Which Programming Language Has The Most Security Vulnerabilities?

A new report from the open source security company WhiteSource asks the question, "Is one programming language more secure than the rest?"

An anonymous reader quotes TechRepublic: To answer this question, the report compiled information from WhiteSource's database, which aggregates information on open source vulnerabilities from sources including the National Vulnerability Database, security advisories, GitHub issue trackers, and popular open source projects issue trackers. Researchers focused in on open source security vulnerabilities in the seven most widely-used languages of the past 10 years to learn which are most secure, and which vulnerability types are most common in each...

The most common vulnerabilities across most of these languages are Cross-SiteScripting (XSS); Input Validation; Permissions, Privileges, and Access Control; and Information Leak / Disclosure, according to the report.
Across the seven most widely-used programming languages, here's how the vulnerabilities were distributed:

• C (47%)
• PHP (17%)
• Java (11%)
• JavaScript (10%)
• Python (5%)
• C++ (5%)
• Ruby (4%)

But the results are full of disclaimers -- for example, that C tops the list because it's the oldest language with "the highest volume of written code" and "is also one of the languages behind major infrastructure like Open SSL and the Linux kernel."

The report also notes a "substantial rise" across all languages for known open source security vulnerabilities over the last two years, attributing this to more awareness about vulnerable components -- thanks to more research, automated security tools, and "the growing investment in bug bounty programs" -- as well as the increasing popularity of open source software. And it also reports a drop in the percentage of critical vulnerabilities for most languages -- except JavaScript and PHP.

The report then concludes that "the Winner Of Most Secure Programming Language is...no one and everyone...! It is not about the language itself that makes it any more or less secure, but how you use it. If you are mitigating your vulnerabilities throughout the software development lifecycle with the proper management approach, then you are far more likely to stay secure."

Coincidentally, WhiteSource sells software which monitors open source components throughout the software development lifecycle to provide alerts about security (and licensing) issues.

Not the programming language

[hcs_$reboot]

but the programmer that uses it.

Re:Not the programming language

[hcs_$reboot]

But to be fair. some languages are more prone to security holes (like PHP, especially the older versions).

Re: Not the programming language

[hcs_$reboot]

You can juge a programmer by the code they provide, whatever the language.

Re:Not the programming language

[Narcocide]

It is only really the default configuration of older PHP versions that make it so much more practically insecure. In reality, JavaScript should be higher up on this list, because some of it's innate behaviors are so badly designed they cause vulnerabilities that can't be mitigated in any way other than simply not using it.

Re: Not the programming language

Real programmers use assembly language and write their own high level language with macros.

FTFY.

Re:Not the programming language

[gweihir]

but the programmer that uses it.

And that is the only aspect that matters. Anything else is a red herring or a minor issue. But too many people that think they are competent to voice their opinion on the matter cannot see that and hence the mess continues. Will probably take a few really large disasters to change anything here.

Re:Not the programming language

[gweihir]

But to be fair. some languages are more prone to security holes (like PHP, especially the older versions).

No. The only thing PHP does is to make it easier for bad coders to create really simple to exploit vulnerabilities. Anybody competent will write code just as secure. It may take them longer because PHP is a really, really bad design that no good coders would use given a choice. (If you think different, then you are not a good coder. Sorry. It is completely clear and you are deluding yourself. PHP ignore fundamental principles of good engineering in many places.)

Re:Not the programming language

[Aighearach]

but the programmer that uses it.

Exactly. C is the hard parts. Lots of mistakes are made.

It opens whole markets.

Re:Not the programming language

[angel'o'sphere]

Most likely the libraries they use.

E.g. below one is nitpicking about PHP and he obviously does not know that PHP got greatly improved during the last ten years.

OTOH there plenty of mistakes you can make by simply configuring your server wrong, then the language does not really matter ...

Re:Not the programming language

[hcs_$reboot]

Of course the programmer creates security holes by how they use the language. But in PHP (more the case in older versions) some "features" gives a sense of security while they actually don't. 'addslashes()' vs 'mysql_real_escape_...' for instance ; 'strpos' that returns 'false' if not found (instead of -1) so in a 'if' the programmer might misses a position at 0... Local functions are actually not local... etc... etc... All of that is Ok when you're used to the language, but they're just counter-intuitive traps that even a good programmer may fall into at the beginning.

Re:Not the programming language

[Z00L00K]

Most script languages are written in C.

C is a good language for focused functionality where performance or detailed control is important like hardware drivers, but when you look at bread&butter code then there are actually better languages. The problem is that not all those languages are as portable as C to other environments or even between versions due to breaking backward compatibility.

A C program written in K&R style can still be compiled even if the compiler may moan quite a bit about obsolete constructs or with some relatively easy modifications. Meanwhile many other languages like PHP is severely breaking backwards compatibility between versions - something that's a headache for many when trying to upgrade their systems.

There are also tools to find programming mistakes, like Splint, Findbugs and many others. They add to the workload but will also make things more stable in the long run.

If you want languages with low inherent vulnerabilities you need to go for languages like Ada. But even that don't save you from bad overall designs where information hasn't been handled properly - like protection against SQL injection.

Re: Not the programming language

[Z00L00K]

C is an assembly macro language.

Re:Not the programming language

[ShanghaiBill]

PHP has more than a dozen different ways to connect to a database. PHP has a long history of glomming on new APIs, but never deprecating the old, even when shockingly insecure. This is especially bad for PHP because most of PHP's user base are low IQ Wordpress extension hackers who are not qualified to be making security decisions on their own.

Re:Not the programming language

[gweihir]

I agree. PHP has traps by surprising behavior. One of the corner-stones of secure coding is the Principle of Least Surprise and PHP violates it repeatedly. Still a good coder will find these and just not trust the language anymore and be extra careful. This makes coding slow and not fun and expensive, but it can be done. An average or worse coder (the majority of them) will just fall in the traps and create insecure code. However, an average or worse coder will still screw up more than acceptable in a well-designed language.

Re: Not the programming language

[phantomfive]

Good programmers write good code in every language. A bad programmer writes bad code in all of them.

