C# is probably not the best choice for a security application?

Question

I have stumbled in this phrase in the web:

"C# is probably not the best choice for a system-level application like this. I believe plain C++ is much better here as you will need to do lots of low-level API calls."

I was searching about security programs made using c#, like firewal, parental control, anti-virus, anti-spyware, etc.

So, is true that C# is probably not the best choice for a security application?

[edit]
I was researching about c# security programs, and I found 2 programs:
1) Keepass (http://keepass.info/compare.html) an impressive password manager that is migrating from c++ to c# !!!
2) Home Again (http://www.codeplex.com/totty530) is a packet sniffer made using c#
[/edit]

Answer 1

“System-level” != “security”. Also, you can write insecure programs in any language.

Answer 2

Things like firewalls often need hooks into kernel-level facilities which aren't (trivially) exposed by managed runtimes like .NET. You can jump through hoops to use the C# language to do this sort of thing, but then, well, you'd be jumping through hoops.

Answer 3

If you are writing a firewall or anti-virus software as in your example, it is easier to write it in C++ since it can gain access to things that C# was not made for. C# is more secure than C++ for writing applications though since it is harder to mess things up.

Answer 4

C# implies that you are using the .Net framework. That adds a lot of code to your application that you have very little control over. If there is a security risk in that version of .Net, it's now in your app.

The same may be true for any additional frameworks you employ with C++, but it is also possible to write C++ code without any additional frameworks.

Neither way defends against you adding insecure code though.

Answer 5

Maybe you should have a look at C++/CLI. It will offer the conveniences of .NET, yet provide the low level access you may need with C++.

Answer 6

Well, if you work in security, you probably want a gun. C++ is a better gun than C#, but beware - it is much easier to shoot yourself in the foot with C++.

Answer 7

Agree. Many of the functions that you'd want to call would be functions that you'd have to P/Invoke from C#. Callbacks from the OS to your C# program aren't pretty either, with stuff like System.Runtime.InteropServices.CallingConvention.

Now, for stuff like the aforementioned Password Managers, this might not matter much. That's really just a fancy database, with smart import/export/storage/transformation features. Still, it would be useful if they could interact with other programs. You simply cannot inject a C# DLL in random processes.