Which Programming Language Has The Most Security Vulnerabilities?

A new report from the open source security company WhiteSource asks the question, "Is one programming language more secure than the rest?"

An anonymous reader quotes TechRepublic: To answer this question, the report compiled information from WhiteSource's database, which aggregates information on open source vulnerabilities from sources including the National Vulnerability Database, security advisories, GitHub issue trackers, and popular open source projects issue trackers. Researchers focused in on open source security vulnerabilities in the seven most widely-used languages of the past 10 years to learn which are most secure, and which vulnerability types are most common in each...

The most common vulnerabilities across most of these languages are Cross-SiteScripting (XSS); Input Validation; Permissions, Privileges, and Access Control; and Information Leak / Disclosure, according to the report.
Across the seven most widely-used programming languages, here's how the vulnerabilities were distributed:

• C (47%)
• PHP (17%)
• Java (11%)
• JavaScript (10%)
• Python (5%)
• C++ (5%)
• Ruby (4%)

But the results are full of disclaimers -- for example, that C tops the list because it's the oldest language with "the highest volume of written code" and "is also one of the languages behind major infrastructure like Open SSL and the Linux kernel."

The report also notes a "substantial rise" across all languages for known open source security vulnerabilities over the last two years, attributing this to more awareness about vulnerable components -- thanks to more research, automated security tools, and "the growing investment in bug bounty programs" -- as well as the increasing popularity of open source software. And it also reports a drop in the percentage of critical vulnerabilities for most languages -- except JavaScript and PHP.

The report then concludes that "the Winner Of Most Secure Programming Language is...no one and everyone...! It is not about the language itself that makes it any more or less secure, but how you use it. If you are mitigating your vulnerabilities throughout the software development lifecycle with the proper management approach, then you are far more likely to stay secure."

Coincidentally, WhiteSource sells software which monitors open source components throughout the software development lifecycle to provide alerts about security (and licensing) issues.

Re:Not the programming language

[hcs_$reboot]

Of course the programmer creates security holes by how they use the language. But in PHP (more the case in older versions) some "features" gives a sense of security while they actually don't. 'addslashes()' vs 'mysql_real_escape_...' for instance ; 'strpos' that returns 'false' if not found (instead of -1) so in a 'if' the programmer might misses a position at 0... Local functions are actually not local... etc... etc... All of that is Ok when you're used to the language, but they're just counter-intuitive traps that even a good programmer may fall into at the beginning.

Re:Not the programming language

[ShanghaiBill]

PHP has more than a dozen different ways to connect to a database. PHP has a long history of glomming on new APIs, but never deprecating the old, even when shockingly insecure. This is especially bad for PHP because most of PHP's user base are low IQ Wordpress extension hackers who are not qualified to be making security decisions on their own.