Slashdot Mirror


Choice of Programming Language Doesn't Matter For Security

An anonymous reader writes "The Security Ninja has written a blog post which discusses web programming languages and the fact that they are all insecure. It's based on a report from WhiteHat Security and aims to dispel the myth that some languages will guarantee that an application will be more or less secure than other languages. '... secure code is the product of a secure development process and real business commitment to deliver secure applications which includes developer education. The absence of these processes and business commitments will lead to web applications being developed insecurely regardless of the language being used.'"

8 of 192 comments

  1. I have a hypothesis by aBaldrich · · Score: 5, Insightful

    I think that on average programs written in Haskell (exempli gratia) tend to be more secure because it takes a better programmer to write them than a quick and dirty VB application.

    --
    In Soviet Russia the government regulates the companies.
  2. Perl most secure by by+(1706743) · · Score: 5, Funny

    'Cause even if the source is available, the would-be attacker won't be able to understand it!

  3. It's not black & white by Anonymous Coward · · Score: 5, Insightful

    Anyone who says all programming languages are equally exploitable is a fool. Sure, secure coding practices and standards are the way to approach the issue, not language selection, but it is, for instance, impossible to overrun a buffer in interpreted byte code and executed native code. The fact that stack crashing doesn't exist in interpreted code alone demonstrates that languages (or their runtime environments that are inherent to a language) are not all equal in exploitability levels. To say they are all the same is simplifying things too much. Yes, all languages have their exploitable bad practices, but some have more than others.

    1. Re:It's not black & white by Fnkmaster · · Score: 5, Insightful

      Yeah, except this isn't a comparison by language. It's a comparison by platform technology. For example, JSP shows as one of the highest vulnerability ratios, whereas Struts (Apache's Java MVC framework) has just about the lowest vulnerability ratio (on par with ASPX).

      Clearly they are measuring *something* but it seems to have relatively little to do with languages themselves.

      If anything, it seems like web apps written in frameworks that don't actively discourage mixing code and presentation are more likely to have vulnerabilities, whereas frameworks that encourage separation more actively (and perhaps are newer frameworks) are less likely to have vulnerabilities. The worst two measured, Perl and JSP, are older technologies that date from the era before frameworks that enforced more MVC separation were common and before web app best practices really existed.

    2. Re:It's not black & white by dgatwood · · Score: 5, Insightful

      They made a statistical analysis of web languages. That's not generalizable to all programming languages as the Slashdot headline implies. All of these languages have several things in common:

      • Variable-length strings.
      • No truly fixed-size data structures or buffers.
      • No direct access to pointers.

      In short, all of these programming languages eliminate entire classes of potential exploits that other programming languages allow. Therefore, although these programming languages happen to be similar, that does not mean that programming language choice has no bearing on security. It just means that choice of programming language within a very narrow range of languages that are not a representative sample of programming languages as a whole has no bearing on security.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  4. Re:The Python Paradox by barzok · · Score: 5, Insightful

    Simply put, the kind of people who learn a language out of interest rather than out of wanting to get a job tend to be better programmers on average.

    People who do anything because it interests & fascinates them on a personal level do better than those who are only in it for the paycheck. Doesn't matter whether it's programming, auto repair, landscaping, or anything else.

  5. Re:Everybody hatin' on PHP by CastrTroy · · Score: 5, Insightful

    PHP really is that bad, because they still haven't removed the cruft. If they were really serious about any kind of security, they would have gotten rid of magic quotes completely, as well as things like mysql_escape_string. Instead they left these gaping security holes in there, for the sake of compatibility. Meanwhile you have a bunch of cheap web hosts who turn things like magic quotes on by default, thinking it will solve all their customers' security problems, when really it just extends the problem by leading them down the wrong path. While they've added things (MySQLi/PDO for prepared statements, mysql_real_escape_string, and others), the amount of legacy stuff they left in there is amazing, and for a language with so many novices working with it, that ends up being a real disaster.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
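The comment above argues that magic quotes and blanket escaping lead developers down the wrong path while prepared statements are the real fix. The following PHP snippet is an added example illustrating that point; it is not code from the thread or from any commenter. It assumes PDO with an in-memory SQLite database as a stand-in for the MySQL setups the comment has in mind, and the table, rows and request values are constructed for the demonstration.

```php
<?php
// Added example: why magic-quotes-style escaping is the wrong tool for SQL,
// and why a prepared statement is the fix. PDO over in-memory SQLite is an
// assumption standing in for the MySQL deployments discussed in the thread.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table.
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// What magic_quotes_gpc did: addslashes() over every request value,
// without knowing whether the value is headed for a quoted string,
// a numeric comparison, or somewhere that is not SQL at all.
function magicQuotes(array $request): array {
    return array_map('addslashes', $request);
}

// Problem 1: escaping only helps inside a quoted string context. Here the
// value is interpolated into a numeric comparison, where there are no quotes
// to escape, so addslashes() changes nothing and the input is parsed as SQL.
function findByIdWithEscaping(PDO $db, string $id): array {
    $sql = "SELECT id, name FROM users WHERE id = " . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Problem 2: escaping is not idempotent. A value that came in through magic
// quotes and is then escaped again by a cautious developer is corrupted on
// the way to the database, which is how O'Brien ends up stored with backslashes.
function doubleEscape(string $value): string {
    return addslashes(addslashes($value));
}

// The fix the comment points at: a prepared statement. The value is bound as
// a parameter and is never parsed as SQL, so no escaping is required and the
// same code is correct for both string and numeric contexts.
function findByIdPrepared(PDO $db, string $id): array {
    $stmt = $db->prepare("SELECT id, name FROM users WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values: a normal id and one that carries no quote
// character, so magic-quotes-style escaping leaves it untouched.
$request = magicQuotes(['id' => '2', 'bad_id' => '2 OR 1=1', 'name' => "O'Brien"]);

printf("escaped,  benign : %d row(s)\n", count(findByIdWithEscaping($db, $request['id'])));
printf("escaped,  crafted: %d row(s)\n", count(findByIdWithEscaping($db, $request['bad_id'])));
printf("prepared, benign : %d row(s)\n", count(findByIdPrepared($db, $request['id'])));
printf("prepared, crafted: %d row(s)\n", count(findByIdPrepared($db, $request['bad_id'])));
printf("stored name after a second escape: %s\n", doubleEscape($request['name']));
```

Run with any PHP build that has the pdo_sqlite extension. The escaped lookup returns the single matching row for the benign id but the whole table for the crafted one, because the escaping never touched it; the prepared lookup returns one row and none respectively, and the double-escaped name shows the data corruption that blanket escaping causes for perfectly legitimate input. The lesson matches the comment: escaping is context-dependent and easy to misapply, while parameter binding removes the need to reason about context at all.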
  6. Re:It's a good point but... by dotgain · · Score: 5, Insightful

    For example, a buffer overrun in a desktop app (excel, photoshop, whatever) is not a security breach, it's just annoying.

    Bad choice of examples. That's what we were saying and thinking in 1998: IT to PHB: "Don't open any EXE files mailed to you, however Excel spreadsheets, Word docs, etc. are fine".

    An exploitable buffer overrun in any application where malicious inputs exist is a security hole.