Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Programming Bug Java PHP Python Ruby Stats

Which Programming Language Has The Most Security Vulnerabilities? (techrepublic.com) 330

A new report from the open source security company WhiteSource asks the question, "Is one programming language more secure than the rest?"

An anonymous reader quotes TechRepublic: To answer this question, the report compiled information from WhiteSource's database, which aggregates information on open source vulnerabilities from sources including the National Vulnerability Database, security advisories, GitHub issue trackers, and popular open source projects issue trackers. Researchers focused in on open source security vulnerabilities in the seven most widely-used languages of the past 10 years to learn which are most secure, and which vulnerability types are most common in each...

The most common vulnerabilities across most of these languages are Cross-SiteScripting (XSS); Input Validation; Permissions, Privileges, and Access Control; and Information Leak / Disclosure, according to the report.

Across the seven most widely-used programming languages, here's how the vulnerabilities were distributed:
  • C (47%)
  • PHP (17%)
  • Java (11%)
  • JavaScript (10%)
  • Python (5%)
  • C++ (5%)
  • Ruby (4%)

But the results are full of disclaimers -- for example, that C tops the list because it's the oldest language with "the highest volume of written code" and "is also one of the languages behind major infrastructure like Open SSL and the Linux kernel."

The report also notes a "substantial rise" across all languages for known open source security vulnerabilities over the last two years, attributing this to more awareness about vulnerable components -- thanks to more research, automated security tools, and "the growing investment in bug bounty programs" -- as well as the increasing popularity of open source software. And it also reports a drop in the percentage of critical vulnerabilities for most languages -- except JavaScript and PHP.

The report then concludes that "the Winner Of Most Secure Programming Language is...no one and everyone...! It is not about the language itself that makes it any more or less secure, but how you use it. If you are mitigating your vulnerabilities throughout the software development lifecycle with the proper management approach, then you are far more likely to stay secure."

Coincidentally, WhiteSource sells software which monitors open source components throughout the software development lifecycle to provide alerts about security (and licensing) issues.


This discussion has been archived. No new comments can be posted.

Which Programming Language Has The Most Security Vulnerabilities?

Comments Filter:
  • by hcs_$reboot ( 1536101 ) on Sunday March 24, 2019 @10:42PM (#58328490)
    but the programmer that uses it.
    • by hcs_$reboot ( 1536101 ) on Sunday March 24, 2019 @10:45PM (#58328508)
      But to be fair. some languages are more prone to security holes (like PHP, especially the older versions).
      • Re: (Score:2, Interesting)

        by Narcocide ( 102829 )

        It is only really the default configuration of older PHP versions that make it so much more practically insecure. In reality, JavaScript should be higher up on this list, because some of it's innate behaviors are so badly designed they cause vulnerabilities that can't be mitigated in any way other than simply not using it.

        • by ShanghaiBill ( 739463 ) on Monday March 25, 2019 @01:38AM (#58329064)

          PHP has more than a dozen different ways to connect to a database. PHP has a long history of glomming on new APIs, but never deprecating the old, even when shockingly insecure. This is especially bad for PHP because most of PHP's user base are low IQ Wordpress extension hackers who are not qualified to be making security decisions on their own.

          • by AmiMoJo ( 196126 ) on Monday March 25, 2019 @03:52AM (#58329370) Homepage Journal

            The same is true of C programmers though, far too many of them don't understand the language and just hack stuff together to fulfil the contractual obligations and then disappear.

            Contract work is a particular problems. There was a study recently, sorry I lost the link, where they put out contracts for a basic login page. Most of the developers didn't bother storing the password securely at first, then when asked managed to botch doing it. Contract work encourages minimum effort and throwing unsuitable libraries at problems, and often the person checking for completion doesn't understand the security issues.

            • by ctilsie242 ( 4841247 ) on Monday March 25, 2019 @07:22AM (#58329948)

              I would say that everyone is right here. C, it is easy to make mistakes which cannot happen in Java or Python, like not watching where pointers are going, array out of bounds issues, and other stuff.

              However, part of it is modern coding in general. The last several "Agile" places I worked at were in permanent sprints, and the job of the developers is to get a feature that marketing already sold to the customer into the product. It doesn't matter if it doesn't work, or is horrifically insecure. It is about making those deliverables in time. When one was made, marketing had two more waiting to be done, so it never ceased.

              In most places, one can easily wind up having their job outsourced/offshored if they don't make deliverables. On the other hand, something horrifically insecure that causes every customer to have a backdoor to the world, the developer is insulated from that, through many layers of corporate bureaucracy, so even if there are lawsuits, the developer would likely feel no consequences.

              tl;dr, blame the programmer, not the tools. However, some languages require more thought to program safely/securely than others.

