The Top Programming Languages That Spawn the Most Security Bugs (softpedia.com) 241
An anonymous reader writes: Veracode has put together a report after static analysis of over 200,000 apps, and its results show that Classic ASP, ColdFusion, and PHP generated the most security bugs in scanned applications. Ignoring the first two, which are almost extinct languages, PHP, used for Drupal, Joomla, and WordPress (which recently announced it runs a quarter of the Internet) is the programming language with the most security woes.
normalized? (Score:5, Insightful)
The Internet is a lot bigger now, so you'd expect more discovered PHP bugs than ColdFusion bugs.
Coming up next, there are more operating systems written in C than Fortran, so you will find more root privilege escalations in C than Fortran.
Self-fulfilling prophecy? (Score:4, Insightful)
Re:Self-fulfilling prophecy? (Score:5, Insightful)
There is more to it than simply being popular. Consider a case where you want to output data that the user posted in a form. The obvious way to do it in PHP is this:
Hi <?php echo $_POST['name']; ?>.
In fact up until a few years back, the php tutorial had code like this [archive.org].
This is vulnerable code, the values posted may contain javascript, and the browser would execute it happily. If you are displaying content that other people posted, then a malicious user can easily exploit this code to hijack other users sessions. This is known as XSS (Cross site scripting), and it is one of the most common vulnerabilities in PHP code.
The secure way is this:
Hi <?php echo htmlspecialchars($_POST['name']); ?>.
A good language should be designed in such a way that the simple way is the safe way, and make you be more explicit if you want something else. For example the php expression blocks should do html escaping, and when you don't want escaping you would use a more verbose command that would make it clear that you are outputting a trusted value. In the name of convenience PHP is plagued by questionable design decisions like this. register_globals was on by default up until php 4.2, it is incredibly easy to write sql injection vulnerabilities in php if you are not paying attention, etc.
Re: (Score:2)
For example the php expression blocks should do html escaping, and when you don't want escaping you would use a more verbose command that would make it clear that you are outputting a trusted value.
Which would make it that much harder to use PHP to output a Content-type other than text/html or types matching application/*+xml.
Re: (Score:2)
What would be insanely easier is making a command that let you specify it directly rather than having 2 commands
I wonder how hard that would be to implement in terms of PHP output buffering [php.net].
Re: (Score:2)
The secure way is this:
Hi <?php echo htmlspecialchars($_POST['name']); ?>.
A good language should be designed in such a way that the simple way is the safe way, and make you be more explicit if you want something else.
Could you give that example in C, C is normally considered a good language.
Re: (Score:2)
out << "Hi" << HTML::Text{post['name']};
Re: (Score:2)
Re: (Score:2)
There's no actual security issue there. How can one client POST something and the response from that request go to a completely different client? They can't. And if the user's client machine is compromised to inject javascript in a post, well, um, what is the point of sending it to the server to have it send it straight back?
Re:Self-fulfilling prophecy? (Score:4)
While I strongly agree with the argument that PHP's large target footprint has something to do with its reputation for insecurity, I can't help but wonder whether the architectural similarities of typical PHP, ColdFusion and ASP.NET have something to do with the tendencies of some programmers to produce vulnerable code with them. If you squint, they all have a strong family resemblance to each other: you mix language-specific procedural markup with HTML, which is processed on a server and returned as plain HTML to the browser.
Note that I'm not saying PHP is inherently insecure, but I can think of three reasons why this approach might tend to encourage insecure practices. The first is the way programmers, particularly novice programmers, tend to be introduced to such systems. This is a pet peeve of mine; instructors try to sell students on how easy it is to do things so they show students the simplest way of producing a particular result -- not the way that a proficient programmer should produce that result. The message is "look at how easy it is to make a dynamic website with X!" The details of what you need to do to do things like sanitizing input really clutter that message up; especially in the case of these template-y languages where one of the chief selling points is that they're incremental on top of the HTML you need to know anyway.
It's interesting to contrast something like these systems to JSP, which can be used in exactly the same way except that programmers are taught early on that this "model 1" approach is for wimps who can't handle MVC. Java web apps tend to be grossly over-architected; PHP web apps -- at least the ones I've looked at -- tend to be under-architected, with lots of code replicated across many files which should be centralized in some kind of library. That's the second reason I can think why PHP apps might tend to be insecure: under-designed systems mean you have more places where you have to implement some design policy, or where a "temporary" bit of code that does something like build a SQL query from unchecked user input might slip through into production code. It's not the fault of the language per se; it's programmers reproducing the simplest way they were taught to do something over and over again rather than taking the time to refactor their work so that maintaining and securing it is a manageable task.
