
A WhiteSource report shows which programming languages have the most security holes. C tops the list. But that is only the beginning of the story.
Technology in general is riddled with security bugs. At the lowest level these are hardware flaws, as with Intel's hardware vulnerabilities and the Spectre bugs. One level up are the security holes in programming languages. And there are a lot of them!
Recently WhiteSource, an open source security company, surveyed the vulnerabilities found in seven of the most common programming languages over the last ten years. The company used its own vulnerability database to identify the bugs. It aggregates open source vulnerabilities from several sources, such as the National Vulnerability Database (NVD), security advisories, GitHub issue trackers and open source projects.
The company looked at the following languages: C, Java, JavaScript, Python, Ruby, PHP and C++. No surprises there. So which language has the most security bugs? By a wide margin, it is C: more than 50% of the detected vulnerabilities were in it.
As Kees "Case" Cook, a Linux kernel security engineer at Google, recently noted: "C is an improved assembler. Almost machine code." In addition, "C is carrying troublesome baggage, unspecified behavior, and other weaknesses that lead to security gaps and infrastructure vulnerabilities."
However, WhiteSource argues that "one cannot say that C is less secure than other languages. A large number of open source C vulnerabilities can be attributed to a number of factors. For a start, C has been used longer than other languages we have explored. It has the largest amount of written code. It is also one of the languages behind such important infrastructures as OpenSSL and the Linux kernel. This combination of volume and central position explains the large number of known open source vulnerabilities."
WhiteSource has captured the essence. But despite decades of programming in and dealing with C, there are indeed ways in which this language makes terrible security mistakes too easy. For example, C has a great many cases of undefined behavior, which opens the door to all kinds of trouble.
At the same time, C++ has "become famous" for the most severe vulnerabilities over the past five years. The buffer errors that have long tormented C are also frequently found in C++.
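The buffer errors mentioned above usually come from copying attacker-controlled data into a fixed-size array without checking that it fits, and from the standard library's own traps (`strncpy` does not guarantee a terminating NUL). The following C example is added here to make that concrete; it is not code from the article or from WhiteSource, and the buffer sizes and names are constructed for illustration. It shows the unchecked pattern that causes the bug, a bounded copy that refuses oversized input instead of writing past the buffer, and a check that exposes the `strncpy` termination gotcha.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* The classic buffer error: strcpy() has no idea how large dst is, so any
   src of NAME_MAX characters or more writes past the end of the array.
   Kept here only so the defect is visible next to the fix; nothing calls it. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);
}

/* Hardened form: the destination size is passed explicitly and the copy is
   refused (dst emptied, -1 returned) when src plus its NUL does not fit.
   Refusing is chosen over silent truncation so the caller cannot proceed
   with a mangled value (a truncated path or username is its own bug class). */
int copy_name_checked(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dst_size) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n + 1 includes the terminating NUL */
    return 0;
}

/* Exercise copy_name_checked() on a stack buffer of the given size (capped
   at 32) and report the outcome: 1 = copied intact, 0 = refused and dst left
   empty, -1 = inconsistent state (should never happen). */
int demo_checked_copy(const char *src, size_t dst_size) {
    char dst[32];
    if (dst_size > sizeof dst)
        dst_size = sizeof dst;
    int rc = copy_name_checked(dst, dst_size, src);
    if (rc == 0)
        return strcmp(dst, src) == 0 ? 1 : -1;
    return dst[0] == '\0' ? 0 : -1;
}

/* The strncpy() trap: when src is at least buf_size characters long, strncpy
   copies exactly buf_size bytes and no NUL, so a later strlen()/printf() on
   the buffer reads past its end. Returns 1 if the buffer was left
   unterminated, 0 if it was properly terminated. */
int strncpy_left_unterminated(const char *src, size_t buf_size) {
    char buf[32];
    if (buf_size > sizeof buf)
        buf_size = sizeof buf;
    memset(buf, 'X', sizeof buf);          /* poison so a missing NUL is obvious */
    strncpy(buf, src, buf_size);
    return memchr(buf, '\0', buf_size) == NULL;
}

int main(void) {
    printf("\"alice\" into 16 bytes: %d (1 = ok)\n",
           demo_checked_copy("alice", NAME_MAX));
    printf("25-char name into 16 bytes: %d (0 = refused)\n",
           demo_checked_copy("this-name-is-far-too-long", NAME_MAX));
    printf("strncpy(\"abcdef\") into 4 bytes unterminated: %d\n",
           strncpy_left_unterminated("abcdef", 4));
    printf("strncpy(\"ab\") into 4 bytes unterminated: %d\n",
           strncpy_left_unterminated("ab", 4));
    return 0;
}
```

Note the boundary in `copy_name_checked`: a 15-character string fits in a 16-byte buffer, a 16-character string does not, because the NUL needs its own byte; off-by-one errors at exactly this boundary are a large share of the "buffer errors" the report counts.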
The numbers do not tell the whole story about which language is the most or least secure.
JavaScript, however, is probably the most popular language, and the only one that showed a "continuous increase in the number of vulnerabilities over the past 10 years."
WhiteSource emphasizes that before you mock JavaScript, you should be aware that these results are misleading. Most of the Common Weakness Enumeration (CWE) entries in JavaScript consist of path traversal flaws and cryptographic weaknesses in JavaScript packages that are barely used or maintained.
Why then are these and other language problems coming to light now? New automated tools, such as source code analysis tools, reveal vulnerabilities that would otherwise be overlooked.
The only language that came out well with regard to security holes is (drum roll!) Python. Yes, good old, often mocked Python.
Almost all languages contribute to the Common Weakness Enumeration list. Two entries from the list led and accounted for 70% of cases: cross-site scripting (XSS), also known as CWE-79, and Improper Input Validation (CWE-20).
Other common weaknesses include Information Exposure (CWE-200), Path Traversal (CWE-22) and CWE-264, Permissions, Privileges, and Access Controls. The latter has recently been supplanted by its more specific close relative, Improper Access Control (CWE-284).
But is C really the worst and Python the best? WhiteSource believes that this is too simple a conclusion: "Although the game of 'my programming language is safer than yours' is definitely a fun way to spend time ... the answer does not seem to help you create more innovative or secure software."
Instead, you should spend more time "staying at the forefront of open source vulnerability knowledge, understanding the strengths and weaknesses of the programming language that you and your team use".
Ultimately, security comes down not to programming languages, but to how you use them.
Steven J. Vaughan-Nichols for Linux and Open Source
Original article