              • I wrote a kernel module not long ago... in C. I was extremely diligent to make the code as clean as possible and to make the memory and error management as perfect as possible. I even added as many checks as I could. I wrote massive amounts of unit and integration tests. I configured multiple static code analysis systems to keep the code as pristine as possible... you shouldn't even be able to look at the code without causing some warning to be generated.

                Then we got to procfs which is a bleeding disaster.

                No
          • Its like the what dogs bite the most people scenario, yes Labradors are way up on the list, but only because theres so many of them compared to other breeds.

        • It is only really the default configuration of older PHP versions that make it so much more practically insecure.

          So the fact that PHP can introduce weird bugs due to surprising behavior of even basic operations is irrelevant for security now?

          In reality, JavaScript should be higher up on this list, because some of it's innate behaviors are so badly designed they cause vulnerabilities that can't be mitigated in any way other than simply not using it.

          And an example of that would be...what exactly?

      • by gweihir ( 88907 )

        But to be fair. some languages are more prone to security holes (like PHP, especially the older versions).

        No. The only thing PHP does is to make it easier for bad coders to create really simple to exploit vulnerabilities. Anybody competent will write code just as secure. It may take them longer because PHP is a really, really bad design that no good coders would use given a choice. (If you think different, then you are not a good coder. Sorry. It is completely clear and you are deluding yourself. PHP ignore fundamental principles of good engineering in many places.)

        • by hcs_$reboot ( 1536101 ) on Monday March 25, 2019 @12:55AM (#58328954)
          Of course the programmer creates security holes by how they use the language. But in PHP (more the case in older versions) some "features" gives a sense of security while they actually don't. 'addslashes()' vs 'mysql_real_escape_...' for instance ; 'strpos' that returns 'false' if not found (instead of -1) so in a 'if' the programmer might misses a position at 0... Local functions are actually not local... etc... etc... All of that is Ok when you're used to the language, but they're just counter-intuitive traps that even a good programmer may fall into at the beginning.
          • by gweihir ( 88907 ) on Monday March 25, 2019 @01:52AM (#58329104)

            I agree. PHP has traps by surprising behavior. One of the corner-stones of secure coding is the Principle of Least Surprise and PHP violates it repeatedly. Still a good coder will find these and just not trust the language anymore and be extra careful. This makes coding slow and not fun and expensive, but it can be done. An average or worse coder (the majority of them) will just fall in the traps and create insecure code. However, an average or worse coder will still screw up more than acceptable in a well-designed language.

            • I agree. PHP has traps by surprising behavior. One of the corner-stones of secure coding is the Principle of Least Surprise and PHP violates it repeatedly.

              So does Python; hasn't hurt either of them popularity-wise.

              • Re: (Score:3, Insightful)

                by gweihir ( 88907 )

                Python is not nearly in the same class here.

        • by Sique ( 173459 ) on Monday March 25, 2019 @01:57AM (#58329120) Homepage
          If you think that a good coder has to avoid certain languages, I have news to you: Ed Post (1982) [mit.edu] begs to differ.

          [,,,] the determined Real Programmer can write FORTRAN programs in any language.

          Ironically, this is an article why Real Programmers avoid Pascal.

          • by gweihir ( 88907 )

            What is the relation between your statement and what I wrote? Can you explain?

            • by Sique ( 173459 )
              The idea that you disqualify as a coder if you code in certain languages.

              I'll code in any language you throw at me if necessary. Sometimes, you have to do with the things at hand. Life is not a picnic.

        • No true Scotsman would write insecure PHP code, right?

          • by gweihir ( 88907 )

            You need to read up on how that fallacy works. Here is a hint: It requires a disconnect between the group-characteristic and the excluded examples. That disconnect is missing in my statement and hence the fallacy does not apply.

            • Nah, that fallacy doesn't work that way. Besides, your statement, is, in fact, even worse, because it is also an example of circular logic.

      • by Z00L00K ( 682162 )

        Most script languages are written in C.

        C is a good language for focused functionality where performance or detailed control is important like hardware drivers, but when you look at bread&butter code then there are actually better languages. The problem is that not all those languages are as portable as C to other environments or even between versions due to breaking backward compatibility.

        A C program written in K&R style can still be compiled even if the compiler may moan quite a bit about obsolete

      • I wonder then, if you took a random group of programmers, and gave them all a fixed amount of time to produce some sort of output in different languages, how many of them would (a) finish in time and (b) produce a secure output.

