Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Top Programming Languages That Spawn the Most Security Bugs (softpedia.com)

Posted by Soulskill on from the prepared-to-not-be-surprised dept.

An anonymous reader writes: Veracode has put together a report after static analysis of over 200,000 apps, and its results show that Classic ASP, ColdFusion, and PHP generated the most security bugs in scanned applications. Ignoring the first two, which are almost extinct languages, PHP, used for Drupal, Joomla, and WordPress (which recently announced it runs a quarter of the Internet) is the programming language with the most security woes.

7 of 241 comments (clear)

  1. What's a "programming language"? by david.emery · · Score: 3, Interesting

    Are "iOS" or "Android" the same as "PHP" or "C++"? I didn't hand in my personal informatoin to get the full study, but the stuff shown on this story's link pegged my bs-meter. Also, I'd hope there's a discussion of 'number of occurrences,' finding 10 bugs, 8 of which are null pointer dereference, should be different from finding 10,000 bugs where 'only' 7,500 of them are null pointer dereference.

    And wouldn't it be even more useful to know which languages generate the least number of bugs, per line of code?

  2. Reason for this by xxxJonBoyxxx · · Score: 3, Interesting

    If this was from a dynamic scanning company, I would have suspected these results would occurred because that code often run in environments often configured to show web users raw error output, such as "your database call failed - here's what I tried so you can tune your SQL injection attempt appropriately."

    [rant] In general, I've found that the utility of "dynamic" (or pentesting) web scanners has dropped precipitously lately as web apps have pushed their presentation out to Javascript apps (making it easier to probe a finite set of web services with standard testing and fuzzing tools) and almost all new environments are set to display terse "got error - now fuck off" messages to end users (if not just a redirect back to the app's home page) if a probe generates an error (that would have generated useful output 10 years ago). [/rant]

      >> Ignoring the first two

    This is a horrible assumption to make. I remember I looked at bringing Veracode in house specifically because I had a multi-million line legacy web app written in "classic ASP" that powered several hundred million dollars of annual purchases.

  3. Re:Are all ten of them Java? by tompaulco · · Score: 5, Interesting

    Just wondering.

    Java is the 4th highest, with about 2% of the flaws found being Java. I'm really shocked that Java shows up higher on the list than Javascript. If ever there was a language where people copy and paste somebodiy's working code and try to mangle it to work for their own purposes with no understanding of the actual language or security thereof, it is Javascript.

    --
    If you are not allowed to question your government then the government has answered your question.
  4. Managed languages by johannesg · · Score: 3, Interesting

    So much, then, for managed languages. I thought managed pointers and garbage collection were supposed to free us from all those ills, but evidentally not.

    Shame that further down they perpetuate the myth of the C/C++ language. That language doesn't exist - it's either one or the other. In C you'd use raw memory pointers if you wanted to pass a buffer around, making it easy to access it beyond its boundaries. In C++ you'd pass a buffer object that knows its own size, and either dynamically resizes or at least throws an exception on an illegal access.

    Because C and C++ have such vastly different approach to the same problem I'd love to see C and C++ split out.

  5. Re:Are all ten of them Java? by Anonymous Coward · · Score: 2, Interesting

    The days of copying and pasting JavaScript and hoping that it works are long gone (perhaps 10 years).

  6. Re:Are all ten of them Java? by Z00L00K · · Score: 3, Interesting

    The report only concerns security bugs, not all bugs. Most security issues with JavaScript are likely to have been hammered out now.

    But JavaScript do fail from time to time on web pages, especially if there's a web page that do something that was permitted in an earlier version but not permitted any longer due to a security issue with that functionality. Another headache with JavaScript that most programmers today have rectified is browser differences.

    Some browsers have taken in functionality from competing browsers to ensure compatibility so some issues with JavaScript have been resolved that way as well.

    Java libraries - they are good, but also a curse since you can't ensure that you get everything right with the library functions in all cases. Experienced programmers may have their own library of JavaScript functions to use when they make their web stuff.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  7. Re:Are all ten of them Java? by neurojab · · Score: 2, Interesting

    >If ever there was a language where people copy and paste somebodiy's working code and try to mangle it to work for their own purposes with no understanding of the actual language or security thereof, it is Javascript.

    In the majority of web applications the client is given limited scope by the server. Clients can't be given full trust because anyone can create their own malicious client. Security bugs are therefore on the server. Today most javascript is still client side. Yes, node.js has been making inroads, but it is far from the most popular server side language. I predict that if node does eclipse java in popularity, it will also beat java in server side security bugs. Perhaps by a wide margin, since I've also seen a lot of client side programmers work on server code in node. If you're used to being on the untrusted side of things and then suddenly have to make secure code, you're bound to make mistakes.