Slashdot Mirror
The Security of Popular Programming Languages
An anonymous reader writes "Deciding which programming language to use is often based on considerations such as what the development team is most familiar with, what will generate code the fastest, or simply what will get the job done. How secure the language might be is simply an afterthought, which is usually too late. A new WhiteHat Security report approaches application security not from the standpoint of what risks exist on sites and applications once they have been pushed into production, but rather by examining how the languages themselves perform in the field. In doing so, we hope to elevate security considerations and deepen those conversations earlier in the decision process, which will ultimately lead to more secure websites and applications."
I wonder how Ada 2012 would do in this test, although I don't know of any websites that use this language for a backend.
Who exactly is going to volunteer to implement a major system in a combination of Perl and ColdFusion?
Captcha: jokers
where the hell is it on the list?!
-db
Here we go again with another subtle attack of C/C++ in wake of the recent HeartBleed.
Let's just keep pushing the idea now despite every other language for the most part being implemented in C/C++.....
C++11 is awesome and has brought it back to modern day relevancy. I'm pushing C++11 all over my projects and teams.
I've never read so many contradictions in one article before!
From the article: "To lay the foundation for the research, the team first examined the volume of languages in the field, and found, unsurprisingly, that .Net, Java and ASP are the most widely used programming languages at 28.1%, 25% and 16% respectively. Legacy programming languages that have been around for decades, PHP (11%), ColdFusion (6%), and Perl (3%) rounded out the remaining field."
How did they determine the languages? This certainly differs from TIOBE's methodology (based on Google searches). The "unsurprisingly" seems suspect as well; I feel some of the selections *are* somewhat surprising.
Do they mean Classic ASP? They list .NET separately so I don't think they mean ASP.NET, but they also don't include ASP in their list of "legacy" languages. I also seriously doubt 16% of companies are still using Classic ASP.
ASP isn't even a language, it's a framework. You can write a Classic ASP app in vbscript or javascript. You can write ASP.NET in any .NET supported language. Then there is ASP.NET MVC.
If they can't get their list of tested "languages" straight, I doubt the rest of the article.
I'm not even sure what the article meant by ASP vs .NET ? Surely they aren't talking classic ASP? I doubt anybody is 'starting new projects in classic ASP -- so what is ASP? and how is it not .NET ?
The rest of the article doesn't make a lot of sense to me either.
It may be cliche, but how secure a language is depends on who is using it. PHP is very accessible, and used by a lot of newbies, so "in the field" there turns out to be a lot of vulnerabilities found. However, by following some relatively simple guidelines, code can be made pretty secure. Most of the problems in PHP code are either due to SQL injection, which can easily be avoided by using parameterized queries, or from turning on options that are known to be insecure, like register_globals. C on the other hand would only be used by a small number of highly trained individuals, at least for web applications, so it's less likely to experience problems in the wild, but due to buffer overflows and other memory management problems, it's much easier to shoot yourself in the foot without realizing it.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
WOOT
You have to build security into a language from the get-go. It can't be an afterthought.
If you're comparing mitigation rates, it just means you've failed already.
One bug that allows silent remote code execution on the WAN side and another bug that is a privilege escalation possibility on the LAN can not be treated as one bug each, right? This is not limited to just security vulnerabilities alone. Many software company top managers insist on looking at bug counts, sometimes sorted into 5 priority/severity levels or so.
It gets worse in the planning and progress monitoring. They use fancy tools like rallydev.com or something, but they allow each team to define its own story points. The Bangalore team uses 1 story point = 1 engineer week. The Boston team uses 1 story point = 1 engineer day. The Bangkok team uses engineer hour. And the top management gets the report, "This SAGA feature story was estimated to take 3264 story points, and it is 2376 points complete". Complete b.s. that is.
We pay ridiculously high salaries for the top management, and instead of expecting them to put in the time, energy and effort commensurate with that kind of pay, to make valuable judgement, hard decisions, step on people's toes, tell it like it is, and paint an accurate picture of the state of the company, we let them shirk their responsibilities.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Yes, of course the security of your language (as well as the rest of your environment) matters. But what's way more important is what kind of devs you have. No matter how secure anything is, if the person supposed to use it does not know about its security pitfalls, do you think that's increasing the security?
Security is by definition the minimum of the security your technology offers and the security your personnel offers. The minimum. Not the average. The same applies to OSs, too. You can have the most secure OS in the world, if you lack the admin to secure it, you're no better off than with an OS that has shabby security itself.
