posted by Fnord666 on Thursday February 28 2019, @02:55PM
from the hello-entropy dept.

The National Vulnerability Database (NVD) is a US government-funded resource that does exactly what the name implies: it acts as a database of vulnerabilities in software. It operates as a superset of the Common Vulnerabilities and Exposures (CVE) system, which is run by the non-profit Mitre Corporation, with additional government funding. For years it has been good enough; while any organization or process has room to be made more efficient, curating a database of software vulnerabilities reported through crowdsourcing is a challenging undertaking.

Risk Based Security, the private operator of the competing database VulnDB, aired its grievances with the public CVE/NVD system in its 2018 Vulnerability Trends report, released Wednesday, with charged conclusions including "there is fertile grounds for attorneys and regulators to argue negligence if CVE/NVD is the only source of vulnerability intelligence being used by your organization," and "organizations are getting late and at times unreliable vulnerability information from these two sources, along with significant gaps in coverage." This criticism is neither imaginative nor unexpected from a privately-owned competitor attempting to justify its product.

In fairness to Risk Based Security, there is a known time delay in CVSS scoring, though it overstates the severity of the problem: an empirical research report finds that "there is no reason to suspect that information for severe vulnerabilities would tend to arrive later (or earlier) than information for mundane vulnerabilities."

https://www.techrepublic.com/article/software-vulnerabilities-are-becoming-more-numerous-less-understood/
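A check a practitioner can run against the "late and unreliable" claim, as an added example that is not from the article, TechRepublic or Risk Based Security: read an NVD JSON feed, count how many published entries still lack a CVSS v3 score, and see how long the scored ones waited, broken down by severity so the "severe vulnerabilities do not arrive later" finding can be checked on your own pull. The script assumes the NVD JSON 1.1 feed layout (a CVE_Items list whose entries carry publishedDate, lastModifiedDate and an impact.baseMetricV3 object once scored); because the feed has no explicit scoring timestamp it uses lastModifiedDate as a proxy for when the score landed, which is an approximation. The feed excerpt, CVE IDs and reference time below are constructed for illustration, not real NVD data.

```python
"""Measure CVSS v3 scoring lag and unscored backlog in an NVD JSON 1.1 feed.

Added example, not code from the article or from NVD. Assumes the 1.1 feed
layout: {"CVE_Items": [{"cve": {"CVE_data_meta": {"ID": ...}},
"impact": {"baseMetricV3": {...}}, "publishedDate": ..., "lastModifiedDate": ...}]}.
"""
import json
from datetime import datetime, timezone

# Constructed feed excerpt: the IDs, dates and scores are made up.
SAMPLE_FEED = json.dumps({
    "CVE_data_type": "CVE",
    "CVE_Items": [
        {   # scored three days after publication
            "cve": {"CVE_data_meta": {"ID": "CVE-2019-00001"}},
            "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}},
            "publishedDate": "2019-02-01T15:29Z",
            "lastModifiedDate": "2019-02-04T10:15Z",
        },
        {   # published weeks ago, still no CVSS v3 block
            "cve": {"CVE_data_meta": {"ID": "CVE-2019-00002"}},
            "impact": {},
            "publishedDate": "2019-02-10T18:29Z",
            "lastModifiedDate": "2019-02-10T18:29Z",
        },
        {   # scored, but only after about two weeks
            "cve": {"CVE_data_meta": {"ID": "CVE-2019-00003"}},
            "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}},
            "publishedDate": "2019-02-12T20:29Z",
            "lastModifiedDate": "2019-02-26T09:00Z",
        },
        {   # published yesterday, unscored but not yet stale
            "cve": {"CVE_data_meta": {"ID": "CVE-2019-00004"}},
            "impact": {},
            "publishedDate": "2019-02-27T12:00Z",
            "lastModifiedDate": "2019-02-27T12:00Z",
        },
    ],
})

NVD_TS = "%Y-%m-%dT%H:%MZ"   # timestamp format used in the 1.1 feeds


def parse_ts(value):
    """Parse an NVD feed timestamp as a UTC-aware datetime."""
    return datetime.strptime(value, NVD_TS).replace(tzinfo=timezone.utc)


# Constructed reference time (the story's posting time), not read from the feed.
NOW = parse_ts("2019-02-28T14:55Z")


def scoring_lag(feed_json, now, stale_after_days=7):
    """Split feed entries into scored (with lag in days) and unscored (with age).

    Returns {"scored": [(id, severity, lag_days)], "unscored": [(id, age_days)],
    "stale_unscored": [id, ...]} where stale means unscored for >= stale_after_days.
    """
    items = json.loads(feed_json)["CVE_Items"]
    scored, unscored = [], []
    for item in items:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        published = parse_ts(item["publishedDate"])
        v3 = item.get("impact", {}).get("baseMetricV3")
        if v3:
            # lastModifiedDate is a proxy only: it records when the entry last
            # changed for any reason, not when the analyst attached the score.
            modified = parse_ts(item["lastModifiedDate"])
            lag_days = (modified - published).total_seconds() / 86400
            scored.append((cve_id, v3["cvssV3"]["baseSeverity"], lag_days))
        else:
            age_days = (now - published).total_seconds() / 86400
            unscored.append((cve_id, age_days))
    stale = [cve_id for cve_id, age in unscored if age >= stale_after_days]
    return {"scored": scored, "unscored": unscored, "stale_unscored": stale}


def mean_lag_by_severity(result):
    """Average publish-to-score lag per CVSS severity label, in days."""
    totals = {}
    for _, severity, lag in result["scored"]:
        n, total = totals.get(severity, (0, 0.0))
        totals[severity] = (n + 1, total + lag)
    return {sev: total / n for sev, (n, total) in totals.items()}


if __name__ == "__main__":
    result = scoring_lag(SAMPLE_FEED, NOW)
    print("unscored for 7+ days:", result["stale_unscored"])
    for sev, lag in sorted(mean_lag_by_severity(result).items()):
        print(f"{sev:8s} mean lag {lag:5.1f} days")
```

On a real pull, read the downloaded feed file into feed_json in place of SAMPLE_FEED and use the current time for now. The stale_unscored list is the set of entries to cross-check against vendor advisories or another database, and the per-severity lag table is the quantity the quoted research report is about: if CRITICAL entries are not waiting longer than MEDIUM ones, the delay is real but not biased against the vulnerabilities you care most about.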


  • (Score: -1, Flamebait) by Anonymous Coward on Thursday February 28 2019, @05:19PM (#808199) (6 children)

    If everyone coding in C/C++/D/what have you switched to Rust, software would be much safer and better.

  • (Score: 0) by Anonymous Coward on Thursday February 28 2019, @05:31PM (#808207) (2 children)

    Ada? Designed for military applications--life critical systems...

    • (Score: 1) by redneckmother (3597) on Thursday February 28 2019, @06:34PM (#808248) (1 child)

      I was surprised that Ada didn't take off, since DOD was pushing it hard. It is (was?) a decent language. Loved the strong typing, exception handling, and syntax.

      --
      Mas cerveza por favor.
      • (Score: 2) by DannyB (5839) on Thursday February 28 2019, @07:34PM (#808301)

        I first ran into Ada in college. I was told by the grown-ups that I would do well to learn Ada because it would soon be the ONLY language because of the DOD.

        I simply could not believe that. I saw a lot of usefulness in other languages.

        I also considered that an Ada compiler must be a beast of sophistication and complexity. And at this time microcomputers were taking off and had maybe 48 K of RAM. Or 64 K of RAM. Later 128 K, etc.

        --
        To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 2) by DannyB (5839) on Thursday February 28 2019, @06:08PM (#808230)

    Rust is one way to solve memory management problems.

    GC is another way.

    Rust costs more developer time but is much more efficient at runtime. It may not be suitable to build a large complex application. It may be great for microcontrollers, bootloaders, kernels, etc.

    GC makes developers lives easy (which is a major cost center), but has some runtime costs. It is suitable to build large complex systems but wholly inappropriate for microcontrollers, bootloaders, kernels, etc.

    Both Rust and GC approaches solve a problem: leaving attention to memory management in the hands of developers who may not be paying attention.

    The vast, vast majority of historical bugs have been three simple memory management problems. Not freeing something (memory leak). Double free. Use after free. Use a language that makes these impossible and you've just removed the historical vast majority of problems. Strong typing with type problems detected at compile time also solves a huge category of problems and doesn't leave them undetected until runtime.

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 0) by Anonymous Coward on Thursday February 28 2019, @08:07PM (#808331) (1 child)

    Rust is part of the problem. One, it is more googleware. Two, compare the compiled executable from C, C++, D and, say, Rust. Oh yes, the eternal "disk space is cheap and so is memory" argument. I disagree. You multiply the bloat and overhead times every application and process in sight, and soon you can bring down a new Ryzen 12 core to speeds we used to enjoy back when the 8088 was king.

    • (Score: 4, Informative) by Anonymous Coward on Thursday February 28 2019, @09:46PM (#808388)

      Rust is Mozilla's baby. You are thinking of Go.