What is the relationship between OOP and code security?

Viewed 150 times

9

Is there any foundation to think that an object-oriented programming style is safer than the structural one?

1 answer

13


I’ll answer the part that can be answered here. Listing the forms of attack, something that’s mutable, doesn’t lead anywhere, and this kind of response isn’t part of the philosophy of the website, besides being very broad and without context. Besides, this is mixing subjects and terms, so it would be difficult to answer everything. Here are some good sources on security, just look. To have real understanding you have to study the subject deeply.

There is no direct relationship between the programming paradigm and security. The security of access to memory and possibly data can influence it more directly. How each one programs and the quality of the programmers directly influence it.

I haven’t even seen a study that shows there’s an indirect relationship. Some people will say that OOP has made the code more organized, others will say that it has made the code more complex. There may be some relationship, but it is very fragile and difficult to measure objectively.

Taking the case of PHP, the improvement in security that has occurred over time has more to do with bug fixes, better libraries and possibly better information than with the introduction of OOP. There is no feature included in the language because of object orientation that helped security be better. It was never the objective of the paradigm to do this.

Contract orientation can influence it indirectly, since this "paradigm" seeks more reliable code. Even so it is indirect and very little. Security depends on many factors and no language or paradigm can help much. What can occur is to give more facilities to not make certain kinds of mistakes.

My experience is that those who programmed well and knew how to make the code safe continued doing it in the same way with object-oriented programming, or even continued with imperative programming. Those who didn’t know what they were doing and didn’t learn anything are making more confused and insecure code with object orientation, or it is the same thing. If someone is better, it’s because he is better informed.

In some cases OOP is used to give more flexibility and this can open more doors to attacks. Depending on what you do, indirectly OOP can worsen security. But it’s a huge can and yet it’s indirect. It’s just that the paradigm made it easier to do something that was feared in another paradigm. I found a study that goes this way, proposing solutions. But almost no one knows these things and makes the mistakes.

To conclude, there is no cake recipe for anything in programming other than very simple and low-demand things. In security there is even less. You have to understand all the fundamentals of computing in a profound way, gain experience, be very attentive and disciplined, and of course, know what to do in each situation. You usually hire a security expert when it’s really important. Otherwise, do the best you can and sort things out as needed.

  • It’s a belief from the '90s that OOP solves any problem :)

  • @epx I talk a little bit about this at http://answall.com/questions/80228/algoritmos-em-c-poo/80233#comment162891_80233. People learn on autopilot. It’s unbelievable how people spend so much of their lives following something like a religion and not trying to understand why they use it. And many courses, books and obviously other "more experienced" programmers (in quantity, not in quality) contribute to perpetuating this.

  • @bigown I read your reply, which I find interesting... but I do not understand your statement: "In some cases OOP is used to give more flexibility and this can open more doors of attacks."

  • @chambelix I’m no security expert, so I don’t know everything that can happen. But I know the basics enough to say that if you use certain patterns, you expose yourself more. I didn’t say that because of OOP you open the doors; it would be contradictory to everything else I wrote. I just said that OOP makes it easier to give flexibility to the application, something that before maybe the person didn’t do because he didn’t know how to do it (this is in the answer). Certain flexibilities may not be well thought out and open these doors. Do you see how it’s indirect? I’ll give you an example:

  • Imagine allowing a class to be inherited and some algorithms to work with the child classes. Someone else does not get what needs to be done in the derived class and opens a door to exploitation that did not exist in the base class. Okay, you have an insecurity because you used OOP. But it’s not OOP’s fault, it’s the programmer’s fault. But if I hadn’t done this, maybe I wouldn’t have given it a chance.

  • Of course, the application is different; it doesn’t have a feature. And it is also clear that the problem could have happened if the feature had been placed in an imperatively coded application. So it’s not OOP that caused the problem.

  • @bigown I understand your point of view... but it seems that you are then confirming a problem of inheritance... understand! However, this does not infer anything about attacks or even less security, in my clear view. Regards for the answer.

  • I recommend using OO more for the sake of increasing productivity, and doing unit testing, so you get more security in your code, or fewer security holes. Yet nothing is safe enough to be unbreakable. It may take longer, but one day someone might break in; it will depend on how much someone thinks it is worth dedicating their time to it, and the importance of it.

  • If your system is not of the gmail.com type, I believe that no one will waste their precious time finding security loopholes in your system unless it already demonstrates basic flaws like SQL injection, or something like that...
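The inheritance scenario from the comments above (a derived class drops a check the base class relied on), as an added example that is not part of the original answer or comments: a base store validates document names, a subclass overrides the public method for caching and silently loses the check, and a hardened variant keeps validation in a non-overridable template method. All class and function names here are constructed for illustration.

```python
import re

# Constructed example: names are only served when they match a strict allow-list.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


class DocumentStore:
    # Base class: public read() validates, then delegates to the _load() hook.
    def read(self, name: str) -> str:
        if not SAFE_NAME.fullmatch(name):
            raise ValueError(f"rejected document name: {name!r}")
        return self._load(name)

    def _load(self, name: str) -> str:
        return f"<contents of {name}>"  # stand-in for the real lookup


class CachedDocumentStore(DocumentStore):
    # Derived class by another author: overrides read() to add a cache and
    # silently drops the check the base class made. This is the opened door.
    def __init__(self):
        self._cache = {}

    def read(self, name: str) -> str:
        if name not in self._cache:
            self._cache[name] = self._load(name)
        return self._cache[name]


class HardenedDocumentStore(DocumentStore):
    # Hardened design: read() stays a template method that always validates.
    # Subclasses may only customise _load(); redefining read() is refused at
    # class-definition time, so the gap cannot be opened by accident.
    def __init_subclass__(cls, **kwargs):
        super().__init_subclass__(**kwargs)
        if "read" in cls.__dict__:
            raise TypeError(f"{cls.__name__} must not override read(); override _load()")


def accepts(store, name: str) -> bool:
    # True if the store serves the name instead of rejecting it.
    try:
        store.read(name)
        return True
    except ValueError:
        return False


def subclass_may_override_read() -> bool:
    # True if a subclass of HardenedDocumentStore can redefine read().
    try:
        type("Sloppy", (HardenedDocumentStore,), {"read": lambda self, n: self._load(n)})
        return True
    except TypeError:
        return False
```

The same loss of a check can happen in imperative code when a new code path bypasses a shared validation function; the point is that the override made it easier to miss.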