The third reason I can think of is that these kinds of systems are so easy for someone who doesn't know what he's doing to tweak in the field. I've done it myself; if you have a basic knowledge of HTML, have ever used a programming language, and know how to use "grep" you can find the bit of PHP that produces a particular output and tweak it to your liking without being a PHP programmer. That means that code that ships secure might not remain so in the field.
Anyhow, I don't know enough about PHP per se to say whether it is inherently insecure in some way, but what I've seen leads me to think that some of the problems at least may be an unwanted side effect of ease of use and learning. There's a world of difference between a PHP system generated by a skilled and conscientious programmer and someone who knows a little HTML and picks up a little PHP to add to that. Fortunately this kind of hacked-up HTML website is looking increasingly archaic these days; if you look at RESTful PHP code it looks pretty much like RESTful interfaces done in any other scripting language. It doesn't have the sprawl I tend to associate with PHP web apps.
Re: (Score:2)
Note that I'm not saying PHP is inherently insecure, but I can think of three reasons why this approach might tend to encourage insecure practices. The first is the way programmers, particularly novice programmers, tend to be introduced to such systems. This is a pet peeve of mine; instructors try to sell students on how easy it is to do things
I can't speak for anyone else, but I can say that I got into developing webpages way before I knew anything about "proper" programming practice because it was easy. I was banging out CGI scripts in bourne script before I even knew how to do a good job of it, let alone why you wouldn't want to do it. The server wound up getting exploited through a remote hole in Apache long before any of my scripts could be a problem. Besides, they all ran as a relatively unprivileged user. Now I just use a CMS, and keep up
Re: (Score:2)
The server wound up getting exploited through a remote hole in Apache long before any of my scripts could be a problem. Besides, they all ran as a relatively unprivileged user.
Well, in the early days that would likely have been the case; the vulnerabilities in the Apache server would have presented a better-known target than your code, people weren't in the habit of keeping up with security updates, and automated tools for attacking website specific code didn't exist yet. Today if you did that then flaws in your code would be much more likely to be the cause.
I'm sure you know that the fact that your code runs unprivileged doesn't really protect you or your users, especially thes
Re: (Score:2)
That argument doesn't work when the measurement is in bugs per megabyte.
This is bug density, not total bugs.
He said apparent bugs, not total bugs or even bug density. His contention was the most used languages will have the most people identifying security holes. Similar to how the most used operating systems will have the most people writing viruses for them. Just because one application has the most identified bugs doesn't mean another application doesn't have far more that are simply not identified.
I don't agree with the argument, since I think there is a threshold where a language is popular enough to have pe
Re: (Score:2)
Well, that would be true, except the bug density was generated from static analysis, not people looking for bugs.
Re: (Score:2)
Apps, it had to be apps (Score:2, Insightful)
That's the bigger problem than the limits of an individual language. The mindset of gluing together little bits of existent code to add serious functionality to what was originally intended as a static information display. Odds are the budget for these projects is tiny and the testing budget is zero. That last detail is what really matters, no dedicated testing, no time allotted for testing beyond 'does it work when the boss tries.'
ASP, ColdFusion and PHP are only the top three because (despite two being
Re: (Score:2)
If fully agree. The problem is incompetent and semi-competent people "quickly kludging new functionality into fairly simple web pages".
Re: (Score:3)
Personally, I wouldn't consider functional bugs to bugs in the language, unless there is no way to accomplish a task without generating exploitable bugs.
Don't blame the result on the language, unless the language itself is the problem. SQL injections are not a programming language issue. It is a problem with the coders.
Bug for bug compat w/o conspicuous deprecation (Score:3)
Personally, I wouldn't consider functional bugs to bugs in the language, unless there is no way to accomplish a task without generating exploitable bugs.
The standard library has bugs. For example, one bug in PHP is the existence of mysql_escape_string, whose behavior is unlikely to match the quoting conventions set on the current connection except by coincidence. These bugs are kept for the sake of backward compatibility, even if they're exploitable by using an incorrect quoting convention for SQL injection.
But it is a bug to fail to discourage new code from using deprecated library functionality. Failure to conspicuously mark deprecated functionality as su
Re: (Score:2)
Nothing more can be done. Stupid people will do stupid things, even when warned repeatedly. Excessive warnings may even be counter-productive, because all those Dunning-Kruger sufferers out there will assume that this large and well-visible warning most certainly is a warning only for stupid people and hence cannot apply to _them_.
One compile-time warning (for interpreted languages: a developer flag or the like), one warning in the documentation and that is enough. More warnings will not get more people to
Re: (Score:2)
The big pink box at the top of the page marking it as deprecated
Good point
plus the warnings in the error log when running in dev mode
Can "dev mode" and production mode be used on the same server? And/or can logs from dev mode or production mode be sent to different log files for different shared hosting customers? If not, then it isn't suitable for use with shared hosting. In addition, a lot of developers may not be running exactly the same version of PHP, and a developer may conflate "dev mode" behaviors with differences between the version of PHP for Windows running on his dev box and the version of PHP for Linux running on t
Re: (Score:2)
You also don't need to make "server-wide" enforced settings for PHP. Each server-client can have custom PHP.ini's.
