
4 ways to secure your code regardless of programming language

Robert Lemos, Freelance writer

There's no need to overthink the notion of which is the most secure programming language. There isn't one, really, and developers should instead focus on how to write the most secure code possible in their language of choice.

This was the conclusion of Tsaela Pinto, head of the knowledge and research group at software-security firm WhiteSource, which recently released a report about security vulnerabilities in different languages.

"No one will choose, or should choose, a language based on security or based on our findings. You will choose based on what you need from your software. When it comes to open-source security, you need to understand the unique challenges with each language."
Tsaela Pinto

Among the WhiteSource findings: The C programming language accounts for 47% of all open-source vulnerabilities publicly disclosed in the past decade, with the largest share of vulnerabilities for 2018 occurring in the code for the Linux operating system, the network protocol scanner Wireshark, and the ImageMagick graphics suite.

That data might lead some to conclude it's best to avoid using C or Linux for future development. But such a decision would be rash, Pinto said. "The more popular a project is, the more vulnerabilities are reported for it. Since you have a larger community and more people using the code, they can find more vulnerabilities." (And regardless of the language you use to create your application, you'll still need a top-rated application security testing tool to help root out vulnerabilities).

Bottom line: Don't panic. Here are four ways to improve code security no matter what language you use.


1. Language choice is essentially security-neutral

Developers should choose their programming language and framework based on the needs of the project and their company. While some programming languages have security-oriented features such as sandboxing, garbage collection, and type casting—all found in Java, for example—knowledgeable coders can create secure code in most modern languages.

The best way to produce the most secure code is to use an environment that suggests secure patterns and reinforces security best practices through notifications in the environment, said Derek Weeks, vice president and DevOps advocate at Sonatype.

"If you can get developers the security information they need in the environments they are building the apps in, then that helps them adopt secure coding practices. When I'm using Word, I do not need to be a spelling expert. For the same reason, every developer should not have to be an expert in security."
Derek Weeks

2. Educate yourself on secure coding

Every programming language has its vagaries and foibles, and experienced programmers should know the general design patterns to avoid, and the functions that produce vulnerabilities.

In its study, WhiteSource found that buffer errors—identified under the Common Weakness Enumeration (CWE) framework as CWE-119—were the top class of vulnerabilities for code created in C and C++.

Cross-site scripting, CWE-79, was the most common class of vulnerability for web applications written in PHP and Ruby, while Python programs most often encountered input validation issues, CWE-20.

Maya Rotenberg, vice president of marketing for WhiteSource, said awareness was key.

"What we do see is that there are different challenges for each language. So developers need to understand the strengths and weaknesses of their chosen language so they understand the challenges." 
Maya Rotenberg

But there are differences among languages. JavaScript developers, for example, often do not assign flaws the standard software vulnerability identifier, known as Common Vulnerabilities and Exposures (CVE). In fact, 30% of JavaScript vulnerabilities did not have a CVE and therefore did not appear in the National Vulnerability Database, which is the US government's collection of software flaws.


3. Use available tools

When integrated into the development lifecycle, code scanning tools can help developers catch vulnerabilities caused by unfamiliarity with the weaknesses of the chosen programming language.

In its 2018 State of Software Security report, Veracode found that increasing the number of vulnerability scans led to flaws being closed much more quickly. Companies that follow the cadence of DevSecOps and conduct daily scans—more than 300 per year—had the most significant impact, the company found.

Even free tools can help. Tools are readily available for scanning code on GitHub to determine if any open-source packages included in the code have vulnerabilities.

Regularly updating code packages also helps secure the final software product, said Sonatype's Weeks. 

"If you use the latest components, those have fewer known vulnerabilities, so using the latest versions makes a lot of sense. There are very specific free things that you can do to improve your security hygiene."
—Derek Weeks
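To make the "scan your open-source packages and keep them current" advice concrete, here is a small added example (not code from the article or from any vendor it quotes) of the core check a dependency scanner performs: it parses pinned entries from a requirements file and compares each version against a list of advisories with vulnerable ranges. The advisory identifiers, package names and versions are all constructed for the illustration and correspond to no real packages or CVEs.

```python
import re

# Constructed advisory list (hypothetical entries, not real CVEs):
# package -> list of (first_vulnerable, first_fixed, advisory_id)
ADVISORIES = {
    "examplelib": [((1, 0, 0), (1, 4, 2), "EXAMPLE-ADV-001")],
    "webtoolkit": [((2, 0, 0), (2, 3, 0), "EXAMPLE-ADV-002"),
                   ((0, 0, 0), (1, 9, 5), "EXAMPLE-ADV-003")],
}

def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2); missing components count as 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def parse_requirements(text):
    """Collect 'name==version' pins from requirements.txt content."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments/blank lines
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.-]+)==(\S+)$", line)
        if not m:
            pins[line] = None   # unpinned requirement: cannot be checked
            continue
        pins[m.group(1).lower()] = parse_version(m.group(2))
    return pins

def find_vulnerable(pins, advisories=ADVISORIES):
    """Return (package, version, advisory_id, first_fixed) for every pin
    that falls inside a known vulnerable range [first_bad, first_fixed)."""
    findings = []
    for name, version in pins.items():
        if version is None:
            continue
        for first_bad, first_fixed, adv in advisories.get(name, []):
            if first_bad <= version < first_fixed:
                findings.append((name, version, adv, first_fixed))
    return findings

# Constructed requirements file for the demonstration
SAMPLE_REQUIREMENTS = """\
examplelib==1.2.0      # inside the EXAMPLE-ADV-001 range
webtoolkit==2.3.1      # already at a fixed version
"""

if __name__ == "__main__":
    for name, ver, adv, fix in find_vulnerable(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{name}=={'.'.join(map(str, ver))}: {adv}, fixed in {'.'.join(map(str, fix))}")
```

A real scanner replaces the constructed advisory list with a live feed and handles version schemes beyond plain dotted integers, but the range comparison is the same check.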


4. Automate to make security simple

Finally, developers should automate their process to make security best practices easier to adopt. The goal is to prompt developers to fix flaws during the natural flow of development, rather than conduct security scans only at the end of the process.

In its 2018 State of the Software Supply Chain report, Sonatype found that the most mature DevOps practitioners increased their investment in automation by 15%, with 57% of companies conducting automated application security scans throughout the development process.

Companies need to help their developers speed up the process of coding software, said WhiteSource's Pinto. In addition to automated scans, companies should also use issue-tracking systems, she said. 

"The worst thing you can do is flood your programmers with Jira tickets. If I get an alert for security, I should also get a fix, and my system should prioritize them."
—Tsaela Pinto

No top language

For over a decade, programmers and developers have asked the seemingly simple question: Which programming language results in the most secure code? The perfect programming language would be both feature-rich and elegant, and would produce efficient yet secure code.

To date, a variety of analyses have failed to pinpoint that perfect language. Different security firms have come up with different metrics of language security. In 2010, for example, web-application security firm WhiteHat Security looked at sites built with different frameworks—and written in different languages—to attempt to determine which web programming languages are most secure.

WhiteHat focused on a few different metrics, including the number of vulnerabilities per input, the number of websites having at least one vulnerability, and the number of serious unpatched vulnerabilities. The company collected data from nearly 1,700 assessments of corporate web sites, including those built with Microsoft's ASP Classic and .NET frameworks, Adobe's ColdFusion, Apache Struts, JavaServer Pages, PHP, and Perl.


In the end, the company could not definitively point to a platform or language as being the most secure.

Determining the most appropriate metric for the security of a programming language has proven difficult. In its 2018 State of Software Security report, Veracode measured the time that developers took to patch their code for each programming language. Applications written in Python, which accounted for only 1% of the programs tested by Veracode, had defects fixed most quickly. Android and JavaScript were, respectively, the second and third most quickly patched.

On the other end, applications written in PHP had vulnerabilities that were open the longest. Programs written in iOS and Java were, respectively, the second and third most slowly patched code bases.

Which is all to say that the security-perfect open-source programming language is as elusive as spotting the Loch Ness Monster or a unicorn. Spend your time, instead, on making whatever language you do choose the best it can be by following the guidelines above.
