We Keep Coding

For building a highly secure website, can Ada be a better choice than Java/Python? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 4 years ago.
Improve this question
I am from network and OS operations and not from development background. I have some experience in writing Python and PHP code, and have studied software development in college.
As a hobby project (for now), I am planning on building a small website, which will have a component to store PII and sensitive information. I have to give security the first preference, and 2nd to performance (mainly of encryption/decryption).
My target is to have everything encrypted wherever possible, and also to have code which gives as little room as possible (by default) for exploitation. The site will be hosted on linux system.
The whole idea of the project is to learn a language in depth (as much as possible), and I feel I will be much more focused if I pick on some idea that I like. And that idea involves handling PII and other sensitive information. And, if the end product turns out good, then will open it up, hence wanting to make a good choice when choosing the language to write the code in.
I have done some reading, and saw people mentioning that for the backend c/c++ would be good, as it gives good performance and flexibility, but security is not easy. The next best choice would be Ada 2012, as that gives more security than C/C++, and also does not compromise on performance. Java can also provide security, but can be slightly slower. And then Python/Ruby.
I am thinking that Ada 2012 may be a good choice, but I don't want to get into a position wherein I learn it to some extent and then realize that I would have been better off with Python or Java or some other language.
I want to know from the experts answers to these 3 specific questions:
Which language will be ideal to develop this site, so that :
the best available encryption/decryption libraries can be used?
the features of the language can be leveraged to write inherently secure code?
Also, the more performance can be gained, the better?
Please advise. And also, if someone has done website (specially those handling PII) development using Ada, please share your experience.
I know each and every language has advantages and disadvantages, and the intent behind my query is to learn from the experience of those who have spent many years as website developers, and have used multiples languages and frameworks to develop websites handling sensitive data. If the mods think the question can start a good vs bad language war, I apologize as that is not the intent, and I will close the question.

The features of the language can be leveraged to write inherently secure code? Ada's type system supports writing code that validates data before usage. It's a feature of the language that helps with IT-security. But of course there is much more to IT-security than that. Configuring the firewalls, for example using systemd to specify how many processes of an executable is allowed to run simultaneously by the OS, how much memory each process is allowed to allocate, which directories the different applications have access to and permissions, and so on. I am sure there is lots I don't mention nor cover in this short response.
The best available encryption/decryption libraries can be used? The best library to my knowledge for cryptography is the Ada-Crypto-Library: https://github.com/cforler/Ada-Crypto-Library.
But what is asked for is making a safe web application. For encrypting the Secure Socket Layer (https) the Ada-Crypto-Library is not used in any http server implementation that I am aware of. If one wants to develop a web application in Ada there are three options that I see: AWS (Ada Web Server) from AdaCore and that is included in the Community Edition of the GNAT compiler (www.adacore.com), the http server implementation in Dmitry Kazakov's simple components (http://www.dmitry-kazakov.de/ada/components.htm) or GNOGA (www.gnoga.com) that is implemented on top of Dmitry Kazakov's Simple Componenets. Oh wait, Matreshka may also be used but I haven't used it yet so I cannot comment (http://forge.ada-ru.org/matreshka).
According to the documentation of AWS it can be compiled to use either OpenSSL, LibreSSL or GNUTLS (http://docs.adacore.com/live/wave/aws/html/aws_ug/building_aws.html#requirements).
With Simple Components and GNOGA the Secure Socket Layer implementation is provided by GNUTLS.
Another option for providing SSL to a web application is to use the Apache web server as a proxy that handles the encryption (I have never done such a setup, only heard of the existence of this possibility).
Also, the more performance can be gained, the better? I like performance and how to get the best performance is a vast subject. On the whole I think Ada is good programming language choice for those who like performance. Of the top of my head, to maximise performance using Ada one should:
1) When using the standard containers and using the GNAT compiler one may use "pragma Suppress (Tampering_Checks);" to increase the performance of ones application. Not everyone agrees with this view to have one debug build with the tampering checks turned on and then one release build with the checks off since one trades safety for performance, but it has a noticable impact on performance. An alternative to the standard containers one may use the Ada-Trait based containers (https://github.com/AdaCore/ada-traits-containers). They may be the World's most well designed containers for the Ada programming language.
2) Avoid usage of Unbounded_String in the standard library. One may use instead the XString unbounded string implementation in the GNATColl library and may give a 10x performance boost. Also consider allocating ordinary Strings inside memory pools (or subpools) if possible (I've done that in the Xml_Parser application in the repository: https://github.com/joakim-strandberg/wayland_ada_binding)
EDIT: I deliberately avoid arguing whether or not Ada, Java or Python is better and instead focus on, if you would do it in Ada, what would you need to do and consider.