        My point is, much like yours, that some languages make it easy to be reasonably secure, others make it quite hard. Any language can produce secure code, but given it's somewhere on the easy/hard spectrum, which one is the quickest to produce a secure output? Additionally, which one p

    • by gweihir ( 88907 )

      but the programmer that uses it.

      And that is the only aspect that matters. Anything else is a red herring or a minor issue. But too many people that think they are competent to voice their opinion on the matter cannot see that and hence the mess continues. Will probably take a few really large disasters to change anything here.

    • but the programmer that uses it.

      Exactly. C is the hard parts. Lots of mistakes are made.

      It opens whole markets.

    • Most likely the libraries they use.

      E.g. below one is nitpicking about PHP and he obviously does not know that PHP got greatly improved during the last ten years.

      OTOH there plenty of mistakes you can make by simply configuring your server wrong, then the language does not really matter ...

    • We can fix that: Simply replace humanity with a different humanity that is capable of writing secure C code.

      Or we can use memory-safe languages where possible.

      I vote for the latter.

    • Also to note what the programming language is used for.
      If I am tasked to program an "Enterprise" Class application I will be using C,Java,C++ (And Javascript if there is a web front end) because these are the languages the big Execs expect to be codded in, There is still a wide hiring base for expansion, Other "Enterprise" Applications are codded in these languages, and these languages have support from many big players. Despite the fact that I normally shutter when I hear "Enterprise" class, because it i

  • by LynnwoodRooster ( 966895 ) on Sunday March 24, 2019 @10:44PM (#58328506) Journal
    The more flexible the language, the more ways you can screw up and allow a security hole.
    • In this case Perl should be in the top 3.
    • The more flexible the language, the more ways you can screw up and allow a security hole.

      Case in point: PERL.

  • by thoth_amon ( 560574 ) on Sunday March 24, 2019 @10:54PM (#58328548)

    Language design unquestionably makes certain programming errors more difficult or even impossible. This is not mere tilting at windmills: many of the classes of errors that are removed are extremely important and damaging ones. Other language features can force programmers to think through their designs more and/or make their code more clear and expressive. Some language designs can even limit and constrain the possible logic errors that a program can commit.

    Obviously, naturally, a better programmer will write more secure programs, in any language. But that's not a very interesting question. The interesting question is whether two equally skilled, equally disciplined programmers will write equally secure programs when one of them is allowed by the language to do anything, and the other has many guardrails in place to prevent errors.

    • by gweihir ( 88907 )

      No. You cannot force people to think. The avoidance of thinking is one of the most refined skills in the human race. No tools can help here. This false belief is at the root of the current mess, were more and more effort is poured into languages with no real effect. Of course, the motivation behind this is to avoid addressing the continued management failure in both hiring cheap, incompetent coders and in making tech decisions.

  • by reanjr ( 588767 ) on Sunday March 24, 2019 @10:55PM (#58328556) Homepage

    The vast majority of security vulnerabilities in the wild are running AMD64 assembly. It's by far the least secure programming language.

    • by gweihir ( 88907 )

      The vast majority of security vulnerabilities in the wild are running AMD64 assembly. It's by far the least secure programming language.

      Especially if run on the inferior "Intel" implementation.
       

  • by middlefeng ( 5826674 ) on Sunday March 24, 2019 @11:05PM (#58328620)
    Around 99% of vulnerability happens in parsing (general speaking, including string handling). If you make decision to take Lua as the format and take Lua parser as parser, done. Almost zero vulnerability.
  • Modules (Score:3, Interesting)

    by Antique Geekmeister ( 740220 ) on Monday March 25, 2019 @12:00AM (#58328806)

    I'd list all of the public and semi-public repositories that publish modules for automatic installation and update. These include pip, ant, maven, gradle, CPAN, and gems. The Java repositories used by ant, maven, and gradle tend to have unknown binaries and unknown provenance, with no reliable way to evactly recreate the published jar files. Ruby gems have a similar issue. CPAN and pip rely on upstream source code for local deployment or compilation but are also very vulnerable to their default download of the most recent version of any module, which may or may not interact badly with other obsolete or updated modules. It's why many operating systems publish packaged binaries, and it's why the "compile as needed" operating systems cannot be stable and _cannot_ be thoroughly secured.

    • Don't forget npmjs. npmjs comes with the added bonus that a ranting author can delete all versions of all of their modules thus breaking previously working installations.
      • Wouldn't that merely break new deployments of those modules? I'd not expect it to break already deployed systems.

