[rwos]

While static analysis can be quite a powerful tool, it doesn't magically fix everything. Some of the typical web-application vulnerabilities are shell/SQL injections, XSS, and CSRF. Also, passwords saved in a insufficiently hashed form, or even in plain-text. All of those are bugs on the architecture level, or "business logic bugs".

[tikhonj]

You can certainly prevent shell/SQL injection very easily with a good type system. Yesod, one of the Haskell web frameworks, certainly does this. Basically, you just give strings gotten from the user a different type than normal strings so that you can't use them without sanitizing or explicitly circumventing the sanitizer.

I don't know enough about web development to tell you if you can prevent XSS or CSRF, but I wouldn't be surprised if you could.

The important insight is that a good type system can fairly easily do much more than most people realize. Certainly far more than you can do with languages like Java!

[gtani]

Languages with good type systems (haskell, scala, ocaml) can certainly address these. I haven't been following liftweb (scala) closely but I give the author, DPP, credibility, when he says that he's addressed the first three.

http://seventhings.liftweb.net/security

[wvs]

http://www.impredicative.com/ur/ has a very strong type system that claims to statically prevent any kind of code injection outright.