Re: (Score:3)
Dammit...I've been defending ColdFusion on Slashdot for about 12 years (see username). The last 5 years or so have been very quiet as people just assumed CF was gone. Or more to the point, the 'my language is better than your language' people had moved on.
I've been writing in CF for about 17 years. Yes, even today I use it...and I use it all day long. This is not just "quickly kludging new functionality into fairly simple web pages", it's a matter of creating entire line of business apps.
Guess what? Pe
Re: (Score:3)
"What's my point? I think that too many people in tech are enamored with the new/shiny and jump from technology to technology without spending enough time on the QUALITY of what they are creating"
There are those people who just like to work on blue-sky projects where everything is new and there is no "legacy code". So they are the first to learn the latest skills, design basic systems, then move onto the next project. Everyone else has to clean up after them.
Whew! (Score:2)
And that's surprising ... how? (Score:5, Insightful)
Especially for PHP you will notice that it is the first, if not the only, language people pick up when dealing with scripting for web pages. ColdFusion always smelled a bit like a web designer tool to get some kinda-sorta interactivity into their designs rather than something a programmer would willingly pick up, and I don't know of anyone who seriously learned programming and didn't give ASP a wide berth.
So what you have there is three languages that are predominantly used by people who cannot program sensibly.
In other words, you are dealing with the usual woes of cargo cult programming and copy/paste code. Code and snippets, copied and gobbled up from whatever sources there are on the net, sample code and code Q&A pages that are slapped together and adjusted to fit the needs. Primary concern: It should work. Security? Doesn't even enter the picture. Not even as an afterthought.
That this results in security bugs is a given.
Re: (Score:2)
>> ColdFusion always smelled
Let me stop you right there. No, seriously, that pretty much sums it up.
Re: (Score:2)
I don't know of anyone who seriously learned programming and didn't give ASP a wide berth.
It's worth noting that ASP isn't even a programming language. It's not a language at all; it's a set of conventions for integrating arbitrary scripting languages into your webserver. Out of the box you can use either vbscript or jscript, and you can also add other languages like perl. And then you can mix them all in a single document. The holes "caused by ASP" were just holes in IIS or in one of the script engines.
I once worked for a company which did websites for bands, and one of the big projects was a m
Re: (Score:2)
And iOS and Android are platforms, not languages.
Flawed study is flawed.
What's a "programming language"? (Score:4, Interesting)
Are "iOS" or "Android" the same as "PHP" or "C++"? I didn't hand in my personal informatoin to get the full study, but the stuff shown on this story's link pegged my bs-meter. Also, I'd hope there's a discussion of 'number of occurrences,' finding 10 bugs, 8 of which are null pointer dereference, should be different from finding 10,000 bugs where 'only' 7,500 of them are null pointer dereference.
And wouldn't it be even more useful to know which languages generate the least number of bugs, per line of code?
Re: (Score:2)
I was about to post exactly this; since when are Android, iOS or .net programming languages? And yeah, measuring flaws per MB of source code - surely there are pretty large differences in source code "density" (i.e. how many characters of source code it takes to get a job done) between the things which actually are programming languages, so that's not really a valid measurement IMO.
Re: (Score:3)
It must be great for Ada, though, because it so incredibly verbose.
Also, just changing your C programs from K&R to GNU indentation style will make them more secure!
Re: (Score:3)
The normal metric for languages like Ada, Pascal and yes C or C++ (those should not be considered the same language!) is "statement" as defined by the grammar, and usually simplified by counting "semicolons". If you figure out how to add preprocessor/header files, you'll probably see that for equivalent applications, the statement count between C and Ada is about the same. That's based on my real-world experience working with both languages over the last 30 years, I have no idea if the parent poster has
Re: (Score:2)
I have no idea if the parent poster has much real experience in Ada (I kinda doubt it.)
I have (sort of), because I have chosen Ada a long time ago as my main implementation language for things that need to be fast. But I'm only programming as a hobby and was joking. Anyway, I didn't want to imply that Ada is more verbose than C. They are both insanely verbose.
Re: (Score:2)
APL is probably the least verbose language ever. Not used much, these days: https://en.wikipedia.org/wiki/... [wikipedia.org] In this context, APL would have a lot going for it. However, understandability is probably none of those....
Re:What's a "programming language"? (Score:5, Informative)
I'm an author of this report, so thought I'd offer some feedback.