short answer - No,such a system is never possible. PII is less sensitive than a nuclear program.
Long answer --
1. the best available encryption/decryption libraries can be used?
-As your question mentions encryption comes with decryption, the SHA-1 is broken now check alternatives (https://www.forbes.com/sites/forbestechcouncil/2017/04/13/sha-1-encryption-has-been-broken-now-what/#35e33f317ee7) and if you want to dig deep it is not about libraries it is about the algorithm used for the job.Any encryption can be broken sooner or later.
2. The features of the language can be leveraged to write inherently secure code?
There is nothing as secure language or features of language to save you there are few frameworks based on some security princiapls;just follow a set of practices to make code secure.
You follow them you would be safe if you don't there could be trouble and there are around 5000 free tools (unofficial number)that can be run on a website to break it.Are you willing to test your system against so many number of tools ?
3.Also, the more performance can be gained, the better?
-The stronger the encryption and security the more performance you lose always a trade off so choose your treadmill.
Security is a very vague and broad term and everyone gets hacked even the likes of yahoo and Symantec.(https://gizmodo.com/researchers-made-a-clever-tool-to-detect-hacks-companie-1821293404)
still not convinced here is the state of the art -https://en.wikipedia.org/wiki/Stuxnet but even this is 20 years old and just 500-kilobyte of threat.
My 2 cents - As we deal in 0 and 1 please define clear goals in terms of security and performance the make a poc(proof of concept) and run some benchmarks test.

How to service HTTP requests on web server

Alright. I know this may draw some heat as "not good question"/etc., but I haven't found anywhere describing the process in particular (all the resources I've found describe the client-side requesting, not the server-side responses).
I'm going to be working on writing an iOS app in the next coming months necessitating the use of a web server. There are many resources on how to set these up, get them a static IP, etc. but I haven't found any clear ones (and by clear, I mean intelligible by someone not already experienced in it) on how to write a program for such a server that actually responds to the HTTP or client request.
Suppose I have a dummy app and web server combo where the app posts an HTTP request for the time. How would I write an app for the server to bounce the time back when the request comes in? Ideally, I'd like to write this in Objective-C as it's the language I've had the most experience in (whether forced or by choice).
Again, I apologize if it isn't a good question or very clear - I just haven't found any resources that are able to give me much of a place to start.

Your question could probably be described as 'too broad', but I will give it a shot anyway. Disclaimer: I haven't written much server-side code but I have been programming in objc for years now.
The reason you haven't found (m)any resources to help you do what you want to do is because Objective-C is rarely used for writing server-side code. Exactly why that is the case is no doubt a long story, but essentially the answer is because many of the dominant technologies out there (PHP, Python, C#, Java, to name only the prevailing languages) have feaures and associated frameworks that are better suited for that purpose.
In other words, although I can doubltless be done, you are probably better off using something other than Objective-C for the task because:
You will have many more resources available to help you get your job done.
You will have a much larger community that you can query for assistance when (not if) you encounter an obstacle.
You will not have to do many things the hard way because there will be existing tools to make it easier.