Re:Not the programming language

[Sique]

If you think that a good coder has to avoid certain languages, I have news to you: Ed Post (1982) begs to differ.

[,,,] the determined Real Programmer can write FORTRAN programs in any language.

Ironically, this is an article why Real Programmers avoid Pascal.

Re: Not the programming language

[Sique]

Real Programmers use a butterfly.

Re:Not the programming language

[goose-incarnated]

I agree. PHP has traps by surprising behavior. One of the corner-stones of secure coding is the Principle of Least Surprise and PHP violates it repeatedly.

So does Python; hasn't hurt either of them popularity-wise.

Re:Not the programming language

[munch117]

We can fix that: Simply replace humanity with a different humanity that is capable of writing secure C code.

Or we can use memory-safe languages where possible.

I vote for the latter.

Re:Not the programming language

[dunkelfalke]

No true Scotsman would write insecure PHP code, right?

Re:Not the programming language

[dunkelfalke]

C used to be a good language for focused functionality where performance or detailed control is important, but that was long ago. Modern computers are very different to a PDP11, yet C more or less forces them into these constraints.

Re:Not the programming language

[gweihir]

Python is not nearly in the same class here.

Re:Not the programming language

[gweihir]

I agree that this is a strong component in this mess.

Re:Not the programming language

[gweihir]

What is the relation between your statement and what I wrote? Can you explain?

Re:Not the programming language

[K.+S.+Kyosuke]

It is only really the default configuration of older PHP versions that make it so much more practically insecure.

So the fact that PHP can introduce weird bugs due to surprising behavior of even basic operations is irrelevant for security now?

In reality, JavaScript should be higher up on this list, because some of it's innate behaviors are so badly designed they cause vulnerabilities that can't be mitigated in any way other than simply not using it.

And an example of that would be...what exactly?

Re:Not the programming language

[AmiMoJo]

The same is true of C programmers though, far too many of them don't understand the language and just hack stuff together to fulfil the contractual obligations and then disappear.

Contract work is a particular problems. There was a study recently, sorry I lost the link, where they put out contracts for a basic login page. Most of the developers didn't bother storing the password securely at first, then when asked managed to botch doing it. Contract work encourages minimum effort and throwing unsuitable libraries at problems, and often the person checking for completion doesn't understand the security issues.

Re: Not the programming language

[yo303]

But it is though.

Anyone proficient in assembly and C can "see" the assembly that the C code will make, as they write the C code. This is not true in C++ or FORTRAN or the others.

Re:Not the programming language

[Narcocide]

So the fact that PHP can introduce weird bugs due to surprising behavior of even basic operations is irrelevant for security now?

And an example of that would be...what exactly?

How about JavaScript making all variables references passed by Object?. How about ".prototype" at all?

Re:Not the programming language

[gweihir]

I have done stuff in both and I do not agree in the least. PHP is a dangerous mess. You need to understand its specific defects to code safely in it. Python is pretty well-designed but _not_ a language for beginners in OO concepts, functional coding, etc. It requires experience with the general concepts used, but not with the specific implementation in Python. As such, it does not violate the principle of least surprise.

Re:Not the programming language

[gweihir]

You need to read up on how that fallacy works. Here is a hint: It requires a disconnect between the group-characteristic and the excluded examples. That disconnect is missing in my statement and hence the fallacy does not apply.

Re:Not the programming language

[dunkelfalke]

Nah, that fallacy doesn't work that way. Besides, your statement, is, in fact, even worse, because it is also an example of circular logic.

Re: Not the programming language

[angel'o'sphere]

This is not true in C++ or FORTRAN or the others.
Yes, it is.
On the other hand, modern compilers make so much behind the scene that you *on modern hardware* hardly can say what is going on without actually looking at the assembly code. (Register renaming, operation reordering, parallel speculative execution etc.)

Re: Not the programming language

[orlanz]

Examples?

Re:Not the programming language

[muecksteiner]

Modern computers are very different to a PDP11, yet C more or less forces them into these constraints.

Care to elaborate on what part of modern C resembles a constraint found on the PDP11?

Re:Not the programming language

[Cmdln+Daco]

Wow. Fights over wether Javascript or PHP are better 'programming languages.'

Where do MS-DOS .BAT files rank in this hierarchy?

Re:Not the programming language

Care to explain?

Not a python programmer, but in any language I know, writing "x=y" instead of "y=x" results in silent data loss. The wrong variable is overwritten, loosing the data we wanted to copy into the other variable. And there is nothing the language/compiler/interpreter can do about that - either statement is valid, the compiler can't know we made a mistake unless one of the variables are read-only. Which usually isn't the case. And the language does not have a AI strong enough to guess what we wanted. If it had, it could write the program without us.

C, C++, assembly, pascal, scripting languages - they all fall for this. Garbage code in, garbage results out. Object orientation and read-only variables sometimes offer a little protection, but there is no help when both variables are local and writeable. Warnings about "assigning a value that never get used" catches a few of these, but often enough the value has been used so this trick cannot be relied on. (And the logic is too weak and won't catch it anyway if we're overwriting "x[i]" instead of just "x".)

Re: Not the programming language

[drewsup]

Its like the what dogs bite the most people scenario, yes Labradors are way up on the list, but only because theres so many of them compared to other breeds.

Re:Not the programming language

Really, buch of contractors on fiver did not store the password securely. I am shocked I tell you, shocked!

Re:Not the programming language

[Drethon]

The same is true of C programmers though, far too many of them don't understand the language and just hack stuff together to fulfil the contractual obligations and then disappear.

Contract work is a particular problems. There was a study recently, sorry I lost the link, where they put out contracts for a basic login page. Most of the developers didn't bother storing the password securely at first, then when asked managed to botch doing it. Contract work encourages minimum effort and throwing unsuitable libraries at problems, and often the person checking for completion doesn't understand the security issues.

I think you just described any project where the code base is to large to learn in the amount of time the average employee is provided to learn the code before being required to be productive... or any code base that is simply too large for any average employee to learn in full.

Re:Not the programming language

[ctilsie242]

I would say that everyone is right here. C, it is easy to make mistakes which cannot happen in Java or Python, like not watching where pointers are going, array out of bounds issues, and other stuff.