First, the iOS applications that Veracode scans are written in Objective C (and probably some C or C++). And the Android apps are written in Java. (Yes, you can write iOS and Android apps using portability frameworks like PhoneGap; we separate those findings out into a separate category.) We used iOS and Android as shorthand so that (a) readers would more readily make the connection with what ObjectiveC meant, and (b) we could separate Java used in Android, which has a distinctive risk landscape, from Java used in other applications.
Second, we choose to report on application prevalence, or the number of applications showing at least one of the vulnerability, rather than number of vulnerability occurrences. The application prevalence metric is more meaningful when talking about the overall risk of a large number of applications. There is value in the vulnerability prevalence metric, when it comes to planning remediation effort, but for this study we focused on the former.
Third, we do report average flaw density metrics in the appendix of the study, along with a discussion of some of the limitations of this metric. I suggest reviewing the actual study (it's only about 20 pages) and then posting any additional questions.
Thanks for the questions and keep them coming.
Re: (Score:2)
Thanks for dropping in with the clarifications!
Re: (Score:2)
Third, we do report average flaw density metrics in the appendix of the study, along with a discussion of some of the limitations of this metric. I suggest reviewing the actual study (it's only about 20 pages) and then posting any additional questions.
I might. Got a link? There's no link to it that I could find either here or in any of the links on this story.
Re: (Score:3)
Since Android is written in Java and C++, why (in your opinion) did Android get such a low bug count compared to Java and C++?
Re:What's a "programming language"? (Score:4, Informative)
They use labels like "Objective C (iOS)", which the article is just shortening to "iOS". Also they report errors as "number of errors per megabyte of source code".
Wish they'd broken down C and C++, they're very different languages in terms of how people typically develop them (non-automated vs. automated memory management). Instead they grouped them together and called them just "C++".
Sad that injection bugs are still so prevalent. Kind of makes me wish that standards for different languages would refuse to accept normal strings as arguments to anything that "executes a statement" (SQL, shell commands, etc), and instead require a custom command-string type/class which does not allow straightforward concatenation (making developers explicitly have to convert types if they want to concatenate, maybe with a conversion function name like "useUntrustedString" or somesuch), with the error message if they try to concatenate without explicit conversion pointing out not just that concatenation is banned, but stating why it's banned. Maybe something like that would finally get people to start using proper parameter substitution...
Query adaptation (Score:2)
Kind of makes me wish that standards for different languages would refuse to accept normal strings as arguments to anything that "executes a statement" (SQL, shell commands, etc), and instead require a custom command-string type/class which does not allow straightforward concatenation (making developers explicitly have to convert types if they want to concatenate, maybe with a conversion function name like "useUntrustedString" or somesuch), with the error message if they try to concatenate without explicit conversion pointing out not just that concatenation is banned, but stating why it's banned.
Say you want to write a SELECT statement in SQL, but you want to give the app's user options for what information is included in a report. These options may cause the statement to refer to different columns in the heading, or a JOIN to different tables, or different columns used for summary (GROUP BY). For these kinds of query adaptation, you can't use a prepared statement because the PDO API allows substituting only literal scalar values (such as 3 or 'kitten') into a prepared statement, not table names, n
Re: (Score:2)
Sad that injection bugs are still so prevalent
Am I the only one who finds it strange that we still do DB access via SQL? How did it become normal to string together code for one language using another? Imagine every time we had to do math, it was via a weird language whose interface was entirely eval()-type operations.
Re: (Score:2)
Just realize that a null pointer dereference isn't necessarily a security issue, it's a potential security issue and it's a potential stability issue.
If the application just bombs when you encounter it and returns a server error page once in a while then it's not a big deal, but if someone can feed the pointer data through a crafted request it's a different matter.
Just use Valgrind and Splint and you will shoot most of the blatant errors. But there are still the area of not so obvious errors that are harder
Reason for this (Score:4, Interesting)
If this was from a dynamic scanning company, I would have suspected these results would occurred because that code often run in environments often configured to show web users raw error output, such as "your database call failed - here's what I tried so you can tune your SQL injection attempt appropriately."
[rant] In general, I've found that the utility of "dynamic" (or pentesting) web scanners has dropped precipitously lately as web apps have pushed their presentation out to Javascript apps (making it easier to probe a finite set of web services with standard testing and fuzzing tools) and almost all new environments are set to display terse "got error - now fuck off" messages to end users (if not just a redirect back to the app's home page) if a probe generates an error (that would have generated useful output 10 years ago). [/rant]
>> Ignoring the first two
This is a horrible assumption to make. I remember I looked at bringing Veracode in house specifically because I had a multi-million line legacy web app written in "classic ASP" that powered several hundred million dollars of annual purchases.