        • Not when it comes to build servers. npm ci deletes the node_modules folder and downloads all the packages again from scratch. You need to turn off npm ci build step and commit hundreds of megabytes (or more) of node modules to your VCS to ensure reliable builds.
    • The Java repositories used by ant, maven, and gradle tend to have unknown binaries and unknown provenance, with no reliable way to evactly recreate the published jar files.
      That is nonsense.
      First of all the source code comes from a source code control system, secondly if you use maven/gradle then the jar repository usually always contains a code.jar and a source.jar (and the 'make file' to make one from the other).

  • by gweihir ( 88907 ) on Monday March 25, 2019 @12:15AM (#58328844)

    First, usage is not evenly distributed. Second, some things you can only do in one language. And third, there are different groups of coders for each language. Take C coders, for example. If you use established Linux kernel core coders, you get completely different numbers compared to using newbie kernel driver coders.

    And then you have that vulnerability is not the same as vulnerability. Simple counting metrics are basically always fundamentally flawed and give you a completely unrealistic picture. If both an easily usable remote vulnerability with privilege escalation is counted the same as a very hard to exploit local vulnerability that just allows you read access to some not very critical data, then the result is utterly meaningless. You also get situations were what is one vulnerability in one language counts as several in another, for example because it is a combined vulnerability in a library in one and separate simpler components in another.

    Hence statistics like this one do a lot of harm by confusing the issue and help not one bit to actually see a fragment of reality. They abstracted too much away. It is like, for example, they judge whether people are good or bad according to their beer brewing skills. You will find good beer brewers that were mass-murderers, and ones that were saints. The results of such an evaluation is completely meaningless.

    • Re:This is nonsense (Score:4, Interesting)

      by imidan ( 559239 ) on Monday March 25, 2019 @01:38AM (#58329062)

      If both an easily usable remote vulnerability with privilege escalation is counted the same as a very hard to exploit local vulnerability...

      I knowingly created a vulnerability in a single sign-on system that I implemented. I did it for expediency. But when I did, I spoke with my boss about it first, and then we all talked about it at a staff meeting to try to determine ways that it could be exploited. The two we came up with involved a bad actor who already had unrestricted physical access to a logged-in user's machine, or a bad actor who had reality-defying luck at guessing a UUID within a 24-hour period. In either case, the attacker couldn't gain access beyond the user they impersonated. It was decided that even though a vulnerability existed, successful exploitation was unlikely.

      The point being, as you say, not all vulnerabilities are made equal. If you can determine the risk of exploitation, the value of the system being protected, and the cost of recovery from a bad action, and accept all of that, then maybe the cost of eliminating the vulnerability is greater than the expected cost of dealing with an exploit.

      • by gweihir ( 88907 )

        As soon as you documented this very carefully and very hard to miss in the code and in the written documentation, I have absolutely no problem with this approach. Competent risk management is not about perfection, it is about balancing cost and risk-costs and avoiding catastrophe-level events.

    • If you use established Linux kernel core coders, you get completely different numbers compared to using newbie kernel driver coders.

      Do you? Is that why the top 6 products [cvedetails.com] with the most vulnerabilities in 2018 were all Linux products? Is that why the Linux kernel had the second highest number of vulnerabilities [cvedetails.com] in 2017?

      C coders don't seem to be that great at security.

      • by gweihir ( 88907 )

        You seem to be functionally illiterate. Because what you criticize is very clearly not what I said. I did, in fact, not make any claim as to Linux security vs. other products. But that seems to have completely escaped you. Which is hilarious, because you even quote the line that you were unable to comprehend.

        • Don't cry just because C has let you down. Recognize Cs failings and move on to a better language.
          • by gweihir ( 88907 )

            You continue to be clueless. I did not claim C was a good or bad language either. I just used it to explain a deep flaw in the comparison made.

            • Nope, I just occupy the real world as opposed to being siloed in the deluded fantasy you wish the world to be. Where are these mythical programmers that will finally write secure programs in C? Why have they done such a terrible job so far? When will they improve? When will they deliver? When will you deliver anything to back your claims?

              It's time to put up or shut up, kid.
      • Do you? Is that why the top 6 products [cvedetails.com] with the most vulnerabilities in 2018 were all Linux products? Is that why the Linux kernel had the second highest number of vulnerabilities [cvedetails.com] in 2017?

        You're conflating two different concepts. We have no way of knowing what piece of code has the highest number of vulnerabilities. To find that out, we would have to freeze all development and then scour all existing code using some standardized methodology.

