Slashdot Mirror


Which Programming Language Has The Most Security Vulnerabilities? (techrepublic.com)

A new report from the open source security company WhiteSource asks the question, "Is one programming language more secure than the rest?"

An anonymous reader quotes TechRepublic: To answer this question, the report compiled information from WhiteSource's database, which aggregates information on open source vulnerabilities from sources including the National Vulnerability Database, security advisories, GitHub issue trackers, and popular open source projects' issue trackers. Researchers focused on open source security vulnerabilities in the seven most widely-used languages of the past 10 years to learn which are most secure, and which vulnerability types are most common in each...

The most common vulnerabilities across most of these languages are Cross-Site Scripting (XSS); Input Validation; Permissions, Privileges, and Access Control; and Information Leak / Disclosure, according to the report.

Across the seven most widely-used programming languages, here's how the vulnerabilities were distributed:
  • C (47%)
  • PHP (17%)
  • Java (11%)
  • JavaScript (10%)
  • Python (5%)
  • C++ (5%)
  • Ruby (4%)

But the results are full of disclaimers -- for example, that C tops the list because it's the oldest language with "the highest volume of written code" and "is also one of the languages behind major infrastructure like OpenSSL and the Linux kernel."

The report also notes a "substantial rise" across all languages for known open source security vulnerabilities over the last two years, attributing this to more awareness about vulnerable components -- thanks to more research, automated security tools, and "the growing investment in bug bounty programs" -- as well as the increasing popularity of open source software. And it also reports a drop in the percentage of critical vulnerabilities for most languages -- except JavaScript and PHP.

The report then concludes that "the Winner Of Most Secure Programming Language is...no one and everyone...! It is not about the language itself that makes it any more or less secure, but how you use it. If you are mitigating your vulnerabilities throughout the software development lifecycle with the proper management approach, then you are far more likely to stay secure."

Coincidentally, WhiteSource sells software which monitors open source components throughout the software development lifecycle to provide alerts about security (and licensing) issues.


4 of 330 comments

  1. Re:the problem is engineering competency relative by theweatherelectric · Score: 3, Informative

    It's not hard to write secure C.

    And yet 70 percent of all security bugs are memory safety issues.

    If only there was some kind of language which was designed to reduce memory safety bugs.

  2. Re:Not the programming language by gweihir · Score: 4, Informative

    I have done stuff in both and I do not agree in the least. PHP is a dangerous mess. You need to understand its specific defects to code safely in it. Python is pretty well-designed but _not_ a language for beginners in OO concepts, functional coding, etc. It requires experience with the general concepts used, but not with the specific implementation in Python. As such, it does not violate the principle of least surprise.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. Re:Not the programming language by Anonymous Coward · Score: 0, Informative

    I think you should try them again.

    PHP is a nightmare.

    Python is executable pseudocode which magically does what I want.

    There's very little surprising behavior--the worst there was has been fixed by now: In Python 3, the value of 1/2 is not 0 anymore. In Python 2 it was, and in C. That was completely insane.
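An added example, not from the thread or from WhiteSource, to make the division point concrete and carry it one step further than the comment does: on integers, Python 3's `/` is true division and `//` is floor division (what Python 2's `/` did), while C's integer `/` truncates toward zero, so Python's `//` and C's `/` disagree on negative operands, and `%` differs with them. The `c_div` and `c_mod` helpers are hypothetical emulations of C99 semantics written for this illustration; the operand list is constructed.

```python
"""Division semantics: Python 3 `/` and `//` versus C integer `/` and `%`.

Rule demonstrated: Python floors (rounds toward negative infinity), C
truncates toward zero. They agree for non-negative operands and differ
when exactly one operand is negative.
"""


def py3_true_div(a: int, b: int) -> float:
    """Python 3 `/` on ints: always true division, yields a float."""
    return a / b


def py3_floor_div(a: int, b: int) -> int:
    """Python 3 `//` (and Python 2 `/` on ints): floor division."""
    return a // b


def c_div(a: int, b: int) -> int:
    """Hypothetical helper emulating C99 `/`: quotient truncated toward zero."""
    if b == 0:
        raise ZeroDivisionError("division by zero is undefined behaviour in C")
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def c_mod(a: int, b: int) -> int:
    """Hypothetical helper emulating C99 `%`: remainder takes the dividend's sign."""
    return a - b * c_div(a, b)


def compare(a: int, b: int) -> dict:
    """Return the Python and C results side by side for one operand pair."""
    return {
        "py3_true": py3_true_div(a, b),
        "py3_floor": py3_floor_div(a, b),
        "c_div": c_div(a, b),
        "py3_mod": a % b,
        "c_mod": c_mod(a, b),
    }


def disagreements(pairs) -> list:
    """Operand pairs where Python's `//` and C's `/` give different quotients."""
    return [(a, b) for a, b in pairs if py3_floor_div(a, b) != c_div(a, b)]


if __name__ == "__main__":
    # Constructed sample operands, including the negative cases that differ.
    samples = [(1, 2), (7, 2), (-7, 2), (7, -2), (-7, -2)]
    for a, b in samples:
        print((a, b), compare(a, b))
    print("Python // vs C / differ on:", disagreements(samples))
```

The practical lesson is that a size or offset computation ported between C and Python can silently change value once a negative operand appears, even though `1/2` now behaves as the comment describes.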

  4. Re:Not the programming language by gweihir · Score: 4, Informative

    Scope in Python is complex. However, it is absolutely nothing that will surprise anybody competent. Because if you have a variable twice, with different scope, anybody competent will read up how scope works before. Also, "accidentally" reversing an assignment is a code bug and nobody with the least bit of understanding would ever blame the language for the effects.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
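An added example, not from the thread, showing the scope rule the comment refers to when "you have a variable twice, with different scope": any assignment to a name anywhere inside a function makes that name local for the whole function body, even on lines before the assignment, unless it is declared `global` or `nonlocal`. All names below (`COUNTER`, `shadowed`, `make_counter`, and so on) are constructed for this demonstration.

```python
"""Python scope rules: local-by-assignment, `global`, and `nonlocal`."""

COUNTER = 0  # module-level name that the functions below refer to


def read_only() -> int:
    """No assignment in the body, so COUNTER resolves to the global."""
    return COUNTER + 1


def shadowed() -> str:
    """Assigning COUNTER anywhere in the body makes it local everywhere.

    The read on the first line therefore hits an unbound local, not the
    global. The error is caught so the function returns a describable value.
    """
    try:
        before = COUNTER          # UnboundLocalError: local COUNTER not yet bound
        COUNTER = before + 1
        return "incremented"
    except UnboundLocalError:
        return "unbound-local"


def declared_global() -> int:
    """With `global`, the assignment updates the module-level name."""
    global COUNTER
    COUNTER = COUNTER + 1
    return COUNTER


def make_counter():
    """Closure: `nonlocal` is needed to rebind an enclosing function's name."""
    count = 0

    def bump() -> int:
        nonlocal count
        count += 1
        return count

    return bump


def bump_three() -> tuple:
    """Drive one closure counter three times; shows the rebinding persists."""
    bump = make_counter()
    return (bump(), bump(), bump())


def closure_without_nonlocal() -> int:
    """Without `nonlocal`, `count = ...` creates a fresh local in the inner function."""
    count = 10

    def bump() -> int:
        count = 99  # new local; the enclosing `count` is untouched
        return count

    bump()
    return count


if __name__ == "__main__":
    print(read_only())                 # 1
    print(shadowed())                  # unbound-local
    print(declared_global())           # 1
    print(bump_three())                # (1, 2, 3)
    print(closure_without_nonlocal())  # 10
```

The `shadowed` case is the one that trips people up: the error is raised on the read, several lines away from the assignment that caused it, because locality is decided at compile time for the whole function rather than at the point of assignment.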