Meaningless conclusion. (Score:2, Insightful)
Observation: Most people are right-handed.
Observation: Lots of people kill each other.
Conclusion: Right-handedness makes you kill people.
Something like 75%-80% of the web runs on php (Wordpress, for example.) Naturally if you examine a large number of sites, most of which run on php, you're going to see more security problems coming from sites that run on php.
Now I'm not saying php hasn't had language-based security problems in the past (and currently), but anyone who still thinks it's as porous as it w
Re:Meaningless conclusion. (Score:5, Informative)
Something like 75%-80% of the web runs on php (Wordpress, for example.) Naturally if you examine a large number of sites, most of which run on php, you're going to see more security problems coming from sites that run on php.
Seriously man? You don't think the researchers thought of that? If you had even clicked on the article, you would know that they did.
.NET - with 32 flaws/MB (9.7 critical flaws/MB)
In any case, here is the full list:
Classic ASP - with 1,686 flaws/MB (1,112 critical flaws/MB)
ColdFusion - with 262 flaws/MB (227 critical flaws/MB)
PHP - with 184 flaws/MB (47 critical flaws/MB)
Java - with 51 flaws/MB (5.2 critical flaws/MB)
C++ - with 26 flaws/MB (8.8 critical flaws/MB)
iOS - with 23 flaws/MB (0.9 critical flaws/MB)
Android - with 11 flaws/MB (0.4 critical flaws/MB)
JavaScript - with 8 flaws/MB (0.09 critical flaws/MB)
Re: (Score:3)
But how many of these critical flaws are SQL injection flaws? As has been observed elsewhere every dam PHP howto seems to be keen on using dynamic SQL queries rather than using stored procedures that more or less kill SQL injection issues stone dead (that is unless you start using dynamic SQL in your stored procedure).
What would be interesting is to see the SQL injection flaws removed from these figures.
Re: (Score:2)
But how many of these critical flaws are SQL injection flaws?
If only there were an article you could read that had this information. Then you could read it and avoid making ignorant questions.
As the article points out, code injection and XSS faults are much more common in PHP than SQL injection flaws.
Of course, it doesn't mean that PHP is the worst language......for example, it could be that the worst programmers most often use PHP. More research is needed.
Re: (Score:2)
Interesting that Java and C++ have more flaws per MB than Android, given android apps are usually written in Java and sometimes with C++ mixed in. This implies more about the average Android coder vs the average Java coder than it does about the languages.
Re: (Score:2)
Re: (Score:2)
php isn't garbage, lots of code that's written in php is garbage.
Re: (Score:3)
Or, I'm sick of people bashing php for things that aren't structural/language issues.
Wondering how they measure this (Score:2)
I assume they give the details on how this was done in their security report, which requires registering to download. From their wording they have a tool that scans for common security issues and report them. So where things ranks depends heavily on how accurate the tool is.
Of interesting note is that java is higher than .NET and C++ on flaws, but lower on the list of critical flaws
Javascript is at the bottom. My guess that is because you generally run javascript on the client, and good server architecture
Re: (Score:2)
Good questions, and I suggest downloading the report to confirm your answers. We won't bite.
We report data in this study largely obtained from binary static analysis, run in Veracode's centralized environment where we can tune our engines for low false positive rates.
JavaScript is at the bottom probably because at the time the data was pulled for this study (six quarters from Q4 2013 to Q1 2015), we only supported JavaScript in mobile application use. We have since added support for JavaScript in the web co
Why ignore the ones that had more than 80% of bugs (Score:3)
A finger is instead pointed squarely at PHP, which, with 25% of the applications represented on the internet, only represents less than 8% of the flaws. Not that I have any particular bias towards PHP, I don't even use it, but the finger needs to be pointed at where the trouble spots are, and Classic ASP tops the heap.
Yesterday, I did a good deed. I taught a guy how to use ADO Commands and Command Parameters instead of inline SQL. He was running the inline SQL through some filters to try to catch certain SQL commands in an attempt to defeat SQL injection. So maybe the flaws/MB in Classic ASP will go down by some tiny iota.
Re: (Score:2)
We have quite a few classic ASP applications running. They were coded over a decade ago when that was what you used to develop web applications on IIS. I'd love to port these to PHP or some other language, but it's a time intensive process (both rewriting the code and testing it to find the bugs that the rewriting process introduced) and we don't have the manpower to rewrite EVERYTHING.
Unfortunately, I've been directed that all new applications are to be written in Cold Fusion. So I'm moving from dead la
Re: (Score:2)
>> I'd love to port these (classic ASP apps) to PHP or some other language...all new applications are to be written in Cold Fusion
Why not port to ASP.NET? I've done that conversion dozens of times now. And what kind of hell are you living in that Cold Fusion is even on table?