I would also recommend you to use PHP as the server-side programming language.
Some mounths ago I was in the same situation as you. We have planned to write a app (Android) which loads some data from a webserver. I've never programmed server-side code till the beginning of the project. So it was quiet interessting and new for me.
We have choosen PHP as the server-side language.
All I can say is, that it was really easy to learn and write your first scripts to get a response to a HTTP-Request. Also the usage of MySQL as the database is really easy and it works fine with PHP.
PHP is a standard. You can find a huge amount of documentation and examples. And of course tutorials and good books ... ;)

fastest scripting programming language? [closed]

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
I have a web application project where performances count more
than anything else, and I have the choice of the technologies
to use.
The language shootout benchmarks that are not really related
to web applications.
What would you recommand as the best suitable candidates?
Thanks!
A friend suggested the gwan server on IRC. Looks to be what I
was searching but I never heard about it before. Anybody with
prior experience on this package? Ease of use, reliability?
Before I leave Apache, I would like to get your thoughts.

G-WAN is a neat webserver: it's based around the "C scripts" concept:
A C script is simply C source-code that is compiled by the webserver and then loaded in protected memory. It will get called by the webserver when a request to the servlet is made. The servlet, as it's compiled by a C compiler, is "as fast" as normally compiling a C program. However, the advantage of C scripts to, for instance, CGI or FastCGI, is that the compiled program is in the same memory space as the webserver. This reduces the overhead of communication (either by creating a process, in the case of CGI, for each request, or the socket for FastCGI).
The webserver is using the select/poll technique: non-blocking I/O. However, there's a neat thing to it. Every program can be written as if it was using blocking I/O. As the webserver itself compiles each C script, it can transform the program to use non-blocking I/O. As of this, it can link itself to third-party libraries (like database access) and still make use of the non-blocking I/O nature: no thread/process context switching.
The tools provided for programming the C scripts are, for instance, caching and safe buffers. The next (not yet released as of writing this post) version will also include a Key-Value store.
Performance-wise: there are some benchmarks available showing it's outperforming any other webserver, however I don't trust these. Try writing a small CPU intensive program in C and in, for instance, PHP. Let the C script run on G-WAN and the PHP script on Apache, and do a benchmark yourself.
There is more to it, but that's out of scope for this question.
Some downsides of G-WAN is that it is developed by only one person. There is a forum, however, where you can ask questions.
Ease of use is limited by your skill in C. The API provided, however, is simple. It still has some inconsistencies and (in my opinion) ugly parts, but that's not a problem. A more serious problem is that each version is not guaranteed to be backwards-compatible and you may have to rewrite.
If you want to be safe: make use of C's platform independentness: allow your code to be compiled to (Fast)CGI programs and also to be used by G-WAN. Might G-WAN fail, you can always fallback to Apache's (Fast)CGI (see http://www.fastcgi.com/ for API's).

If performance counts more than anything else, don't use a scripting language. Especially since you have full control over the technology stack. Compiled languages will perform better for CPU intensive operations.

LuaJit (Lua) is the fastest scripting language with JIT technology..
if you want the fastest for server side web application (that not always scripting), that would be g-wan.. you can use c, c++, java..
ASP.NET is also fast enough for almost anything, but quite pricey
php with hiphop would be easiest to learn and also fast enough..
it depends on how many request do you need.. and how fast you learn the language ^^
don't forget to cache static data (using memcache or nosql)

Begin by identifying if your application performance really depends on the language or on some other factor (like database requests for instance). Ability to cache results can also be a very important factor.
For performance the language used come quite far in the list of important points to check and the use case also influence which language is better. For example if you have many regex to check you should check regex support in the candidate language, etc...
For image processing, the most important point will probably be the underlying image library you use, usually written in C. I have the case of ImageMagick in mind, because I'm currently using it. It's available for as a library for most languages and the scripting language layer is only necessary to call functions of the library and used language at that level won't change much (but caching precomputed result images could change performance by a large margin). This use case would probably be similar for calling a cryptographic lib.
If performance is really such an issue, for image processing you could also consider using a lib that works with GPU accelerator cards (libs with cuda or openGPU support).