However, part of it is modern coding in general. The last several "Agile" places I worked at were in permanent sprints, and the job of the developers is to get a feature that marketing already sold to the customer into the product. It doesn't matter if it doesn't work, or is horrifically insecure. It is about making those deliverables in time. When one was made, marketing had two more waiting to be done, so it never ceased.

In most places, one can easily wind up having their job outsourced/offshored if they don't make deliverables. On the other hand, something horrifically insecure that causes every customer to have a backdoor to the world, the developer is insulated from that, through many layers of corporate bureaucracy, so even if there are lawsuits, the developer would likely feel no consequences.

tl;dr, blame the programmer, not the tools. However, some languages require more thought to program safely/securely than others.

Re: Not the programming language

[umghhh]

not all pilgrims here are enlightened tho.

Re: Not the programming language

[Drethon]

Good programmers write good code in every language. A bad programmer writes bad code in all of them.

Good programmers may not write good code in a language they don't understand yet. A great C# programmer could easily end up writing code with major memory holes in C because they don't understand the differences in memory management. A great Java programmer could end up making utter trash with sql because of the different ways of thinking about the languages.

Re:Not the programming language

[jellomizer]

Also to note what the programming language is used for.
If I am tasked to program an "Enterprise" Class application I will be using C,Java,C++ (And Javascript if there is a web front end) because these are the languages the big Execs expect to be codded in, There is still a wide hiring base for expansion, Other "Enterprise" Applications are codded in these languages, and these languages have support from many big players. Despite the fact that I normally shutter when I hear "Enterprise" class, because it is normally the worst pile code I normally see, because it has been handed off a dozen times to different programmers, without any firm architectural leadership to it (Which leads to the programmer who uses it security flaws), these applications are often very predominate on the network, and used by a lot of people, include parts that are facing on the internet. Which in short makes them naturally more vulnerable. You 10 line bash shell script may have flaws, but the fact it is just running in a cron job in a controlled environment, may mean such a flaw is not discovered.

Then we have languages such as PHP, Python, Ruby (And Javascript if there is a web front end). These are the get it done quick languages, so there there is little QA review. These are the languages where there is an itch that needs to be scratched and fixed quickly. This means there is less time architectting a good solution, so there is normally some funky code going on. These for the most part are lower in the list, because they have a smaller usage foot print, and often their exposure is also limited so may be on the DMZ, or just internal to the intranet.

Languages which were not on the list, are mostly designed for mostly client side programming, Sure you can use ASP.NET+C# to make server side stuff. But for the most part unless you are a strict Microsoft Shop you will use something else.

Re: Not the programming language

[laffer1]

I agree with your point, but I don't think you could even get any real work done in C without understanding part of the memory management. In the case of your SQL example, that's more likely to have massive performance problems than a security vulnerability.

I don't think you need experts, but you do need people who are willing to look at best practices documents when working in a new language. That are books on writing secure C and Java code as well as various papers and sites with content. There's also projects like OWASP. Even if you don't know how to prevent SQL injection in say Java, you should be able to know what to google to find out because you're familiar with that class of vulnerability in your favorite language.

Re:Not the programming language

[deKernel]

I really hope you are joking that an assignment operation can cause a loss of data because if you are, please close your editor, walk away from your computer and look for a new profession because you should NOT be writing code.

Re:Not the programming language

[coofercat]

I wonder then, if you took a random group of programmers, and gave them all a fixed amount of time to produce some sort of output in different languages, how many of them would (a) finish in time and (b) produce a secure output.

My point is, much like yours, that some languages make it easy to be reasonably secure, others make it quite hard. Any language can produce secure code, but given it's somewhere on the easy/hard spectrum, which one is the quickest to produce a secure output? Additionally, which one produces reasonably secure outputs when programmed by a reasonably competent programmer?

Ultimately - and not answered by TFA - a language is "the most secure" if ordinary programmers can use it without making security mistakes. If it either takes an age to finesse to good quality, or requires none but super-geniuses to program, then it's essentially "insecure". Unlike TFA, it has nothing to do with "number of lines of code written versus number of bugs".

Re:Not the programming language

[gweihir]

It does. You seem to be mentally deficient though.

Re:Not the programming language

[gweihir]

Scope in Python is complex. However, it is absolutely nothing that will surprise anybody competent. Because if you have a variable twice, with different scope, anybody competent will read up how scope works before. Also, "accidentally" reversing an assignment is a code bug and nobody with the least bit of understanding would ever blame the language for the effects.

Re:Not the programming language

[jythie]

The person is referring to the scoping rules in python not being like the scoping rules in C/Java/etc. It is only really a 'gotchya' if you have learned one set of rules and transition over to Python without learning it uses another one. But basically, in Python such a mistake can affect data that someone from a C/Java/etc background would consider out of scope but isn't.

This is the general problem with these 'unexpected behavior' type discussions, they make sense or not depending on what other languages the person is referring from and what hidden assumptions about behavior they have.

Re: Not the programming language

[jythie]

Yeah... with C, today you really only get the illusion of seeing what the assembly would look like on a toy processor from 30 years ago.

Re:Not the programming language

[Sique]

The idea that you disqualify as a coder if you code in certain languages.

I'll code in any language you throw at me if necessary. Sometimes, you have to do with the things at hand. Life is not a picnic.

Re: Not the programming language

[phantomfive]

The C# (or Java or JavaScript) programmer who doesn't understand memory management has memory leaks all over his (or her) code (or they are not writing anything substantial).

Re:Not the programming language

What you just described is shitty management but your conclusion was to blame the programmer...

Re:Not the programming language

[K.+S.+Kyosuke]

Arithmetic or relational operators, for example?

Re: Not the programming language

[jma05]

No they don't. This is a myth programmers tell themselves.
There are safe languages and there are unsafe languages.
Given same time, the performance of similar programmers (good or bad) will vary widely across them.
This is the entire point of programming language research.

A good programmer writing Haskell, Ada or Rust (languages that prioritize safety) code will invariably make fewer errors than he will in C (minimal safety features) - given same programming goals and time.

