Writing in C introduces whole families of vulnerability that aren't a problem in most other languages. Format string vulnerabilities and buffer overflows are the two that immediately come to mind, and these will be added to the normal host of web application security considerations like SQLI, CSRF, XSS, etc.
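A small added illustration of the two C-specific bug classes named in the comment above, written for this thread and not taken from any project mentioned in it. It is a constructed response writer for a C web handler: the unsafe pattern is shown only in comments, and each function implements the fixed form (user data as a `%s` argument rather than the format string; a length check before the copy). Names and buffer sizes are invented.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a response writer of the kind a C web app would use
 * to echo a query parameter. Each function contrasts a common bug pattern
 * (in the comment) with its fixed form (in the code). */

#define RESP_MAX 64   /* arbitrary fixed response buffer size for the demo */

/* Format string bug pattern (comment only, not compiled):
 *     snprintf(resp, len, param);      // param used as the format string
 * If param comes from the request, any %-directives in it are interpreted
 * by snprintf instead of being copied. The fix passes the user data as an
 * argument, never as the format, so its bytes are copied verbatim.
 * Returns the number of bytes written (without the NUL), or -1 if the
 * result would not fit, in which case no partial response is emitted. */
int render_param(char *resp, size_t resp_len, const char *param) {
    int n = snprintf(resp, resp_len, "param=%s", param);
    if (n < 0 || (size_t)n >= resp_len) {
        resp[0] = '\0';              /* refuse to emit a truncated response */
        return -1;
    }
    return n;
}

/* Buffer overflow bug pattern (comment only, not compiled):
 *     char buf[RESP_MAX]; strcpy(buf, param);   // no length check
 * The fix measures the input first and rejects anything that does not fit,
 * rather than writing past the end of the destination.
 * Returns 0 on success, -1 if src is too long for dst. */
int copy_param(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_len) {              /* need room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);         /* n + 1 also copies the NUL */
    return 0;
}

int main(void) {
    char resp[RESP_MAX];
    char big[200];

    /* A parameter containing %-directives is copied verbatim. */
    render_param(resp, sizeof resp, "%x%x");
    printf("%s\n", resp);            /* param=%x%x */

    /* An oversized parameter is rejected instead of overflowing resp. */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("%d\n", copy_param(resp, sizeof resp, big));   /* -1 */
    return 0;
}
```

The two return codes are the point: a C handler has no runtime to catch a bad format or an overrun for it, so every write into a fixed buffer needs an explicit fit check whose failure the caller handles, which is the work the "new hip" languages do implicitly.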
What followed the phase in which you were writing everything in C?
I've gone back to writing most things in C. Including web apps. If you're a crappy programmer, the "new hip" languages might protect you from some classes of issues, but the idea that you're "safer" is deeply, deeply misguided.
I remember words like "hacker" and "1337" being used to refer to people who did reverse engineering, participated in the demoscene or just defaced websites for fun. My, how the tables have turned.
Edit: Added "safer", which was my original point here that I forgot to include.
Psst: There are very nice improvements coming to that project …
Disclaimer: I'm the author.
I had a laugh, mixing C and security in the same sentence.
Digression comment: Has anyone used GWAN? It looks awesome, but the website hints at some eccentricity. http://gwan.com/
Looks like a cool idea, but I feel like hardware-optimization stuff will be wrapped into server OSes eventually if it's meant to be (I'm sure it already is in some ways). If you want to be cutting edge though, give it a shot?
Eheh, so impressed with "eccentric" though. It's funny: I love Clojure and I feel like it's a bunch of "eccentric" vibing trying to tame itself into something that looks like trendy web sites (Rails-community kind of pages, though in Rails there seems to be a flashy site for practically every popular gem, whereas in Clojure the biggest thought they're willing to formulate is some really minimal framework).
http://devopstom.com/blogish/gwan-snakeoil-beware/
Not very positive.
Previous discussion on HN:
https://news.ycombinator.com/item?id=4109698
Contains this little comment by me:
https://news.ycombinator.com/item?id=4109804
> From the site (which seems to disallow copy-paste):
>> The next time someone feels the need to publicly call G-WAN's (1-page) license "weird" or "insane", look at what they sell and who they get their revenues from. Unlike for G-WAN, what they offer is not free for all.
> They have redefined the word 'free' into a fine mist if they expect you to believe Apache and nginx are not free. They're doing something I've seen done before; oddly, it was mainly being done by Usenet trolls.
Why should handlers and actions be separated? Because they're different things! This is already standard in web architectures: the router is a collection of handlers and the functions that the router calls out to are actions. I like that actions are separated out from the monolithic "controller".
"The examples are deployable via fastcgi."
A more hand-holdey approach may be appreciated.