6

I'm currently investigating Haskell as a platform for secure web development. I'm leaning toward happstack for the web framework part, but I'm also investigating yesod and snap.

My gut feeling says that the way the language works (especially the combination of full purity and a powerful static type system) makes it an excellent choice, security-wise, and the frameworks themselves claim to be exceptionally secure by removing typical security issues and pitfalls found in other stacks.

However, I haven't been able to find any resources to back up this assumption, so what I'm looking for is security reports, research papers, or even informal documents, about security aspects of the Haskell toolchain (particularly GHC and the GHC RTS) and the aforementioned web frameworks (happstack, snap, yesod, and possibly others that may be suitable).

Has anyone performed security audits on either of these? Is there any documented theoretical or practical proof of the robustness and soundness of these tools? Are there any high-profile websites or applications running on either of these frameworks, and what is their security record?

Gilles 'SO- stop being evil'
  • 51,955
  • 14
  • 122
  • 182
tdammers
  • 1,776
  • 9
  • 14

1 Answers1

2

This is a bit different from what you were asking for, but it might be of interest to you:

If you enjoy research papers, you might enjoy reading the following paper, which uses Haskell to provide certain security guarantees about web applications:

And see also the Ur/Web project, which is a functional language and associated system used for web programming. The functional language is used to provide strong security guarantees about the resulting web application and to help web developers avoid security problems in their web application. If you're looking for research papers, see the following academic papers (warning: they are heavy going):

You might find it easier to start with the Ur/Web tutorial instead of the latter two papers above.

D.W.
  • 99,525
  • 33
  • 275
  • 596