Re:Not the programming language

[DamnOregonian]

Are you one of the authors of Zenoss?
I love that Python script that takes 10 minutes to start on a $4000 machine.

Sorry, amigo.
C is still *the* language for focused functionality where performance or detailed control is important.

Re: Not the programming language

[phantomfive]

Assembly written by Bill Atkinson is better than (pick your language) written by a lousy programmer. I think you must not have looked at very much good code.

Re: Not the programming language

[jma05]

Why on earth would you compare an expert vs. beginner when comparing tools?

That's like saying, our car is just as safe as the rest, but only when driven by Grand Prix winners.

Do you understand comparison studies? You control for every other variable.
I specifically wrote: "the performance of *similar* programmers".
You compare Bill Atkinson like programmer performance using both safe and unsafe tools. *Separately*, you then compare mediocre programmers.
Also note that I also wrote "Given same time".

Re: Not the programming language

[SirSlud]

Anyone proficient in assembly and C can "see" the assembly that the C code will make, as they write the C code.

What a load of bullshit. Between multiple targets, compilers, and the dozens and dozens of flags and options which affect compiler output, anybody who knows what they're talking about will say never assume anything unless you look at the assembly yourself. This is why sites like https://godbolt.org/ exist. You have to be in an incredibly small, tightly controlled, limited scope environment to really know with certaintly what assembly you'll get out of C code. It's certainly not the attitude of anybody I would consider "proficient". Old, maybe.

Re:Not the programming language

[swillden]

However, part of it is modern coding in general. The last several "Agile" places I worked at were in permanent sprints, and the job of the developers is to get a feature that marketing already sold to the customer into the product.

Nothing about that situation is related to "modern coding" or "Agile"... that's just bad project management and bad business. It was extremely common when I first started doing software in the late 80s.

Re: Not the programming language

[lgw]

I agree with your point, but I don't think you could even get any real work done in C without understanding part of the memory management.

Oh, it's sadly very easy to get work done without worrying about frees to match your allocs. There's a whole discipline to that in C absent from any other modern language.

Re: Not the programming language

[lgw]

Anyone proficient in assembly and C can "see" the assembly that the C code will make, as they write the C code. This is not true in C++ or FORTRAN or the others.

That hasn't been true for optimized C code for over a decade now. The compiler will surprise you in amazing ways in order to eek a cycle out of out-of-order instruction processing. And C++ isn't particularly mysterious once you get the hang of it.

Re: Not the programming language

[bobmagicii]

in regards to the language being "secure" if more average devs can produce more safe results - isnt that more the libraries than the language? a print(string) is a print(string) everywhere from what i have seen.

Re:Not the programming language

[swillden]

In what language does writing "x = y" when you meant "y = x" not lose the value of x, which you intended to keep?

Everything *MUST* *BE* unit-tested for type-correctness

While I prefer static typechecking, I respect the Python view that everything must be tested for correctness anyway, and that static typechecking just lulls the programmer into thinking that less testing needs to be done than is really the case.

I will say that the worst, most opaque code I have ever encountered was written in Python, but I blame the programmer who wrote it, not the language for making it possible. Bizarre, incomprehensible, even misleading code is possible in any language, only the techniques differ.

(The code I mention created a set of pure interfaces, then instantiated them and called their methods... and they worked! There was machinery that intercepted the instantiations and chose appropriate concrete types. Essentially it was a particularly opaque dependency injection framework. Think Guice, if you're familiar with that, but with absolutely nothing in the code to indicate that dependency injection was happening.)

Re: Not the programming language

[dargaud]

If you divide by number of dogs, Dalmatians are the worst of all, before cocker spaniel... OT...

Re: Not the programming language

[TrekkieGod]

I agree with your point, but I don't think you could even get any real work done in C without understanding part of the memory management.

As somebody who specifically works with undergraduate students with a Java background, the first few C++ programs I get from (almost) every new intern while training them is full of "Foo* bar = new Foo();", without the accompanying deletes. The way that happens is pretty clear: they're used to instantiating instances with new, they get a compiler error that indicates they should have an asterix next to they type when they do that, so they add an asterix.

Granted, the process with C would be a bit different because malloc and free don't look like a keyword they're familiar with, but a lot of the same problems apply. Usually allocating memory in a function and returning the pointer which never gets freed. Sometimes they delete a pointer but keep references to it, and the test programs works perfectly ok because the process hasn't overwritten the memory marked for deletion by that point yet, etc.

I love C, but there's no denying that it is a lot easier to create vulnerabilities from ignorance in that language than in a garbage collected language with actual array objects that know their size instead of a head address in contiguously allocated memory, etc. Understanding that helps us train better programmers, because we can hammer that early on.

Re: Not the programming language

[TrekkieGod]

The C# (or Java or JavaScript) programmer who doesn't understand memory management has memory leaks all over his (or her) code (or they are not writing anything substantial).

True, but they'll have a lot less of those leaks. You have to admit that keeping references to objects you no longer need is less of a memory leak problem than forgetting to explicitly free and losing the reference.

Re: Not the programming language

[phantomfive]

Oh yeah? So when your C# server crashes because it ran out of RAM, you're going to say, "it's not as bad because.......Actually it's just as bad." C programs don't actually lose reference to the memory that was allocated, although your particular code might. There's no getting around the need to think of memory.

Re:Not the programming language

[dunkelfalke]

https://queue.acm.org/detail.c...

This explains it better than I ever could.

Re:Not the programming language

[CanadianMacFan]

Don't blame the contractors, blame the people aren't specific in what they want. I've seen plenty of times when users, clients, managers, etc ask a developer and/or contractor to make them something and use a couple of words thinking the other person knows their domain and needs exactly.

It's like I asked you to build me a chair for $1000. You could go all out and build a power reclining, leather clad chair with cup holders, heating and a whole bunch of other neat features. Or you could nail two shipping palettes a right angles and toss in a couple of cushions, call it a day knowing that you'll get paid the same amount, and look for some other work. Probably you'll do something in the middle.