Javascript is constantly being scrutinized and optimized for use on mobile devices, so on actual full-size servers it runs EXTREMELY fast. Check out Node.JS, a project for implementing server side javascript to serve webpages: http://nodejs.org/

Well, if you use a database with a large volume of data you will spend more time there than running a php or asp or (insert other flavours here) script
If you can you should build a mockup of your app (or at least a segment of the more database or processor-intensive parts) and try to benchmark those

Update: Seem like Java 7 using NIO.2 has manage to outperform Gwan using C but almost 2x in timing, it is incredible but you can a few a simple tests.
The only downside of Java is not able to integrate shared libraries built on C. I'm ready to challenge someone to prove me wrong that Java NIO.2 is slower than C.

I recommend the Java programming language; it's not a scripting language, but it's probably the fastest programming language that can be used for programming web applications. I also recommend using a framework like Spring for a better programming experience (versus "raw" Java Servlet Programming).

The fasted scripting Language is ASP followed by PHP, but if you want applications that scale to unlimited speeds, use C++ or Java.
Google Search uses C++
Gmail uses Java
YouTube = Python
Twiiter used to use Ruby now they shifted to Java
Facebook = PHP at front end and some java at the backend
But i recommend PHP at the front end and C++ at the back-end

When is it good to use embedded script language like Lua

I'm playing WoW for about 2 years and I was quite curious about Lua which is used to write addons. Since what I've read so far about Lua was "fast", "light" and "this is great", I was wondering how and when to use it.
What is the typical situation where you will need to embed a script language like Lua in a system ?

When you need end users to be able to define/change the system without requiring the system to rewritten. It's used in games to allow extensions or to allow the main game engine to remain unchanged, while allow content to be changed.

Embedded scripting languages work well for storing configuration information as well. Last I checked, the Mozilla family all use JavaScript for their config information.
Next up, they are great for developing plugins. You can create a custom API to expose to the plugin developers, and the plugin developers gain a lot of freedom from having an entire language to work with.
Another is when flat files aren't expressive enough. If you want to write data driven apps where behavior is parameterized, you'll get really tired of long strings of conditionals testing for config combinations. When this happens, you're better off writing the rules AND their evaluation into your config.
This topic gets some coverage in the book Pragramtic Programmer.

Lua is:
Lightweight
Easy to integrate, even in an asynchronized environment such as a game
Easy to learn for non-programmer staff such as integrators, designers and artists
Since games usually require all those qualities, Lua is mostly used there. Other sitation could be any application that needs some scripting functionality, but developers often opt for a little more heavy weight solution such as .Net or python.

In addition to the scripting and configurability cases mentioned, I would simply state that Lua+C (or Lua+C++) is a perfect match for any software development. It allows one to make an engine/usage interface where engine is done in C/C++ and the behaviour or customization done in Lua.
OS X Cocoa has Objective-C (C and Smalltalk amalgam, where language changes by the line). I find Lua+C similar, only the language changes by a source file, which to me is a better abstraction.
The reasons why you would not want to use Lua are also noteworthy. Because it hardly has a good debugger. Then again, people hardly seem to need one either. :)

a scripting language like Lua can also be used if you have to change code (with immediate effect) while the application is running. one may not see this in wow, because as far as i remember the code is loaded at the start (and not rechecked and reloaded while running).
but think of another example: webserver and scripting language - (thankfully) you can change your php code without having to recompile apache or restart apache.
steve yegge did that thing for his own mmorpg engine powering wyvern, using jython or rhino and javascript (can't remember). he wrote the core engine in java, but the program logic in python/javascript.
the effect of this is:
he doesn't have to restart the core engine when changing the scripts, because that would disconnect all the players
he can let others do the simpler programming like defining new items and monsters without exposing all the critical code to them
sandboxing: if an error happens inside the script, you may be able to handle it gracefully without endangering the surrounding application

Rapid development for application with real-time constraints. Computer games are one of these ;-)

It's a valid solution if you want to allow third parties to develop plug-ins or mods for your software.
You could implement an API in whatever language you are using, but a script language like LUA tends to be more simple and accessible for casual developers.