The problem is not the language, it is the coders (Score:5, Insightful)
You can write secure code in any almost any language (unless the run-time system is insecure, see for example the history of Java), and you can write insecure code in any language (yes, even in Rust, Swift and Go and other newfangled but not really better hype-languages). The difference is not the language. The difference are the people doing architecture, design and implementation. If some languages have more security problems, that is primarily because these languages attract less competent coders.
Incidentally, absolute numbers are irrelevant. What we need is issues per application.
Re: (Score:2)
Exactly this. Take classic ASP, for example. It's not the most recent language by any stretch of the imagination, but it's easy to check user input and escape it to prevent SQL injection attacks.
SQLQuery = "Select UserID where Name = '" & Replace(UserEnteredName, "'", "''")
Re:The problem is not the language, it is the code (Score:5, Informative)
>> above will allow you to take the user entered name and put it into a SQL query without fear of little Bobby Tables wrecking havoc with your systems
[FACEPALM/] That's not even "checking user input" (i.e., making sure the user submitted an expected response) - that's "mindless scrubbing of a single naughty character."
Please send me a couple of the URLs where your apps live and I'll just go get the rest of I want from there.
Re: (Score:2)
Re: (Score:2)
Thanks for that link. I'm not sure how I didn't know that classic ASP had prepared statements. Of course, my preferred method would be to convert the entire application off of classic ASP, but this might be a good stop gap method.
Managed languages (Score:4, Interesting)
So much, then, for managed languages. I thought managed pointers and garbage collection were supposed to free us from all those ills, but evidentally not.
Shame that further down they perpetuate the myth of the C/C++ language. That language doesn't exist - it's either one or the other. In C you'd use raw memory pointers if you wanted to pass a buffer around, making it easy to access it beyond its boundaries. In C++ you'd pass a buffer object that knows its own size, and either dynamically resizes or at least throws an exception on an illegal access.
Because C and C++ have such vastly different approach to the same problem I'd love to see C and C++ split out.
Re: (Score:2)
Wait a minute. (Score:2)
There's substantial relevant work in ISO (Score:2)
ISO/IEC JTC1/SC22 has had a group looking at programming language vulnerabilities, including (a) how to define a 'vulnerability'; (b) how to assess languages against those definitions; (c) an assessment of languages (that have de-jure standards) for vulnerabilities, and related work. There is an introduction here http://www.open-std.org/jtc1/s... [open-std.org] and the work is documented here: http://grouper.ieee.org/groups... [ieee.org]
(Do you suppose the authors of this report are aware of the ISO work?)
More complex than the headline. (Score:3)
Some examples where things are more to do with the context than the language.
For example, SQL injection very very high proportion of php code deals with a SQL database. However in other languages, this isn't quite as ubiquitous. The likelihood that a C++ application even touches SQL is far lower than a php application. Same for XSS (they referenced locally running iOS and Android applications, suggesting that not all code might even be dealing with scenarios where XSS is applicable).
There are a few things where language choice is a factor (buffer overflow, buffer management), but there's a lot of attempts to compare very different applications to each other and assume equivalence.
This is about problem domain where the language is popular more than it is about the language. It's an interesting commentary on the sorts of mistakes developers should be on the lookout for and perhaps motivation for language runtimes to think about things they might possible mitigate, but hard to say 'php is plain worse than objective c', which is what the report is saying.
Our developers make even more (Score:2)
Correlation vs causation (Score:2)
I don't see any proof of causation, only correlation and even that is not well documented since there is no attempt to correlate programmers to bugs, or application type to bug or industry, etc, etc, etc.
If MOST applications written by crappy programmers are done in a industry that normally attracts people that taught themselves to program yesterday and pays accordingly is there any surprise they might have a lot of security issues?
Wordpress is designed to be used by people that have no idea how to spell se
OK, so what do I do now (Score:2)
PHP is the worst (but not really) (Score:3)
I say this as a long time PHP developer. I've fiddled with other scripting languages (Python, NodeJS, Java/Tomcat), and I just find they are not very well suited for a web environment, so I always come right back to PHP.
The problem is actually a few different things, not necessarily related to PHP itself:
- Outdated installations are everywhere
- Outdated and very poorly written Tutorials are even more prevalent
- Lack of general understanding of security is a problem not relevant to any programming language
Many of the security problems with PHP have been addressed long ago when the initial release of PHP 5 came out, and a few more since then.
When interfacing with a Database, developers are now using PDO or a mechanism provided by their framework (usually built on top of PDO). This in and of itself has completely eliminated SQL injection attacks. The problems still cropping up are legacy applications that haven't been updated. Many of these can partially be attributed to outdated PHP installations.