Re: Not the programming language

[yo303]

Sure, it might be more optimized. But the processor is not going to go and do something unexpected like garbage collection or some object initialization.

There is a more direct mapping between C and its assembler output than in other languages.

Re: Not the programming language

[laffer1]

C++ now has garbage collection as an option.

In my view, if someone taught students a language that does garbage collection but didn't explain what that is, they failed the student. I've seen so many people claim that languages like Java don't "leak" memory. It's certainly possible to have a dangling reference that prevents garbage collection.

You don't get away from the memory management issue in other languages, it's just a bit easier in some cases.

I think students should be taught a language like C or C++ without GC early on so they learn about memory management properly. By understanding what happens under the hood, they can appreciate garbage collection rather than assume every language has it. There's also a performance hit in Java and depending on what type of GC you're using in Java, it can cause latency or lag in applications. I've seen a lot of senior level developers create a lot of redundant objects and then wonder why the memory footprint of their app is terrible and why it seems laggy.

This goes back to the problems with modern education in CS: Lack of knowledge of memory management, thread management and basic operating system theory. When everything is a black box, how will they be able to debug or tune their applications when the need arises? I'm tired of having to explain how Linux allocates RAM to processes or why their node.js app is failing to scale.

Not to mention even in Java or .NET, you need to get in a pattern of opening and closing resources. What happens when they try to use JDBC? Why aren't my connections returning to the pool... I think the malloc/free or new/delete less is useful in other contexts.

Re: Not the programming language

[laffer1]

Most languages require freeing connections to databases. Managing resources is still a relevant skill.

Re: Not the programming language

[spongman]

Bad languages make good code more expensive.

Re: Not the programming language

[spongman]

Britney Spears.

Popularity does not equal quality.

Re: Not the programming language

[spongman]

Maybe you should try teaching c++ without ânewâ(TM)?

Re:Not the programming language

[JustAnotherOldGuy]

It is only really the default configuration of older PHP versions that make it so much more practically insecure.

^^^^THIS

Yes, early versions of PHP were insanely insecure (automatic extraction and instantiation of ANY variables passed in via POST or GET, for example) plus a host of other stuff.

Still, it was easy to write secure code in PHP as long as you didn't so stupid things, which sadly, was setting the bar a little too high for most budding programmers (and not just PHP coders).

At the same time, PHP made it easy to do stupid things and that sure didn't help (see above).

Add to that the mountains of poorly-written insecure PHP code that was posted to every forum in the world....it was dutifully copied and spread widely. StackOverflow had more insecure code uploaded than you could shake a stick at (and still does).

In addition, the web 5 or 10 years ago wasn't nearly the maliciously-opportunistic place it is now.

Take bots, for example. Ten years ago bots were mostly unheard of and what they could do was very rudimentary. The bots now have long lists of vulnerabilities to look for as well all the other usual exploits that would screw up any public-facing code.

But these days every site gets hammered day and night with bots, and any code that doesn't screen incoming vars is grist for the mill.

Believe me, the problem isn't just PHP. The problem is bad programmers. Always has been, always will be.

Re:Not the programming language

[LostMyBeaver]

I wrote a kernel module not long ago... in C. I was extremely diligent to make the code as clean as possible and to make the memory and error management as perfect as possible. I even added as many checks as I could. I wrote massive amounts of unit and integration tests. I configured multiple static code analysis systems to keep the code as pristine as possible... you shouldn't even be able to look at the code without causing some warning to be generated.

Then we got to procfs which is a bleeding disaster.

No one ever keeps the documentation up to date on anything in the kernel. Someone will go and write a book on the topic and before the pages of the PDF have cooled down from the press, the entire API will have changed.

Then comes sk_buff... it has an API which is such a cludge that there should be laws against using Linux for networking in secure environments. It's absolutely impossible to create a network frame in the kernel since the documentation is 100 versions out of date, there are hundreds of documents trying to describe how it should work... they're all obsolete. Trying to find a support group that can help is like trying to find the answers to the mysteries of the universe. Everywhere you go, they'll point you somewhere else and then speculate that whoever they send you to will make you start over because they changed everything recently... again.

I genuinely believe it's impossible to use SK_BUFF without making memory leaks in the kernel at this time.

Let's talk about timer_setup and setup_timer.... there's nothing wrong with a name change, but there should be a macro of some type which would allow for testing which one to use. See, kernel modules are built using a kernel module make system. There's no autoconf.

It doesn't matter how good your C code is... it's the trust issue. If have a large C codebase... for example multiple millions of lines of OS code with thousands unmaintained kernel modules written by people who shouldn't be allowed to spell "C" in gentle company, you're going to have an unmanageable cludge.

Linus kicked ass when he made git. I think the world as a whole would burn without it today. But he should attack make files next and make it so that git and make are tightly integrated. Then all the kernel modules could be checked in as modules... and a CI/CD pipeline for the kernel and its modules could be established.

Re:Not the programming language

[muecksteiner]

Thanks a lot, that was a very intriguing read! I do have a contrarian viewpoint on this, though. Namely, I would contend that the structure of C as it is now does not represent "computing in the age of the PDP-11". And that it is therefore obsolete.

I'd rather argue that C is indeed still a highly useful low level language insofar as it maps fairly directly to an abstract machine of sorts. By the standards of today, this abstract machine is much simplified compared to actual hardware - but it is still a workable model of how computing works "on the metal". As a consequence, of this, the enduring appeal of C comes from the fact that this abstract machine (flat memory, in order execution, etc) hits a sweet spot between still being human comprehensible (!), while still being close enough to what actually goes on in hardware.

Try turning the argument in the article on its head: imagine a low-level language which actually exposes all the shenanigans that are going on in a modern CPU to the programmer. And then imagine the nightmare of making something like this portable between machines. There is a reason we still do not have really stable programming interfaces on GPUs: and GPUs are actually, in their own way, simpler than a modern CPU. At least if you want to fiddle with all the little things that are there in hardware.

