Monday 26 May, 2014
There are a number of reasons why a developer might choose a particular programming language. The reason might be that it’s deemed the fastest or easiest option. They may simply choose a language they’re the most familiar with. Another common consideration is security.
Which Language Is Most Secure?
If you want to get a flame war started on a developer or webmaster forum, ask the members which programming language is the most secure. Members will chime in with their personal favorite and defend it to the death against others with their own personal favorites. No consensus will be reached, the thread will devolve into unproductive arguing, and at the end of the day you won’t have an answer.
An Objective Answer
There is a way to reach some type of objective conclusion, but it has nothing to do with asking on forums. WhiteHat Security just released its 2014 report on programming languages, for which it performed vulnerability assessments on more than 30,000 of the sites it manages that use .NET, Java, ASP, PHP, ColdFusion and Perl.
The report takes an objective look at programming languages and there are no emotions involved. So, what programming languages are the most secure according to the report? It found that the security risks vary little between languages.
What This Means for Developers
First of all, there is no Holy Grail of programming languages that is more secure than all the others. Believing that the programming language you’re using is secure can lull you into a false sense of security, which may lead you to take shortcuts that result in vulnerabilities.
To guard against that false sense of security, create a sturdy software architecture and provide continued vulnerability management for the project. Ultimately it’s not the programming language’s fault but your own if there are weaknesses. Security isn’t in the programming language; it’s in the developer’s hands.
Other Study Results
There were a few other interesting findings in the study by WhiteHat. It found that the most widely used languages were .NET (28.1%), Java (24.9%) and ASP (15.9%). The study also found that the most widely used languages had the most vulnerabilities. This should be no surprise, since the most used are also the most attacked.
Most gaming sites used PHP (about 20%) and about half of all banking and financial-related sites used Java. Nearly all of the remaining banking sites were written in .NET.
Finally, the study found a shockingly high number of vulnerabilities in the sites it studied and reported extremely long delays between the reporting of a vulnerability and its resolution. The numbers vary by language, but they are all higher than they should be.