The majority of web hosts run cPanel. cPanel has been making big changes to their product. A few things they have done recently:
- Dropped support for old PHP versions (oldest supported is now PHP 5.4)
- Shifting to a binary package system (via yum repository) for PHP/Apache with safer default configs; previously it was up to the Admin to compile, install, and configure, also supports automatic updates
- Included a mechanism in Apache to configure/utilize multiple PHP versions on a per-user, per-directory basis
- Included support for Apache MPM-ITK [sesse.net]; allows each virtualhost to be run as a specific UID:GID instead of all sites running under the same UID, greatly increasing per-account security so long as each accounts file permissions are secure.
Re:PHP is Fine (Score:5, Insightful)
The problem is the users, PHP is so ridiculously easy to write it leads to people making horrible insecure "awesome" webpages.
I'll let you in on a little secret, the problem is always the users, regardless of technology. That's why some disciplines have separate security tracks from their development or administration tracks, because the concepts run completely contrary to each other. Development is there to provide access. Security is there to prevent access. At some point the two need to come to a compromise, but trying to get developers to do security is about as useful as trying to get security professionals to do development.
Re: (Score:2)
Indeed. PHP coders suck (on average).
However, a language that makes it too easy to write code will always have this problem. I tend to not blame the language for that, but the causality is there.
Languages make bugs easier (Score:2)
Languages make it easier or harder for programmers to inadvertently make bugs.
Re: (Score:3)
These bugs are mostly irrelevant. The ones that matter is where the programmer did not understand the code he/she wrote. And that is a problem before the keyboard.
Re: (Score:2)
These bugs are mostly irrelevant. The ones that matter is where the programmer did not understand the code he/she wrote.
Languages make it easier or harder for a programmer to reason about the behavior of the code he/she wrote.
Re: (Score:2)
Not really. In the end, you are programming a machine through an interface. If the language makes that significantly harder or easier for you, then maybe you should not be doing this in the first place.
Re: (Score:2)
Interfaces have become too large for a human being to keep in his short-term memory. So if it's acceptable for an interface to make it too easy for a human being to accidentally produce insecure code, then perhaps you're right that human beings in general "should not be doing this in the first place."
Re:Are all ten of them Java? (Score:5, Interesting)
Just wondering.
Java is the 4th highest, with about 2% of the flaws found being Java. I'm really shocked that Java shows up higher on the list than Javascript. If ever there was a language where people copy and paste somebodiy's working code and try to mangle it to work for their own purposes with no understanding of the actual language or security thereof, it is Javascript.
Re: (Score:2, Interesting)
Re: (Score:2)
That brings up a great idea for a new language. It could have the syntax of any language that you want to start with, but the compiler ensures that copied code Just Works(tm). Or even better, you don't even have to copy the code, you just need to type the google terms that result in the appropriate SO question as the first hit.
Full Stack (Overflow) Developers (Score:2)
Or even better, you don't even have to copy the code, you just need to type the google terms that result in the appropriate SO question as the first hit.
That'd bring new meaning to "full Stack developer" [christianheilmann.com].
Re: (Score:3)
Nice link. But how can one deny the beauty of this new language?
Example: Hello world
stack overflow java hello world
Example: Print Fibonacci numbers
python generate fibonacci numbers
python how to print a list
Example: Normalize a vector to length 1
c++ callback function fill array with values
c++ array out of bounds error
c++ how to install boost
c++ smart pointer initialize array with zeros
c++ normalize multidimensional vector
c++ how to install gsl
c++ convert array to gsl vector
c++ how to end
Re: (Score:3)
2)Direct users to my website supported by page view adds
3)Profit
Re: (Score:2)
This is off-topic, but I've the Karma to burn. Every time I see your signature, I cringe from the formula proving the exact opposite of the statement you're trying to make... My OCD just got the better of me today. If the error was deliberate, I congratulate you on a successful troll.
// Declarations
//Solve for M //The substitution of K for P and M for t
Knowledge = Power AS K = P;
Time = Money AS t = M;
Work AS W
P=W/t;
K=W/M;
KW = M;
therefore: Money is equal to Knowledge multiplied by Work.
Re: (Score:3)
K = W / M Multiplying both sides by M
K M = W M / M
Simplifying
K M = W
Dividing by K
K M / K = W/K
Simplifying
M = W/K
Re: (Score:2)
Or even better, you don't even have to copy the code, you just need to type the google terms that result in the appropriate SO question as the first hit.
The first joke I saw about this was Stack Sort [xkcd.com] (take the first SO search result for sorting, apply that to the list, loop down the results until it's sorted). This has of course been implemented.
Since it's been implemented, you could do a meta version - search for "stack sort implementation", and run that code!
