There’s no need to overthink the notion of which is the most secure programming language. There isn’t one, really, and developers should instead focus on how to write the most secure code possible in their language of choice.
This was the conclusion of Tsaela Pinto, head of the knowledge and research group at software-security firm WhiteSource, which recently released a report about security vulnerabilities in different languages.
“No one will choose, or should choose, a language based on security or based on our findings. You will choose based on what you need from your software. When it comes to open-source security, you need to understand the unique challenges with each language.”
Among the WhiteSource findings: The C programming language accounts for 47% of all open-source vulnerabilities publicly disclosed in the past decade, with the largest share of vulnerabilities for 2018 occurring in the code for the Linux operating system, the network protocol scanner Wireshark, and the ImageMagick graphics suite.
That data might lead some to conclude it’s best to avoid using C or Linux for future development. But such a decision would be rash, Pinto said. “The more popular a project is, the more vulnerabilities are reported for it. Since you have a larger community and more people using the code, they can find more vulnerabilities.” (And regardless of the language you use to create your application, you’ll still need a top-rated application security testing tool to help root out vulnerabilities).
Bottom line: Don’t panic. Here are four ways to improve code security no matter what language you use.
1. Language choice is essentially security-neutral
Developers should choose their programming language and framework based on the needs of the project and their company. Some languages do ship security-relevant features, such as the sandboxing, garbage collection and bounds-checked, strongly typed memory model found in Java, but knowledgeable coders can write secure code in most modern languages.
The best way to produce secure code is to work in an environment that suggests secure patterns and reinforces security best practices through in-editor notifications, said Derek Weeks, vice president and DevOps advocate at Sonatype.
“If you can get developers the security information they need in the environments they are building the apps in, then that helps them adopt secure coding practices. When I’m using Word, I do not need to be a spelling expert. For the same reason, every developer should not have to be an expert in security.”
2. Educate yourself on secure coding
Every programming language has its vagaries and foibles, and experienced programmers should know the general design patterns to avoid, and the functions that produce vulnerabilities.
In its study, WhiteSource found that buffer errors—identified under the Common Weakness Enumeration (CWE) framework as CWE-119—were the top class of vulnerabilities for code created in C and C++.
Cross-site scripting, CWE-79, was the most common class of vulnerability for web applications written in PHP and Ruby, while Python programs most often encountered input validation issues, CWE-20.
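As an added illustration of the C/C++ buffer-error finding (CWE-119) above, not code from the WhiteSource report or the article, here is the unbounded-copy pattern beside a bounded version that rejects oversized input instead of writing past the buffer. The buffer size NAME_MAX, the function names and the sample inputs are assumptions constructed for the example:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed buffer size for the illustration; not from the report. */
#define NAME_MAX 16

/* VULNERABLE (CWE-119): strcpy copies until it finds the NUL byte, so any
 * 'name' of NAME_MAX or more characters writes past the end of 'buf'.
 * Kept only to show the pattern; never call it with untrusted input. */
int greet_unsafe(const char *name) {
    char buf[NAME_MAX];
    strcpy(buf, name);          /* no length check at all */
    printf("hello, %s\n", buf);
    return (int)strlen(buf);
}

/* HARDENED: bound the length scan by the destination size, reserve one
 * byte for the terminator, and refuse oversized input rather than
 * truncating it silently (silent truncation can itself become a bug,
 * e.g. a path or identifier that is cut short). Uses only ISO C calls. */
bool copy_name_safe(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0)
        return false;
    /* Look for the terminator in at most dst_size bytes, so an overlong
     * or unterminated 'src' is never read past that bound. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)            /* no NUL within dst_size: cannot fit */
        return false;
    size_t len = (size_t)(nul - src);   /* len < dst_size, so len + 1 <= dst_size */
    memcpy(dst, src, len + 1);          /* copies the terminator as well */
    return true;
}

/* Same greeting using the checked copy; returns the stored length, or -1
 * if the input was rejected. */
int greet_safe(const char *name) {
    char buf[NAME_MAX];
    if (!copy_name_safe(buf, sizeof buf, name))
        return -1;
    printf("hello, %s\n", buf);
    return (int)strlen(buf);
}

int main(void) {
    /* Constructed inputs: 15 characters fit (15 + NUL == 16), 16 do not. */
    const char *fits = "123456789012345";
    const char *too_long = "1234567890123456";
    printf("fits     -> %d\n", greet_safe(fits));      /* 15 */
    printf("too_long -> %d\n", greet_safe(too_long));  /* -1, rejected */
    /* greet_unsafe(too_long) would overflow 'buf'; only safe input here. */
    printf("unsafe   -> %d\n", greet_unsafe("Alice")); /* 5 */
    return 0;
}
```

The off-by-one at the boundary is the part worth checking in review: an input of exactly NAME_MAX - 1 characters must succeed and one of NAME_MAX characters must fail, because the terminator needs its own byte. Note that swapping strcpy for strncpy does not fix the pattern on its own, since strncpy leaves the destination unterminated when the source fills it completely.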
Maya Rotenberg, vice president of marketing for WhiteSource, said awareness was key.
“What we do see is that there are different challenges for each language. So developers need to understand the strengths and weaknesses of their chosen language so they understand the challenges.”