        What you're talking about here is that the Linux kernel had the second highest number of vulnerabilities that were discovered. BIG difference.

        The Linux kernel is open source and is by far the most widely used operating system in the world. Vulnerabili

  • You forgot assembler.

  • tops the list because it's the oldest language with "the highest volume of written code"

    It would've been easy to break numbers down by lines of code, wouldn't it?

    Likewise by the year the code was written and whether or not it is currently being maintained (say, did the repository get an update within the past 3 months?).

    • by dwpro ( 520418 )
      Bug/loc would just boost the rankings of languages with extra boilerplate.
      • by Tom ( 822 )

        There are a couple LOC counters that ignore comments and don't count lines with only opening or closing paranthesis etc. etc. - it's not like this is the first time the issue appears.

  • by LordHighExecutioner ( 4245243 ) on Monday March 25, 2019 @04:27AM (#58329452)
    ...but neverthless have a very large volume of written code, from TFA we can conclude that COBOL and FORTRAN are the safest language to use.
  • by ytene ( 4376651 ) on Monday March 25, 2019 @05:31AM (#58329640)
    The OP includes the disclaimer that the C++ programming language "tops the list" because it has been in use for the longest and therefore includes the most lines of sample code from which to draw a conclusion...

    But a better measure would be defect density , or the number of vulnerabilities found per thousand executable lines of code. An even better measure would then take that data and factor it using an independent vulnerability severity assessment, such as CVSS2.0 (for example).

    Even this approach will leave us with concerns. The results could be massively skewed, for example, if the C++ dataset comprised deeply complex code, whilst the PHP sample (for example) were largely comprised of trivial read-only presentation formatting statements. In order to attempt to make such analysis comparable, it would be necessary to compare equivalent functions written in different languages. In this context, by "function", I am referring to code objects that deliver either identical or similar functionality, such as input validation.

    Unfortunately, the variables don't end there... The OP suggests that code was drawn from a variety of sources, including GitHub, public issues trackers and public development projects... Even the most cursory glance at GitHub projects will easily demonstrate the huge variance in ability of project contributors. This means that it is entirely conceivable for the test results to be distorted by nothing other than the relative ability of contributing programmers.

    This is a really nice idea and we should encourage more and better attempts at helping us to understand what it takes to write defect-free code. However, I'm not entirely convinced that this analysis considers all pertinent factors and therefore am not likely to be completely persuaded by the results.

    I would also like to better understand the impact of things like good project discipline on the outcome of this analysis. For example, what are the differences between a project which has really strict internal rules for things like variable, object and function naming? How about something as innocuous as code formatting - things like indentation, line wrapping and so on? What about the toolset and platform? The IDE used? The project discipline with regard to code re-use? All of these are "tells" - indicators as to the sort of defect density we should expect. They will not be uniform across randomly sampled software projects.

    In my experience [maybe 10 years developing in a 30-year career] I would say that adherence to these sorts of "programming disciplines" is actually [much] more important than the language you use. Unless you pick a turkey of a language, you should be choosing it because it's philosophy and structure, it's approach to solving problems, most closely aligns to what you are trying to achieve.

    And as a mentor once told me: "Just remember, the fastest, leanest, most efficient and compact piece of code can be replaced by something which is 5% slower, takes up 5% more memory and is 5% less efficient - but which is easy to understand, debug and maintain."

    Quite possibly one of the most useful pieces of advice I've ever received...
    • Correct. In simpler terms: we need to measure the frequency of vulnerabilities per volume of code written by similarly-experienced programmers; the difficulty in teaching people to avoid those vulnerabilities; the ease in which lazy programming can create vulnerabilities; the scope of an exploit; and the stability of executing an exploit.

      C#, for example, seems to be less vulnerable than Java for...some reason. I don't know why. Java seems to have failures that it shouldn't have, and C# should only be b

    • by lgw ( 121541 )

      The OP includes the disclaimer that the C++ programming language "tops the list" because it has been in use for the longest and therefore includes the most lines of sample code from which to draw a conclusion...

      You've confused C and C++. C was 47%. C++ was 5%. It's almost as if they aren't the same language.

  • So...we're measuring a language's security by the applications that were written in it?

    Anyone else have an issue with this?
    I call BS. You can NOT measure the language's security via the applications written it in. You MIGHT be able to gauge a languages popularity given the number of applications written for it (I do). You MIGHT be able to determine the effectiveness of a language *IF* you take the number of applications with vulnerabilities and divide that by the total number of applications written

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...