Is C the end all of programming languages? No, of course not. Should the glaring defects the author mentions in that article be fixed? Also yes. But to the credit of C, it is not the dinosaur he makes it out to be. And it certainly does not shackle programmers to an obsolete hardware model. Rather, there was a point in time when the hardware more or less matched the abstract model C is using. But the fact that this is no longer the case does not mean C itself is useless: especially as taking C into the realm of directly mapping to the internals of modern processors would make it a lot less comprehensible to the average programmer - and also a lot less portable.

Re:Not the programming language

[gweihir]

Indeed. This only hits you if you incompetently assume the rules are the same as for some other language. Scope is one of the things anybody competent looks at when learning a new language.

Re:Not the programming language

[gweihir]

In what language does writing "x = y" when you meant "y = x" not lose the value of x, which you intended to keep?

Everything *MUST* *BE* unit-tested for type-correctness

While I prefer static typechecking, I respect the Python view that everything must be tested for correctness anyway, and that static typechecking just lulls the programmer into thinking that less testing needs to be done than is really the case.

I will say that the worst, most opaque code I have ever encountered was written in Python, but I blame the programmer who wrote it, not the language for making it possible. Bizarre, incomprehensible, even misleading code is possible in any language, only the techniques differ.

Static type-safety has its advantages and its disadvantages. For newbies it can be pretty helpful, but they often think this is something that is expected to be there. A huge disadvantage in most languages (except Eiffel) is that static type-safety usually enforces that child classes can always be used instead of their parent. That massively limits code-reuse and is not a good model in general. It just makes compiler-creation easier. In Eiffel, this is solved with a global translation scope. The compiler will, for example, accept children that have methods removed if these are never called when the child is used for the parent or the child is never used in place of the parent type. In Python, you have the same power, but you do it dynamically. That means type errors will be found at run-time only, but any reasonable test-coverage will find problems caused bu this and you need that test-coverage anyways. Also, if you use this feature with understanding and care, it will not drive debugging and testing efforts up at all.

It is a great way for the incompetent to mess things up though. Although the incompetent have no business writing production code anyways. In all tech fields (except coding, because it is too new), we require an engineering degree for full-custom design (which basically all coding is). In coding, we need to to the same. The driver in other tech is that the harm done and the cost increased from bad implementations just make it economically non-viable to do custom designs with less than an engineer. This is even more true in coding, but somehow the "managers" still think they can do this with cheaper people and get better value. This is _known_ to be untrue. Admittedly, other engineering disciplines needed reference catastrophes and quite a bit of time to get it and to establish these rules. Coding is not there yet, but there are huge financial advantages to be had by making sure all your coders really know what they are doing and know what their limits are. Requires planning a bit longer than just for the next quarter though, and that seems to be something the "managers" cannot manage either these days.

Re:Not the programming language

[gweihir]

Larry Wall has won the obfuscated C contest several times by now. Not an accident. You can write well readable code in Perl though, I have give Perl code to students for years and for them to modify and base their own work on and there never were any problems. Requires insight and discipline, just like any quality coding, really.

Re:Not the programming language

[dunkelfalke]

This is why low level languages don't make much sense anymore. Modern CPUs have too much intelligence and so do the compilers.

Re:Not the programming language

[muecksteiner]

Granted, but what exactly is the alternative? At the end of the day, computers are still about sequentially executing instructions which operate on data. that is being held in memory somewhere. So having some sort of model like that is certainly helpful when developing applications - of course notwithstanding that on a modern machine, the whole "sequential" thing has become rather fuzzy. But the basic model is still quite useful, as a baseline to start thinking on (so to speak).

Point in case, in the other direction: functional languages. Arguably, these go full monty in the direction of "screw thinking about the machine this will run on, let's talk functionality". With the end result that the average functional version of a given application can very well serve as screening test for Mensa membership (disclaimer: I can actually program functional languages, and am a Mensa member). Wickedly cool these things are, but maintainable... and accessible to the general public... well, maybe not so much. I'd argue that the good old "sequential lego building blocks of logic" approach which is typical of C or Pascal or any other dog standard old time language has passed the test of time precisely because of their comparative simplicity and maintainability.

Re:Not the programming language

[dunkelfalke]

Depends on the task and the skillset, I guess.
Functional languages for the really intelligent people, multiparadigm languages with a high enough abstraction level (C#, Java, whatever) code monkeys like me, script languages for the noobs and C++ with inline assembler for embedded and close to the metal stuff (that's actually still withhin the limits of the more skilled code monkeys), and let the compilers do the rest.

Also, I think you making a slight mistake putting Pascal and C into the same bucket. Pascal is, while able to do quite low level stuff (good old Turbo Pascal days, how I miss them), nevertheless a higher level language than C with more abstract structures, so, in a way, somewhat more modern (alas, very much dead).

Re:Not the programming language

[muecksteiner]

Also, I think you making a slight mistake putting Pascal and C into the same bucket. Pascal is, while able to do quite low level stuff (good old Turbo Pascal days, how I miss them), nevertheless a higher level language than C with more abstract structures, so, in a way, somewhat more modern (alas, very much dead).

I also have very fond memories of Turbo Pascal: back in the day, I liked it a lot better than C. But preferences do change over time, and whatever Borland did to Turbo Pascal in the longer run probably deserves to be rated "R".

Re:Not the programming language

[doconnor]

In Pascal assignments are done with x:=y where the side with the ":" is always the distention. "=" is used to test equality and reversing the order works exactly the same.

Re: Not the programming language

[lgw]

Except macros.

And, well, you might be surprised. Memcpy, for example, used to be a very elaborate function, handling word alignment, page alignment, and so so for maximum performance. Now in most compiler libraries it's back to the obvious 1 line of code. Why? Because now everywhere the compiler detects that your copying memory around, it generates the full implementation of memcpy, or a slimmer version if it knows alignment boundaries at compile time.

Also, why would object initialization be unexpected?

Re:Not the programming language

[Cmdln+Daco]

You can 'escape' out of the MS-DOS environment by typing 'call command call' at the command prompt. It dumps you out into a completely empty environment, where you can set things up however you wish. Then if you wish to get back, you can simply 'exit' at the command prompt and you're back to the original environment.

The correct answer, btw, is that a file path ALWAYS needs quotes, because you're dealing with an unsafe kludge.