Your security is way more dependent on the personnel you have, and the ability and expertise they have with the different technologies. Simple scenario: Take an admin that knows OS-A like the back of his hand and can somehow kinda-sorta get OS-B to run. OS-A has a few security holes (that the admin all knows about, including their workarounds) while OS-B is absolutely tight but our admin doesn't know it too well.
Which one do you think will, administered by said admin, be more secure?
It's the same with programming languages. C does have its security issues, but a good C programmer knows why he should not put input on the stack and why he should include sanity checks on every input, especially if is of variable length. Some other language might not have that possibly dangerous pit, but there are very, very few languages (outside those fields where security matters and money doesn't) that have none.
What would you prefer your devs to develop in? A language they know, including all its slings and errors, or a potentially more secure one the pits of which your devs don't know?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
These aren't really "programming languages", they're a set of "web scripting languages".
Some of them may be "programming languages", too.
But damn, talk about delusions of grandeur.
In the wake of Heartbleed, one might think that this would be talking about array bounds checking or buffer overflow mitigation. No. It is talking about web site frameworks.
examined the vulnerability assessment results of the more than 30,000 websites
First of all: this is not measuring the security of the programming language. This is measuring the security of the OS infrastructure and toolchains. Notice C/C++ is not on the list, since it is hardly ever used for creating web sites.
There was no significant difference between languages in examining the highest averages of vulnerabilities per slot.
What the heck is a slot?
Any summary where Perl scores the best must be deeply questioned. I doubt this is an apples-to-apples comparison. Surely these Perl sites are not doing nearly as much as the sites written in other languages.
If the language specification doesn't expressly say what happen when things "outside the design" happen, then different implementations may work differently.
For example:
If the language design spec says
"If an array index is out of bounds, exit the program and return a value of ABEND_ARRAY_BOUNDS_VIOLATION to the calling program,"
that may seem very specific, but if how to "exit the program and return a value of ABEND_ARRAY_BOUNDS_VIOLATION to the calling program," isn't specified by someone (usually the operating system), then it may not be specific enough. if different operating systems specify how to do this differently, then expected "under the hood" behavior will not necessarily be consistent across operating systems.
For example, does "exit the program" mean simply returning control to the caller, or does it mean explicitly returning any resources that were previously granted to the program by the operating system first? Or is that optional? If it's optional as far as the operating system is concerned, does the language provide a compile- or run-time switch to force such a cleanup? Does returning memory to the operating system guarantee that the OS will sanitize the memory, and if not, does the language guarantee it? If the language doesn't guarantee it, does the language provide a compile- or runtime switch so the program will sanitize memory prior to returning it to the operating system?
These differences in language implementations and even differences in how operating systems handle the starting and stopping of processes can lead to differences in what the code actually does. Usually these differences are unimportant but sometimes they are very important.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Programming languages. Vulnerabilities of programming languages (read: sub-optimal implementation of the language).
Then you read "CSS", as in Cross Side Scripting ? And SQL injections ? C'mon...
This is completely unrelated to the programming language. TFA is completely absurd, despite stating that these are "(...)vulnerability assessment results of the more than 30,000 websites to measure how the underlying programming languages and frameworks perform in the field"
We all know that most web development it's recently done with .net. Java is also widely used, so as ASP. So, the so-called "vulnerabilities" are obviously linked to the most-used platforms.
Nothing new here for you to read, move along.
FLAME ON! PURGE THE INFIDELS IN THE HOLY FIRE!
But before we really get into it, this isn't really a measurement of the language somuchas how people use the language. For example: while VB6 was an abomination, VB.NET really isn't all that bad. But since the people who use VB.NET are the amateur noobs who make stupid mistakes. Hey, we all started somewhere. But it means I really wouldn't trust a project that's written in VB.NET for certain tasks.
These are sociological factors. Politics. Culture. And they matter, but they're not technical aspects. The size of the community. The maturing of the developers. How open the overlord megacorp is to people making tools that interface with their toys. How many developers got the hype-bug and wrote libraries for said language. How good those developers were at their job. It all matters, but it's not an aspect of the language itself.
Any Turing complete language CAN do the job. You've got to avoid Turing tarpits, but mostly the right tool for the job is a matter of fashion.
Why the flames? Why is this something that causes so much strife?