Re:Are all ten of them Java? (Score:4, Interesting)
The report only concerns security bugs, not all bugs. Most security issues with JavaScript are likely to have been hammered out now.
But JavaScript do fail from time to time on web pages, especially if there's a web page that do something that was permitted in an earlier version but not permitted any longer due to a security issue with that functionality. Another headache with JavaScript that most programmers today have rectified is browser differences.
Some browsers have taken in functionality from competing browsers to ensure compatibility so some issues with JavaScript have been resolved that way as well.
Java libraries - they are good, but also a curse since you can't ensure that you get everything right with the library functions in all cases. Experienced programmers may have their own library of JavaScript functions to use when they make their web stuff.
Re:Are all ten of them Java? (Score:4, Informative)
An important clarification: as the report states, during the period from which this data was drawn, Veracode only supported analyzing mobile JavaScript applications (mobile applications built using cross-platform JavaScript based frameworks like Titanium and PhoneGap). Since this period we've added support for analyzing both JavaScript in the web client (e.g. JQuery based applications) and on the server (Node.js based applications), so the results should be interestingly different next time around. But this limited JavaScript support is a reason that we didn't seek to draw any broad conclusions based on the language in this study.
Re: (Score:3, Interesting)
>If ever there was a language where people copy and paste somebodiy's working code and try to mangle it to work for their own purposes with no understanding of the actual language or security thereof, it is Javascript.
In the majority of web applications the client is given limited scope by the server. Clients can't be given full trust because anyone can create their own malicious client. Security bugs are therefore on the server. Today most javascript is still client side. Yes, node.js has been ma
Re: (Score:2)
None of them are Java.
What everyone must be aware of is that the security issues that exists with Java have primarily been related to the plugin in web browsers, where attackers could gain access to the client machines through specially written applets. Server side Java has rarely been the problem, and most of the server side Java problems have been due to badly written applications not the language itself.
My personal experience is that using a language that requires compiling vastly decreases the amount of
Re: (Score:2)
A correction, none of the top three are Java.
Re: (Score:3)
Java web apps would typically split the presentation, logic and storage from each other and the storage would be via Hibernate / OpenJPA. These impls would tend to be robust and prevent most forms of injection attack.
But are they indexed? (Score:2)
Java web apps would typically split the presentation, logic and storage from each other and the storage would be via Hibernate / OpenJPA.
Do you also advocate separating storage from search? SQL can do both in one command. How does search work in Hibernate / OpenJPA? Does the application have to maintain all indexes itself?
Re: (Score:2)
I agree, and having SQL inside the source of scripting language also opens a different can of worms - the possibility that an attacker can download the scripts and understand the database model and through that craft targeted attacks.
Re:Are all ten of them Java? (Score:4, Informative)
Java actually compares favorably against C# and C++ when you rank it based on the number if critical flaws:
1. Classic ASP - with 1,686 flaws/MB (1,112 critical flaws/MB) .NET - with 32 flaws/MB (9.7 critical flaws/MB)
2. ColdFusion - with 262 flaws/MB (227 critical flaws/MB)
3. PHP - with 184 flaws/MB (47 critical flaws/MB)
4.
5. C++ - with 26 flaws/MB (8.8 critical flaws/MB)
6. Java - with 51 flaws/MB (5.2 critical flaws/MB)
7. iOS - with 23 flaws/MB (0.9 critical flaws/MB)
8. Android - with 11 flaws/MB (0.4 critical flaws/MB)
9. JavaScript - with 8 flaws/MB (0.09 critical flaws/MB)
I think there is something wrong with their test method, skewing the JavaScript results.
Re: (Score:2)
I looked at the article and didn't see a definition of "MB" anywhere. Are they talking flaws per megabyte of code? If that's the case, then yeah, PHP and ASP are going to be a fuckton higher than C++/Java, because they don't require all the boilerplate code of classes. Yeah, classes are available, but so is a simple 1-liner "hello world".
However, totally agreed that their testing methods are bullshit in one way or another when it comes to Javascript. 86% of PHP apps have XSS exploits? Wouldn't this be JavaS
Web APPS in what language? (Score:2)
So what languages for apping web apps aren't Luddite? Now that Swift is free software, would it be worth it to tailor Swift for server-side use [github.com]?
Re: (Score:2)
I don't see how Taylor Swift can solve this problem
Ask the headline writer for El Reg [theregister.co.uk].
javax.servlet != android (Score:2)
Two of the items on the list, iOS and Android, are not programming languages. Why do they appear on a list of programming languages?
Because it's poorly named and should have been called a list of "platforms" more than languages. The opportunities to introduce defects using Java in the javax.servlet framework are very different from those using Java in the android framework. Likewise, the characteristics of bugs in C# and Visual Basic web apps should be fairly similar because both use the ASP.NET framework.