Easy way to rank

[LynnwoodRooster]

The more flexible the language, the more ways you can screw up and allow a security hole.

Re:Easy way to rank

Therefore the solution is to build a programming language so brittle and soul-suckingly rigid that there's no room to write anything different than the approved code.

Re:Easy way to rank

Let me tell you about Rust...

Re:Easy way to rank

[hcs_$reboot]

In this case Perl should be in the top 3.

Re:Easy way to rank

[hcs_$reboot]

Or a language that doesn't allow uncontrolled system access. That's probably why Javascript does not top the list here.

Re:Easy way to rank

First, he has to sign the 732 page ethics and Code of Conduct agreement...

Re:Easy way to rank

Oh, he's going to attend the Arisia Science Fiction and Fantasy Convention?

Let's just say that their very lengthy and "oh-so-sensitive" code of conduct turned out not to be worth the electrons it's displayed on your Facebook page with. The harsh lesson was that the longer the code of conduct, the likelier is rape by their highest level staff. The rule applies among projects and companies everywhere, and I've never seen an exception in the long run.

Re:Easy way to rank

[Pinky's+Brain]

That's a good way of putting it.

Secure languages are definitely not nice languages for the programmers ... they want freedom (pointers) and convenience (type inference) but giving it to them runs counter to security.

Re:Easy way to rank

[Freischutz]

The more flexible the language, the more ways you can screw up and allow a security hole.

Case in point: PERL.

Re: Easy way to rank

[Hognoxious]

Females don't need to sign it; nothing they do is wrong.

Re: Easy way to rank

[jbmartin6]

So what exactly was the masculine prefix?

Re: Easy way to rank

> So what exactly was the masculine prefix?

"Wer-" like in "werewolf."

Re: Easy way to rank

[DamnOregonian]

Any man who made it out of their parents' basement and got a girlfriend learned this long ago.

Re:Easy way to rank

[DamnOregonian]

but giving it to them runs counter to security.

Wrong. It runs counter to safety.
But sometimes you need to get on a plane without going through a soviet checkpoint at your airport.

Re: Easy way to rank

[lgw]

The original English gender-specific words for adults were "wer" and "wif", with "man" being neutral. Over the centuries, "wifman" became "woman". "Wer" was mostly dropped, as men are unimportant - if there's a woman, someone will say so. "Wer" persists only in "were-wolf" and "were-guild", while "wif" of course persists as "wife".

Re: Easy way to rank

[jbmartin6]

Interesting. Were- apparently also persists in the etymology of "world".

Re:Easy way to rank

[Pinky's+Brain]

Sometimes not wearing your seatbelt in an accident really does save you.

Sometimes getting that vaccination really does kill you.

Kinda silly conclusion.

[thoth_amon]

Language design unquestionably makes certain programming errors more difficult or even impossible. This is not mere tilting at windmills: many of the classes of errors that are removed are extremely important and damaging ones. Other language features can force programmers to think through their designs more and/or make their code more clear and expressive. Some language designs can even limit and constrain the possible logic errors that a program can commit.

Obviously, naturally, a better programmer will write more secure programs, in any language. But that's not a very interesting question. The interesting question is whether two equally skilled, equally disciplined programmers will write equally secure programs when one of them is allowed by the language to do anything, and the other has many guardrails in place to prevent errors.

Re:Kinda silly conclusion.

[gweihir]

No. You cannot force people to think. The avoidance of thinking is one of the most refined skills in the human race. No tools can help here. This false belief is at the root of the current mess, were more and more effort is poured into languages with no real effect. Of course, the motivation behind this is to avoid addressing the continued management failure in both hiring cheap, incompetent coders and in making tech decisions.

Re:Kinda silly conclusion.

[theweatherelectric]

Maybe try reading it. I know reading is hard for you but do try.

Re:Kinda silly conclusion.

[gweihir]

Show me an actual, scientifically sound study first that backs your claim. Because your reference does not do that. Instead if regurgitates the ages-old fallacy that because specific vulnerabilities are removed from the possible things you can code, the same coders will write better code. That is not the case and nobody has ever been able to prove otherwise.

Re:Kinda silly conclusion.

[theweatherelectric]

So you can't demonstrate anything to support your claim. You've had every chance and every opportunity and yet you show nothing. Your claims are plainly baseless and a waste of everyone's time.

Re:Kinda silly conclusion.

[gweihir]

Indeed. Nice to see that there are people that can think here. Even if you are an AC.

Re:Kinda silly conclusion.

[theweatherelectric]

There is not inversion of proof, invalid or otherwise. You've failed to back your claim that "no tools help" or that these mythical perfect programmers will solve all the world's software security problems. Show me evidence to back your claims. If you cannot, then what use are you?

Re:Kinda silly conclusion.

[angel'o'sphere]

Bottom line you learn coding by coding a lot. Making mistakes realizing it, reflecting about it and improving yourself.

You can not simply "teach" how not to make mistakes. Sure, you can teach concepts, problem cases, defensive strategies, tests etc. But bottom line the only way to learn is to make mistakes and learn from them.

Re:Kinda silly conclusion.

[gweihir]

I am no use to idiots, and ipso facto no use to you. A fact I can live with very well.

Re:Kinda silly conclusion.

[theweatherelectric]

Junk effort, kid. Try harder.

Re:Kinda silly conclusion.

[swillden]

No. You cannot force people to think.

You're trying to substitute a different premise to tilt the argument in your favor. That sort of underhanded argumentation is obnoxious and you should avoid such assholery if you want to be taken seriously.

This false belief is at the root of the current mess, were more and more effort is poured into languages with no real effect

Except there has been a real effect. Modern, typesafe, bounds-checked programming languages and well-designed libraries cause demonstrably fewer security vulnerabilities to be written, and the vulnerabilities to be less severe. This is because these languages inherently make whole classes of vulnerabilities impossible. Comparing, say, Java and C, there is no vulnerability you could write in Java that you can't write in C, but there are large classes of vulnerabilities -- including the most critical remote code execution vulns -- that you cannot write in Java. This comes at a cost... there are also classes of programs you cannot write in Java but can write in C, and Java programs tend to be much larger and consume much more memory.