Because we all want to bet on the right horse, and who wins is largely a popularity contest. It really DOES matter what the community does. You can't just go off into the woods and code away in TurboPascel and hope to have a lucrative career. It's an inverse tragedy of the commons. Using the tools of your neighbor SHARPENS said tools. So everyone wants you to use their tools. Because their tools are the best.
And so the flame wars rage on.
They shouldn't be looking at the number of bugs in the implementation of the language. They should be looking at the bugginess (or not) of the code written in it. That's the important thing.
that PHP was more secure than Java
JAVA is Secure, Java is also fast. But Java Interpreters/compilers are not written in Java.
So we need to have a java interpreter, running on a java interpreter, written in java, recursively.
Just think how fast and secure that will be!
Who needs a 1 second boot when u have a 3 month boot time, good luck exploiting that!
Security by wearing down your opponent!
Ur/Web is an interesting language with a type system designed to reject vulnerable web programs as ill-typed. The compiler itself is written in a safe language — Standard ML, and there is a proof of language correctness included.
HAL 7000, fewer features than the HAL 9000, but just as homicidal!
The security level of a piece of code with good security is 95% coder competence and 5% language, i.e. language is irrelevant. One thing though is that language can add to the security problems if it has insecure tun-rime implementation errors.
One reason most security-critical software is written in C is that there, the coder gets full control. A good coder with skills in secure coding will do fine with C. A coder that does not understand software security will to badly in any language, but in C he/she might not even produce anything that works, which will be an advantage. Also in C, it will be far more obvious if somebody is clueless, which makes review easier.
But "language is important for code security" is even more wrong than "language is important for code reliability". Language is important for code performance though, but only in the sense that it can kill it. Good language choice can also make a good coder more productive (a bad coder has negative productivity, so it hardly matters...). This nonsense about the language being capable of fixing problems with the people using is comes from "management" types that are unable to handle people that are individuals. These utterly incompetent "managers" can be found in many large companies and they believe that in IT, individuals do not matter. Typically these "managers" are not engineers and have no clue what a good engineer can do but a bad one cannot. They also believe that engineering productivity can be measured in hours spent or that all coders are equal and just implement specifications, so outsourcing is a good idea.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
"The most popular programming languages"? Really? Where are Javascript, Ruby, Python, the Cs? On the other hand, is anyone still using ColdFusion? (Which is, or used to be, not even a language but a framework.)
Not a single security exploit reported in over 50 years.
"To those who are overly cautious, everything is impossible. "
http://www.crosstalkonline.org...
And here's my $.02: C syntax has been actively harmful in this regard. It's too easy to make a typo that compiles, or to introduce a statement/expression that has a different result than you expect (e.g. the Apple "extra break statement" bug.)
DOH! I *knew* I should've read the freakin' article before writing that.
Obviously, the article is talking about scripting languages, languages that (typically) run inside of a hopefully-OS-independent-behavior runtime rather than a traditional compiled language that doesn't contain a lot of "runtime" between the compiled code and the operating system.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I don't understand this:
Perl remediates 85% of all Cross-Site Scripting vulnerabilities, the highest rate among all languages but only 18% of SQL Injection.
There is no Perl language support to remediate cross site scripting. That's all done by the developer and/or framework he's using, so I don't see how it's useful to say that Perl remediates 85% of XSS vulnerabilities when the language itself has no idea what XSS is or how to remediate it.
I'm also having trouble reconciling this statement:
Perl has an observed rate of 67% Cross-Site Scripting vulnerabilities, over 17% more than any other language.
So Perl re mediates 85% of XSS vulnerabilities -- the highest rate of any language, yet it has a 17% higher rate of XSS vulnerabilities?
This study would be slightly more useful if they gave details on web frameworks instead of just languages.
I'm surprised Ruby and Python didn't make the list, I figured that either one of those languages would be more popular than Perl for web development today
I can't figure out how I would use this to make make a real-world decision. Just picking the "most secure" language overlooks so many other tradeoffs that I just can't see it as a valid approach, especially when the article ends with a call for more testing, not a call to select superior languages.
This is a non-finding.
Real-time, embedded safety-critical software needs to be written in a well-specified language. It needs to be compiled and linked in well-validated tools (validated against the well-specified standard). It needs to be verified while executing on a target that was subject to the tools' validation.
