pick up, it covers OOP/OOD requirements and it has access to .NET. I think its a great start point to move to the lower level iterations of C and to Java/Python etc. It's a little subjective to mention real programming being bare metal programming only, many developers don't even care what assembly is BUT many hardware developers obviously do.
    alxx wrote: »
    Depends what you want to do.

    Rough/very general description:
    If you want to do embedded systems or hardware interfacing, C is the main language.
    C and C++ for operating systems/realtime.
    Fortran or C++ or MATLAB for scientific computing and analysis.
    For FPGAs, VHDL and Verilog (and Tcl for scripting the tools).
    C# or Java for business software.
    Quick prototyping: Python.

    Also worth learning SQL and how to do it properly - way too easy to do SQL badly/insecurely.

    Yup, this is a good summary in all fairness. I originally thought the OP wanted to write a security/hacking application but I can see there is no mention of the type of application/project to be undertaken. If the OP is interested in security as a subject, why not write a security/hacking app that does OS fingerprinting (you seem to be up to date on your CVEs, which is textbook, good job)? You could get the TCPwindowsize of your targets and do profiling. Maybe there is even a way to integrate a tool like nmap into your app :)
    alxx wrote: »
    Main thing regardless of language is how to break a problem down into blocks and again and again into small logical steps. Learn how to flow chart and how to write pseudocode.

    Design your program first, then write the code - writing code first is the error/trap most programmers fall into, it's a bad practice.

    Then when coding, write the comments first describing how that function or block works or is supposed to work, then write the code.

    Learn how to properly test and debug your code, not just depending on the compiler to find errors. Most compilers can't find logical errors.

    Learn how to use a debugger and look at test driven development.
    How to write unit tests and test cases

    Good advice again.

    C# was just a recommendation based on the fact that to build an application you have access to .NET and it will introduce you to every OOP concept you need to worry about. You don't need to reinvent the wheel every time you want to build something up and that's always a good thing in my eyes. But again, it's a suggestion.

    Alxx mentioned python as well, always a good choice with thousands of ready built libraries. If you have an android phone/tablet you can even do python compiling on the move, this is all very appealing if you have long train/bus rides and want to learn on the move.

    Good Luck!
  • DevilWAH Member Posts: 2,997
    alxx wrote: »

    Real programming? To me real programming is bare to the metal programming without an OS to get in the way,
    like microcontrollers ;)

    I really don't think "real programming" has anything to do with the language you are using.

    You can be a bad programmer in Assembly or a great programmer in VBScript. The difference between a good or bad programmer is not what language they use, but what they understand they are doing.

    A good programmer may not work on a bare metal system, but that does not mean they don't have a clear understanding of how their application will run from the user interface, down through the OS and into the hardware.

    In my view there is no point in starting with a language at the extremes, Assembly vs VBScript. Both of these are niche players and very focused on specific types of projects.

    The more mainline languages, such as C# or indeed, if you want to take the plunge, C++, will give a much more holistic view of the strengths/weaknesses, positives and negatives of all programming languages. By the time you have mastered one of these mainstream languages you will be in a much better position to choose the correct language for what you need.

    The .NET languages offer an "easier" way into Windows-based programming (yes, not only Windows, but this is where Microsoft aim them). C++ is of course more flexible, and if you know you want to work outside of Windows and want portable code from the start then it's a good choice.

    But in my view, honestly, if you want to create an app based around security you should not be needing to ask what language to use; to be sure of security you need to know the language inside and out and understand what the code does at every level. Good programmers don't just code in one language but a number of them, picking the right one for the right job.

    With this in mind I would always suggest starting with a language with a broad range of applications; use it to understand how programming works and then you will be in a good position to look at other languages to see which ones are right for you.
  • RobertKaucher Member Posts: 4,299
    Every language has certain things that it is very good at doing and other things that it struggles with. If this were not the case we would not have any need whatsoever for different languages. Perl and Python are very good at parsing text and strings for example and C# does not in any way compare to those languages in its abilities to work with strings. Any application needs to consider this and as yet there is no general purpose "security" language, so whatever you are doing needs to be considered more generically.

    Are you trying to crawl a ton of file shares searching for sensitive information? Python.
    Are you trying to do some sort of social engineering of users to get their passwords? Maybe Flash or JavaScript.

    Any discussion of what a "real programmer" is or is not is completely subjective and will verge on nothing useful except a flame war or, at its best, to do this:

    dead+horse.gif
  • alxx Member Posts: 755
    You guys ignored the smiley face. :D


    I wasn't suggesting the OP learn asm.

    Assembly is fine for small micros like PIC 10F or 16F (nice small instruction set of 35 instructions)
    or 8-bit AVR, but in most cases you are better off using C.
    Then just use asm where you need it for speed - microcontrollers still.
    Less code to write (no for or while loops in asm).

    Problem is there are too many different microcontrollers, and to learn the asm for each one and remember it takes too long.

    Good thing: using small micros and asm makes you learn to be economical with RAM and register use.

    I know of and have used Mono a bit on Linux and Mac, but a majority of C# is on Windows, especially commercial work.

    I prefer working with microcontrollers and FPGAs - that's what my work has mostly been for the last five years. Currently working on/with FPGAs in both my jobs (PCIe and optical networking in one and simple interfacing in the other). Have also done a bit on imaging processing on PCs and DSPs.
  • KenC Member Posts: 131
    alxx wrote: »
    Learn how to properly test and debug your code not just depending on the compiler to find errors. Most compilers can't find logical errors.

    Learn how to use a debugger and look at test driven development.
    How to write unit tests and test cases

    alxx, I'd appreciate any pointers, templates, guidelines or resources on this very area. Anything! We have a system in place in work that I would like to move completely away from paper based (only a small part in the overall scheme of what is done there). I see it as a perfect one-person mini-project that I could use to tie-in all stages of the system lifecycle, and apply it to a work situation. Thanks.
  • chopsticks Member Posts: 389
    Thanks to the kind people who have replied in this thread, I picked up beginner books & started learning C-Sharp (yes, I pronounced it as C-Hash before I read the books). As I read, it becomes very interesting to me that there are such things as, and so many fragmented pieces of information on, the .NET platform and Microsoft Windows (e.g. the FCL & CLR; the older ways of doing things like the 16-bit API, the W32 API, COM+, etc.). Another interesting thing to know is that Microsoft has developed a very effective scripting language, PowerShell, which can also work with C-Sharp as an integrated solution. There is so much to learn. Very, very interesting really.