Skip to content ↓ | Skip to navigation ↓

ClojureSecurityHere in Portland, Oregon, we just completed another OSCON conference, where functional languages received even more attention than previous years.

As our system architect, I try to keep an eye on these trends, particularly if they can help our Tripwire engineers become more effective coders and most importantly, more secure coders.

I found the following papers and article have some interesting things to say about secure programming with functional languages:

At Tripwire, we have a variety of technologies that make up the foundation of our products. Some of which is tucked inside our appliances, some of which is obvious when running our products. For example, Tripwire Log Center is founded on Microsoft’s .Net stack (mostly C#) and Tripwire Enterprise uses JVM languages extensively.

Both have some very interesting functional options: .Net has F# and the JVM offers Scala and Clojure. Clojure has been a personal favorite of mine and one we are carefully considering here at Tripwire (but that’s another story for another time).

Cigital Principal Aaron Bedra put together a great presentation on the security of Clojure web applications at the most recent Clojure/West event, which sparked some great discussion on yCombinator news.

Mr. Bedra speaks to the security (or lack thereof) in popular Clojure libraries used for building websites. These days, it’s fairly easy to leverage other libraries using Clojure’s Leiningen build tool and the Clojars repository.

However, your system is only as good as its constituent parts. The same goes for the security of your network, which is only as good as the systems on that network.

Another important aspect of security in languages is, as Chad Perrin says in his article:

“Among many of the most dangerous bugs in a typical imperative program are those that arise because, while we write code, we must be careful to reconcile and account for all the state managed by our programs — and sometimes we fail.”

Clojure, as well as other functional style languages, help simplify managing program state by (ironically) raising data into a first-class citizen by separating it from functions. In doing so, I believe it should enable creating more secure systems.

By the way, isn’t it also ironic that the object-oriented Java VM is the host to many of these functional languages? Are you planning on trying out functional programming? And lastly, does security make “the cut” when evaluating a new language?

Let us know what you think in the comments below.



picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].