Which programming languages are the least secure?
A review by WhiteSource showed which programming languages have the most security holes. C wins the anti-rating, but that is only the beginning of the story.
Technology as a whole is riddled with security bugs. At the lowest level these are hardware flaws, as with Intel's Spectre and Meltdown bugs. One level up are security holes in the programming languages themselves, and there are plenty of them.
Recently the open-source security company WhiteSource investigated vulnerabilities in seven of the most common programming languages over the last ten years. It used its own vulnerability database, which aggregates open-source vulnerabilities from several sources: the National Vulnerability Database (NVD), security advisories, GitHub issue trackers and the open-source projects themselves.
The languages examined were C, Java, JavaScript, Python, Ruby, PHP and C++. No surprises there. So which language has the most security bugs? By a wide margin, C: more than 50% of all reported vulnerabilities were in C code.
As Kees "Case" Cook, a Linux kernel security engineer at Google, recently put it: "C is a fancy assembler. It is almost machine code." In addition, "C carries troublesome baggage, undefined behaviors and other weaknesses that lead to security gaps and vulnerable infrastructure."
However, WhiteSource points out that "this is not to say that C is less secure than the other languages. The high number of vulnerabilities in open-source C code can be explained by several factors. For starters, C has been in use for longer than any of the other languages we examined, and it has the largest volume of written code. It is also one of the languages behind major infrastructure such as OpenSSL and the Linux kernel. This combination of volume and centrality explains the large number of known open-source vulnerabilities."
WhiteSource has a point. But even after decades of working with C, it remains far too easy to make serious security mistakes in this language. For one thing, C has a great many instances of undefined behaviour, and each one is an opening for all kinds of trouble.
At the same time, C++ accounted for the most high-severity vulnerabilities over the past five years. The buffer errors that have long plagued C show up just as often in C++.
Still, the figures do not tell the whole story of which language is the most or least secure.
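As an added example (not from the article or the WhiteSource report), here are the two defect classes just described, each beside a hardened form: a length check that relies on signed integer overflow, which is undefined behaviour in C, and an unbounded copy into a fixed-size buffer. The function names, the record limit and the header size are hypothetical.

```c
/* Added example, not from the WhiteSource report: two classic C defects
 * beside their hardened forms.  All names and sizes are hypothetical. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RECORD_MAX 64   /* hypothetical maximum record size on the wire */
#define HEADER_LEN 16   /* hypothetical fixed header size */

/* (1) Undefined behaviour: signed overflow.  The "total < 0" test is meant
 * to catch a wrapped sum, but overflow of int is undefined, so an optimising
 * compiler may assume it cannot happen and delete that test outright.  A
 * hostile payload_len near INT_MAX can then pass as "in range". */
bool record_fits_vulnerable(int payload_len) {
    int total = payload_len + HEADER_LEN;          /* UB if this overflows */
    return !(total < 0 || total > RECORD_MAX);
}

/* Hardened: test for overflow on the operands *before* the addition, so no
 * undefined operation is ever evaluated; also reject negative lengths. */
bool record_fits(int payload_len) {
    if (payload_len < 0) return false;
    if (payload_len > INT_MAX - HEADER_LEN) return false;  /* sum would overflow */
    return payload_len + HEADER_LEN <= RECORD_MAX;
}

/* (2) Buffer error: unbounded copy into a fixed-size buffer.  Any src of
 * 16 or more bytes writes past the end of name[] (classic stack smash). */
void set_name_vulnerable(char name[16], const char *src) {
    strcpy(name, src);                                /* no length check at all */
}

/* Hardened: the caller passes the destination size; input that does not fit
 * (including the terminating NUL) is refused rather than silently truncated.
 * The scan is bounded by dst_size, so an unterminated src cannot be over-read. */
bool set_name(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) return false;
    size_t n = 0;
    while (n < dst_size && src[n] != '\0') n++;
    if (n == dst_size) return false;     /* too long: no room for the NUL */
    memcpy(dst, src, n + 1);             /* copies the terminator too */
    return true;
}

int main(void) {
    char name[16];
    printf("record_fits(48)=%d record_fits(INT_MAX)=%d\n",
           record_fits(48), record_fits(INT_MAX));
    printf("set_name(\"alice\")=%d set_name(16 chars)=%d\n",
           set_name(name, sizeof name, "alice"),
           set_name(name, sizeof name, "1234567890123456"));
    return 0;
}
```

The hardened checks reject the inputs the vulnerable versions would accept: `record_fits` never evaluates an overflowing addition, and `set_name` returns false for a 16-character name that `set_name_vulnerable` would write past the buffer.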
(Image: WhiteSource)
JavaScript is probably the most popular language of the seven, and it is the only one that showed "a continuous increase in the number of vulnerabilities over the past 10 years."
WhiteSource stresses that before anyone mocks JavaScript, the figures are misleading: most of the Common Weakness Enumeration (CWE) entries for JavaScript are path traversal flaws and cryptographic weaknesses in JavaScript packages that are barely used or maintained.
Why, then, are these and other language problems coming to light now? New automated tools, such as static source-code analysis tools, are discovering vulnerabilities that would otherwise have gone unnoticed.
The one language with a good record on security holes is (drum roll) Python. Yes, good old, much-mocked Python.
Almost all the languages contribute to the Common Weakness Enumeration. Two weaknesses lead the list and appear in 70% of cases: Cross-Site Scripting (XSS), CWE-79, and Improper Input Validation, CWE-20.
Other common weaknesses: Information Exposure (CWE-200), Path Traversal (CWE-22) and CWE-264, Permissions, Privileges and Access Controls. The last of these has recently been supplanted by its more specific close relative, Improper Access Control (CWE-284).
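As an added example (not from the article), here is the kind of guard that closes the Path Traversal weakness (CWE-22) listed above, in C: it rejects a client-supplied relative path rather than trying to normalise `..` out of it, and only joins it under a base directory after validation. The function names, the base directory and the permitted character set are assumptions.

```c
/* Added example, not from the article: a CWE-22 path traversal guard.
 * Function names, base directory and character set are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Accept a client-supplied path only if it is safe to join under a base
 * directory: not absolute, no "." or ".." components, no empty components
 * ("a//b", trailing "/"), and only a conservative character set, which also
 * blocks backslashes and percent-encoded tricks such as "..%2f".  Rejecting
 * is easier to get right than stripping traversal sequences out. */
bool is_safe_relative_path(const char *p) {
    if (p == NULL || *p == '\0' || *p == '/') return false;
    const char *seg = p;
    for (;;) {
        const char *end = strchr(seg, '/');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        if (len == 0) return false;                        /* "a//b" or trailing "/" */
        if (len == 1 && seg[0] == '.') return false;       /* "." component */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return false;  /* ".." */
        for (size_t i = 0; i < len; i++) {
            unsigned char c = (unsigned char)seg[i];
            bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                      (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
            if (!ok) return false;
        }
        if (end == NULL) return true;                      /* last component passed */
        seg = end + 1;
    }
}

/* Join base and a validated relative path into out.  Returns false if the
 * path is rejected or the result would be truncated, so the caller never
 * opens a file it did not intend to. */
bool build_path(char *out, size_t out_size, const char *base, const char *rel) {
    if (!is_safe_relative_path(rel)) return false;
    int n = snprintf(out, out_size, "%s/%s", base, rel);
    return n >= 0 && (size_t)n < out_size;
}

int main(void) {
    /* Constructed sample inputs: one benign name, two traversal attempts. */
    const char *base = "/srv/files";              /* hypothetical base directory */
    const char *inputs[] = { "docs/readme.txt", "../etc/passwd", "..%2fetc/passwd" };
    char out[256];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        bool ok = build_path(out, sizeof out, base, inputs[i]);
        printf("%-20s -> %s\n", inputs[i], ok ? out : "REJECTED");
    }
    return 0;
}
```

The whitelist approach deliberately refuses names with spaces or non-ASCII characters; if those are needed, widen the character set rather than switching to a blacklist of `..` sequences, which is where most traversal fixes go wrong.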
But is C really the worst and Python the best? WhiteSource considers that too simple a conclusion: "While the 'my programming language is safer than yours' game is definitely a fun way to spend time ... the answer does not seem to help you create more innovative or secure software."
Instead, you should spend more time "staying on top of open source vulnerabilities and understanding the strengths and weaknesses of the programming language that you and your team use."
Ultimately, security comes down not to programming languages but to how you use them.
Steven J. Vaughan-Nichols for Linux and Open Source