Well, just so we're clear: I buy the idea of using Haskell or OCaml for static code analysis (in fact, one of the better known static analyzer tools, which operates on binary control flow graphs, is written in OCaml).
What I don't buy is the idea that the Haskell runtime actually improves SQL or HTML security. By all means, write a Haskell source analyzer. It will help. But a web app stack written in Haskell will presumably have the same problems (or lack thereof) that Rails does.
Mathematical reasoning, for what it's worth, doesn't have a great track record in systems security. ;)
I'm not sure how you can assert that math hasn't informed real security. Even disregarding crypto (which is pretty much the purest math you'll ever see in CS), the bulk of classic security design is based around systems like BLP and Biba, which are not only very strongly rooted in algebraic theory, but rely on formal proofs for assurance of their correctness.
At the end of the day, Haskell is just another programming language, with all the equivalent strength and limitations that provides. However, I do think that having a cultural expectation of strong type checking and reasoning about systems can only help security.
(To be fair, I should disclose that I do most of my day-to-day coding in Ruby. However, I'm trying to impose the discipline of at least mocking out security-sensitive systems in Haskell before implementing them in Ruby to force me to make my assumptions about safety and information flow explicit.)
I didn't say math hasn't informed real security; I said mathematical reasoning hasn't had a great track record in systems security. What doesn't seem to work is proving a "kernel" and then building application code on top of it; you have to analyze everything, formally, which is too expensive. So in the real world, a B-level secure Solaris kernel like Argus Systems sold still falls to code execution vulnerabilities in its after-market web server.
I'm not repudiating math. I'm just saying, systems security is messy.
You're right, of course, that systems security encompasses more than a formally-verified system can encompass. I say this having worked for a group that pitched the DoD and private vendors on "provably correct" systems that relied on commodity operating systems and compilers, so I really do get it, and know just how horribly limited formal methods are in the real world.
My point is, as I originally suggested, that any static analysis would likely be an improvement over what currently happens in the LAMP world. Most compiled languages have at least some tools available which developers can use to perform basic sanity checks -- the compiler itself being of course the first and most oft-overlooked of these. Dynamic language users lack even that basic safety net, which is the reason for my primary argument about the benefits of type safety and static analysis.
Basically, we're in furious agreement, and if you had caught me at a different time of day or mood, I could just as easily be standing on your side of the fence, arguing against someone who was trying to tell me that theory could solve all my security problems.
What I don't buy is the idea that the Haskell runtime actually improves SQL or HTML security. By all means, write a Haskell source analyzer. It will help. But a web app stack written in Haskell will presumably have the same problems (or lack thereof) that Rails does.
Mathematical reasoning, for what it's worth, doesn't have a great track record in systems security. ;)