Top languages every application security pro should know

By 2022, there will be a shortfall of an estimated 1.8 million security professionals worldwide, with an acute scarcity of the technical professionals needed for secure software development, according to the 2017 Global Information Security Workforce Study.

For many people interested in breaking into security, the shortage could be an opportunity. Some 87% of cybersecurity professionals started in a different career, with 30% coming from outside of IT, according to the biennial study.

While security professionals all need to learn a common foundation of security principles, the specific technologies—including programming languages—that each needs to understand can be very different. Jeff Williams, co-founder and CTO for Contrast Security, said it can be difficult to keep up with changes in the software industry and the move to agile and DevOps.

"It's a crazy hard job to be really good at, because there are so many different technologies out there. So you need to get good at learning new technologies and applying the principles of security."
Jeff Williams


Here are the top programming languages and technologies application security pros should focus on.

State of Security Operations 2017

JavaScript rules the roost

JavaScript is the most popular programming language, with 62.5% of developers using it, according to the 2017 Stack Overflow Developer Survey. This was unsurprising, since 72% of the survey's respondents identified themselves as web developers, JavaScript's strength.

The popularity of JavaScript means that application security professionals need to focus on frameworks based on the language, said Keith Hoodlet, trust and security engineer at crowdsourced vulnerability research firm Bugcrowd. When he presents bug-finding methods to application security testers during his training talks, for example, he always recommends that they incorporate Node.js into their lab environments.

"Node.js underpins everything you are seeing out there in terms of the JavaScript renaissance... and it is growing—everything is building on top of it."
Keith Hoodlet

Node.js and AngularJS were the top two frameworks used by developers, with more than 47% and 44% of developers using the respective technologies, according to the Stack Overflow survey.

While PHP-based web application frameworks such as Laravel and CodeIgniter have a significant following, PHP lags well behind JavaScript in popularity. Only 28% of developers use the language, and only 14,700 job descriptions on Indeed.com list it as a requirement; JavaScript was 2.5 times as popular among employers.

Ruby, the language powering the Ruby on Rails framework, is popular among a certain subset of web application developers. It's used by fewer than 10% of developers, even though Ruby has consistently been among the top 10 programming languages over the past five years. In addition, the Metasploit Framework is written in Ruby, so its console and its exploit and auxiliary modules are Ruby code, which makes the language a staple among penetration testers.

Focus on the database and SQL

While not a programming language per se, the language of relational databases—Structured Query Language, or SQL—was the second-most popular language listed in the Stack Overflow survey. Around 51% of developers said they used it in their jobs. Among employers, SQL is the top required programming language, with more than 99,000 job listings including the language.

With each language, you are using different drivers to connect to the database, and you have to understand how they are handling queries, said Williams.

"While it's different for each language, the common factor is that SQL injection is possible in all those environments."
—Williams
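To make Williams's point concrete, here is an added example (not code from the article, Contrast Security, or any of the people quoted) that runs the same lookup two ways against an in-memory SQLite database: once with the user's input spliced into the SQL string, once with a parameterised query. The table, the sample rows and the payloads are constructed for the demo. It also exposes the driver's `paramstyle`, which is where the "different drivers" caveat bites: SQLite's Python module uses `?`, while psycopg2 and MySQLdb use `%s`, so the safe pattern has to be learned per driver.

```python
import sqlite3

# Constructed sample data for this demo (not from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.com", 1),   # is_admin = 1
    ("bob", "bob@example.com", 0),
    ("carol", "carol@example.com", 0),
]

# Two classic payloads: a tautology that matches every row, and a UNION
# that pulls rows the query was never meant to return. The trailing
# "--" turns the application's closing quote into a comment.
TAUTOLOGY = "' OR '1'='1"
UNION = "x' UNION SELECT name, email FROM users WHERE is_admin = 1 --"


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Injectable pattern: caller input becomes part of the statement text,
    so the database cannot distinguish the code it was given from the data."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fixed pattern: the statement text is constant and the value is bound
    by the driver as data. The placeholder token is driver-specific
    (sqlite3: '?', psycopg2/MySQLdb: '%s'); see sqlite3.paramstyle."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign name and with each payload.

    Returns a dict so the outcomes can be inspected (or asserted on)
    rather than only printed.
    """
    conn = make_db()
    try:
        return {
            "paramstyle": sqlite3.paramstyle,
            "benign_vulnerable": find_user_vulnerable(conn, "alice"),
            "benign_safe": find_user_safe(conn, "alice"),
            "tautology_vulnerable": find_user_vulnerable(conn, TAUTOLOGY),
            "tautology_safe": find_user_safe(conn, TAUTOLOGY),
            "union_vulnerable": find_user_vulnerable(conn, UNION),
            "union_safe": find_user_safe(conn, UNION),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    r = demo()
    print("driver paramstyle:", r["paramstyle"])
    print("tautology, vulnerable:", r["tautology_vulnerable"])  # every row
    print("tautology, safe:     ", r["tautology_safe"])         # no rows
    print("union, vulnerable:   ", r["union_vulnerable"])       # admin row
    print("union, safe:         ", r["union_safe"])             # no rows
```

With the tautology payload the vulnerable lookup returns all three rows and the parameterised one returns none, because the driver binds the whole string as a literal name that no row has. The UNION payload shows why this matters beyond authentication bypass: the vulnerable path returns the admin's row even though the query only asked for a name match. Swapping the driver changes the placeholder syntax and sometimes the escaping rules, but not the lesson: never build the statement text from input.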

Internal software focuses on Java and C#

Among enterprises, Java and C# have long dominated because they are the programming foundations of two of the historically most popular business application platforms: Java Enterprise Edition (Java EE) and the .NET Framework.

However, times have changed. Now, two frameworks based on the open-source Spring stack—Spring MVC and Spring Boot—are most popular among Java developers. Some 43% and 29% of developers use the respective frameworks, according to the 2016 Java Tools and Technologies Landscape Report.

.NET Core continues to be popular within enterprises, however. A third of developers use the framework, according to Stack Overflow's survey. Almost 40% of developers use Java, and 34% use C#, according to the survey.

For day-to-day work, Python

Python, originally a scripting language, is increasingly used as a full-fledged programming and data-analysis language. It's also regularly used to automate security tasks and for malware analysis and cryptographic analysis. About 32% of developers use the language regularly, according to the Stack Overflow survey.

Derek Weeks, vice president and DevOps advocate at Sonatype, said that while Python's adoption by volume and number of developers was lower than that of other languages, its growth rate was still very high. Python is also used for writing exploits, because raw bytes, packed binary structures and calls into native libraries can be embedded directly in a Python program, so payloads written in more traditional languages can be driven from a short script.

Traditional programming languages for exploits

Learning more traditional languages such as C and C++ can help the most technical application security professionals create exploits to demonstrate attack techniques to other developers. About one in five developers uses each of the two languages, according to the Stack Overflow survey, while C++ was the fifth-most mentioned language in job descriptions and C was the seventh-most mentioned.

For times when security professionals want to directly code to hardware, assembly language is important. Only 5% of developers use any form of assembly language, but it can be extremely useful to create exploit code.

Test environments require containers

Outside of frameworks, application security professionals should learn about the DevOps pipeline and common infrastructure. In particular, the ability to create and deploy containers can be very important. While virtual machines have traditionally been the most popular way to run security test environments, an increasing number of security experts are turning to containers.

When Bugcrowd's Hoodlet teaches developers and security professionals about penetration testing and bug finding, for example, containers are the foundation of his platform.

How to stay up to date

Application security and security operations professionals need to stay current with their companies' development platforms. Just as developers should be pressed to learn security principles, application security professionals need to know the ins and outs of the development pipeline.

Keeping up with the state of the art in their chosen development environments and languages can be a problem. Among other issues, books written on a topic can quickly become outdated, Hoodlet said.

"Even if we go back to the Web Application Hacker's Handbook—that is 11 years old," he explained. Also, the book's examples rely on applications that are "nowhere near as dynamic" as today's apps, he added. 

To establish practical security skills, developers and security professionals should look to demonstrations of exploits against their chosen development platforms. Hitting YouTube can be a good idea, especially if you find well-known security professionals there who are focused on the type of work you would like to do.

Whichever framework they pick and whichever languages they learn, application security professionals will have their work cut out for them, said Contrast's Williams. Unfortunately, most companies will not pay for developers to become more facile in security, he said.

Out of the 20 million or so developers worldwide, only about 5,000 are being trained in security principles and technologies, he said. 

"At most, companies will pay for only a three-day training course in security, because they want their developers writing code."
—Williams

Topics: Security