The Ada language has too much conceptual baggage for compiler vendors and application developers to handle.. So, industry uses C, and increasingly C++, to get the work done. MISRA rules attempt to impose sanity, but MISRA rather expresses contempt for these languages. MISRA does not trust the compiler vendors nor the application developers, and the problem starts with the language specifications themselves. Ultimately, MISRA is a shame because it does not provide a means to validate the tools (neither the compilers nor the rules checkers).
We need a new language, one defined by subject matter experts, one that the industry can and will embrace. That language shall be called, "Blaz" (unwavering protector).
A pretty comprehensive study was done that showed regardless of the language selected, the programs written by developers with the most experience in that language were the the ones with the least security bugs, regardless of traits of the language like attack surfaces or complexity.
It's short and sweet. A developer's experience with the specific language or framework an application is written in is a better indicator of application security than the language or framework an application is written in.
SQL and amalgamations of languages (e.g., JavaScript generated by PHP) not on the list. XSS attacks involve such "mutt" software.
IMHO, the more code the more opportunities to exploit things. Terse languages to the rescue? Write it all in Haskell, Lisp or something. You'll attract talented developers and the attackers will be like... "Oh crap, we have to analyze that???".
No silver bullets of course. Something has to be able to read/write sensitive information at some point. Something has to determine under what conditions that occurs. It's human nature to make those conditions complicated to the point where vulnerabilities occur...
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Was a new feature that was enabled by default. The heartbeat 'feature' should have been *DISABLED* by default. New features should always be disabled, and then you let the developer decide whether to enable it or not. And then *TEST* it! And *CODE REVIEW* it!
You are being MICROattacked, from various angles, in a SOFT manner.
The fact that the holes exist is what they're talking about.
People are still writing code vulnerable to SQL injection attacks?
"A new WhiteHat Security report approaches application security not from the standpoint of what risks exist on sites and applications once they have been pushed into production, but rather by examining how the languages themselves perform in the field"
How about designing a language that can't read/write past a previously allocated buffer in memory.
Do the work yourself and make your programs secure. C und ASM are Still the kings of the hill and always will be.
The headline sez it all!
Perl is more popular than Ruby and Python? ColdFusion is more popular than Ruby or Python? Seriously?
All but two of the languages had their first major release in the 1995 to 1996 time frame, according to Wikipedia. Of those released during that two-year period, two (PHP and ColdFusion) are "legacy" based on being "decades old", and two (ASP and Java) are "new".
Dot NET is "a language". Of course, that language is clearly J#, which means that really all those .NET statistics should be applied to Java, right?
ASP is different from .NET. Which it is--in one form. That ASP is not "legacy", despite being just as old as two of the three "legacy" languages, and despite being the only language studied which is actually deprecated upstream.
And the guy who ran the study was surprised to learn that older, more mature technologies were more secure. Well, "older". (Or "secure"--why the scare quotes were added in the article is a mystery.)
I think this study says more about WhiteHat Security than about any of the languages supposedly studied.
If you don't like C++ (and who does?) or C, what DO you suggest as a systems programming language?
Rule 1: If it runs under a VM, it's out
Rule 2: If it requires a garbage collector, it's out.
Rule 3: COBOL and FORTRAN are out too.
Security is not a matter of language but of design. Some languages might make that easier than others. But focusing on the language only is like saying: "Let's invent new shapes for our letters so we can write better books."
Rust
Use Rust. It's not at version 1.0 yet but it's promising. See some comments on Rust's benefits for security. And some blog posts by Andrew Ruef and Patrick Walton.
'nuff said!
what bash?
yes sure. just stay away from eval
I'm currently checking if other constructs from bash are prone to execution or information disclosure. Came across 'declare' which may have an issue.
Of course, SQL injections are possible, because SQL is not bash.
Atari rules... ermm... ruled.
its pretty much the case that programming languages in which it is harder to make bugs are also harder to make security problems. Because security problems are just a special case of bugs. So all the things we know about writing better languages are important for security. Unfortunately, language technology has always been under-appreciated. People will just use what is popular, which often times is just C or Java and so forth.
Yes, we mean ASP classic.
Small point but the data was the median not the mean. The metric should not be used to evaluate individual sites. The idea was to determine if there in a inherit difference between the different languages and how they are used in the real world. Are PHP and Java really much more insecure a programming language?
The paper says that a slot is basically the bounds on a site. You can think of them as the same but there are some small differences that do not really mean much here.