In addition to all the excellent reasons mentioned by others, Embedding Lua in C is very helpful when you need to manipulate text, work with files, or just need a higher level language. Lua has lots of nifty feature (Tables, functions are first class values, lots of other good stuff). Also, while lua isn't as fast as C or C++, it's pretty quick for an interpreted language.

First impressions of the Fantom programming language? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
Has anyone here given the Fantom programming language a whirl? (pun intended).
My first impression:
I like the ability to have the code run on either the .NET or Java VM.
The syntax is nice and clean and does not try anything fancy.
I have a belief that "the library is the language" and the developers of Fan believe that their USP is their APIs:
But getting a language to run on both Java and .NET is the easy part - in fact there are many solutions to this problem. The hard part is getting portable APIs. Fan provides a set of APIs which abstract away the Java and .NET APIs. We actually consider this one of Fan's primary benefits, because it gives us a chance to develop a suite of system APIs that are elegant and easy to use compared to the Java and .NET counter parts.
Any other thoughts, first impressions, pros and cons?

It looks very inspired by Ruby. It says that it's RESTful but I don't see how exactly. Compare with boo, which is more mature yet similar in many ways (its syntax is Python inspired, though).
The design decisions to keep generics and namespaces very limited are questionable.

I think their explanation sums it up:
"The primary reason we created Fan is
to write software that can seamlessly
run on both the Java VM and the .NET
CLR. The reality is that many software
organizations are committed to one or
the other of these platforms."
It doesn't look better than all other non-JVM/.NET languages. In the absence of any information about them (their blog is just an error page), I see no reason why they would necessarily get this righter than others. Every language starts out fairly elegant for the set of things it was designed for (though I see some awkwardness in the little Fan code I looked at just now) -- the real question is how well it scales to completely new things, and we simply don't know that yet.
But if your organization has a rule that "everything must run on our VM", then it may be an acceptable compromise for you.
You're giving up an awful lot just for VM independence. For example, yours is the first Fan question here on SO -- a couple orders of magnitude fewer than Lisp.
For what problem is Fan the best solution? Python and Ruby can already run on both VMs (or neither), have big communities and big libraries, and seem to be about the same level of abstraction, but are far more mature.

I have never heard of Fan until a couple of weeks ago. From the web site, it is about one year old so still pretty young and unproven. There are a couple of interesting points however: First the language is tackling the problem of concurrency by providing an actor model (similar to erlang) and by supporting immutable objects. Second, the object follows the example of Scala with type inference. Type inference allows the programmer to omit type declarations but have it computed by the compiler providing the advantage of short and cleaner code as in a dynamically type language while preserving the efficiency of a statically type language. And last, it seems like a very fast language, nearly as fast as Java and really close or beating the second fastest language on the JM: scala. Benchmark showing the performance can be found at http://www.slideshare.net/michael.galpin/performance-comparisons-of-dynamic-languages-on-the-java-virtual-machine?type=powerpoint.

This is very interesting.
Java (or C#) was created in order to eliminate Platform dependency by creating a JVM (or CLR) that will compile the code into a specific machine code at run time.
Now , There is a languege which is Virtual Machine independent? umm .... what the hell?!?!
Again , this is a very interesting topic , That might be the future...:) going to one universal single languege

I think it looks like a great language feature-wise, but I'm not sure how useful it is. I don't think it is all that useful to target .NET and JVM. Java is already cross-platform, and .NET is too, with Mono. By targeting two VMs, you have to use only the APIs that are available on both. You can't use any of the great native APIs that are available for Java and .NET. I can't imagine that their API is anywhere near as complete as either Java's of .NET's.