We all have a favorite programming language for one reason or another. Either you like the syntax, the tools you can use it with, or you are just plain used to it. Does a language’s security come into play when you consider this?
A report from WhiteSource examines the security vulnerabilities in popular programming languages.
What are their top picks for the most secure programming language?
May 13 – 14: Building Reliable Systems
Russ Miles
May 16 – 17: Reactive and Asynchronous Java
Richard Warburton & Raoul-Gabriel Urma
May 16 – 17: Building Microservices
Sam Newman
Language vulnerabilities
Let’s look at the list from the report and break it down.
Total reported open source vulnerabilities per language:
- C (46.9%)
- PHP (16.7%)
- Java (11.4%)
- JavaScript (10.2%)
- Python (5.45%)
- C++ (5.23%)
- Ruby (4.25%)
WhiteSource pulled their info from their database which includes multiple sources including “the National Vulnerability Database, security advisories, GitHub issue trackers, and popular open source project issue trackers”.
Security profiles
While at first you might be shocked by large number boasted by C, the numbers don’t tell the whole story. C is an older language and behind a lot of large projects. (C has been around sine 1972! It’s seen the rise and fall and rise again of bell-bottoms.) Overall, when you take this into consideration, it is still a secure language.
Workhorse languages like Java are used by a large percentage of the programming population, which explains its rather high position on the list. High security vulnerabilities for Java have declined since 2015. One of Java’s biggest security problems is represented by deserialization issues. Deseralization issues are typically unique to Java and aren’t found in PHP, Ruby, or Python.
JavaScript often ranks as the number one most popular programming language, so take that in mind when considering the rise in its vulnerabilities. According to the research by WhiteSource, “61% of the JS vulnerabilities are path traversal and crypto, 70% of those packages are barely used, maintained or supported, and had less than 2000 downloads in 2018”. One of the reasons people avoid downloading these package is thanks to the popularity of automated tools.
When it comes to PHP, security vulnerabilities are fairly consistent. However, it does have issues regarding SQL Injection (CWE-89) vulnerabilities. This puts a big dent in PHP’s armor. In 2017 and 2018, SQL Injection vulnerabilities were high. Lately PHP has been falling in popularity. We don’t know what its future holds; anyone have any predictions?
Now it’s Python’s time to boast. On average, it has the lowest amount of high security vulnerabilities over the past 5 years. In 2018, security vulnerabilities in the language decreased and has overall been decreasing since 2015.
Silver linings?
Don’t let the numbers fool you and think that right off the bat one language is inherently better than another. The report gives this valuable statement:
When we crunch the numbers and review the amount of reported open source vulnerabilities per programming language over time, what stands out is that there is no consistent trend for all languages apart from the fact that all languages saw a significant rise in the number of reported vulnerabilities in 2017.
WhiteSource Annual report: The state of open source vulnerabilities
Is security getting worse? Or are we just getting better at finding vulnerabilities? Don’t sound the alarm bells yet.
The report goes on to explain that automated tools have become better at finding vulnerabilities in open source components, and that is one of the big reasons why the number is rising. In fact, “the percentage of critical vulnerabilities is declining in most of the languages we researched, excluding JavaScript and PHP.”
Asking which language is “the most secure” is a tough question without an honest, definitive answer. There isn’t one kind of security and every language has its use cases.
You can download the report and further examine the data that WhiteSource compiled.
What do you think about the report?
The post Which programming language is the most secure? High security vulnerabilities for Java have declined since 2015 appeared first on JAXenter.
Source : JAXenter