This means that while Java programmers still have to think about security, there are many kinds of potential security mistakes that they do not have to think about. This is positive progress.

I do crypto, and bad crypto APIs (like those provided by Java) are huge source of vulnerabilities. Better, simpler APIs like Tink or libsodium make a big difference, and programmers write far better code when they use them. This doesn't eliminate the need for programmers to understand cryptography, but it does eliminate the need for them to be crypto experts. Perhaps the best thing ever to happen in this space is TLS. There are still plenty of things to screw up, but if you need private, authenticated network connections, there is almost never a better answer than "Use TLS, and follow these rules to configure it correctly", except, maybe "Use TLS and use <library> to configure it" (e.g. Use OkHttp on Android).

Or are you seriously going to try to tell me that a Good Programmer should be able to design and implement secure crypto code from scratch, and that if they'll just think they'll do fine? If you believe this, please, please, never write any code that implements or uses any form of cryptography.

AMD64 assembly

[reanjr]

The vast majority of security vulnerabilities in the wild are running AMD64 assembly. It's by far the least secure programming language.

Re:AMD64 assembly

[gweihir]

The vast majority of security vulnerabilities in the wild are running AMD64 assembly. It's by far the least secure programming language.

Especially if run on the inferior "Intel" implementation.
 

Re: AMD64 assembly

[reanjr]

Whoever modded my comment "troll" must be a fucking moron who doesn't know the first thing about PC hardware. I can't imagine what sort of misguided thinking led to that reaction other than complete ignorance of what AMD64 is.

Re: AMD64 assembly

[reanjr]

You don't know what AMD64 is either, I suppose?

Approach, rather than language

[middlefeng]

Around 99% of vulnerability happens in parsing (general speaking, including string handling). If you make decision to take Lua as the format and take Lua parser as parser, done. Almost zero vulnerability.

Modules

[Antique+Geekmeister]

I'd list all of the public and semi-public repositories that publish modules for automatic installation and update. These include pip, ant, maven, gradle, CPAN, and gems. The Java repositories used by ant, maven, and gradle tend to have unknown binaries and unknown provenance, with no reliable way to evactly recreate the published jar files. Ruby gems have a similar issue. CPAN and pip rely on upstream source code for local deployment or compilation but are also very vulnerable to their default download of the most recent version of any module, which may or may not interact badly with other obsolete or updated modules. It's why many operating systems publish packaged binaries, and it's why the "compile as needed" operating systems cannot be stable and _cannot_ be thoroughly secured.

Re:Modules

[scdeimos]

Don't forget npmjs. npmjs comes with the added bonus that a ranting author can delete all versions of all of their modules thus breaking previously working installations.

Re:Modules

[Antique+Geekmeister]

Wouldn't that merely break new deployments of those modules? I'd not expect it to break already deployed systems.

Re:Modules

[scdeimos]

Not when it comes to build servers. npm ci deletes the node_modules folder and downloads all the packages again from scratch. You need to turn off npm ci build step and commit hundreds of megabytes (or more) of node modules to your VCS to ensure reliable builds.

Re:Modules

[angel'o'sphere]

The Java repositories used by ant, maven, and gradle tend to have unknown binaries and unknown provenance, with no reliable way to evactly recreate the published jar files.
That is nonsense.
First of all the source code comes from a source code control system, secondly if you use maven/gradle then the jar repository usually always contains a code.jar and a source.jar (and the 'make file' to make one from the other).

Re:Modules

[Antique+Geekmeister]

Jar files are binaries.

Many public jar file repositories have undefined, or ill-defined links to a source control system or a build system that make the code nearly impossible to reliably rebuild. I've run into this repeatedly.

Re:Modules

[angel'o'sphere]

*jar files are *zip files.
And a maven repository usually holds the sources.'zip' and the classes.'zip' aka jar files.

If run into problems as one for help who has more clue than you. While maven is a pain in the ass, not being able to build a code-jar-file from the sources is not one of its problems.

Re:Modules

[Antique+Geekmeister]

> First of all the source code comes from a source code control system,

Not necessarily. I've met many Java developers who publish their content from their personal laptops, and whom I've educated in using source control and build environments. There is no requirement for the use of any source control in any of of ant, maven, or gradle. I'm afraid that what you've described is a source control based workflow exerted from outside the build tools. It's a very helpful approach for many reasons, but it's missing from many public and especially private jar file repositories.

> *jar files are *zip files.

And zip files are binaries. I would agree that they are not _executables_ or libraries per se. But being binaries, and being a module in which other binaries are embedded, makes reviewing or comparing their contents much more awkward. They also tend to be full of other binaries, such as ".class" files. Being a zip file does not help the underlying source control or build environment problem.

Learn to

[AHuxley]

Ada.

This is nonsense

[gweihir]

First, usage is not evenly distributed. Second, some things you can only do in one language. And third, there are different groups of coders for each language. Take C coders, for example. If you use established Linux kernel core coders, you get completely different numbers compared to using newbie kernel driver coders.

And then you have that vulnerability is not the same as vulnerability. Simple counting metrics are basically always fundamentally flawed and give you a completely unrealistic picture. If both an easily usable remote vulnerability with privilege escalation is counted the same as a very hard to exploit local vulnerability that just allows you read access to some not very critical data, then the result is utterly meaningless. You also get situations were what is one vulnerability in one language counts as several in another, for example because it is a combined vulnerability in a library in one and separate simpler components in another.

Hence statistics like this one do a lot of harm by confusing the issue and help not one bit to actually see a fragment of reality. They abstracted too much away. It is like, for example, they judge whether people are good or bad according to their beer brewing skills. You will find good beer brewers that were mass-murderers, and ones that were saints. The results of such an evaluation is completely meaningless.

Re:This is nonsense

[gweihir]

Read my .sig

Re:This is nonsense

[imidan]

If both an easily usable remote vulnerability with privilege escalation is counted the same as a very hard to exploit local vulnerability...

I knowingly created a vulnerability in a single sign-on system that I implemented. I did it for expediency. But when I did, I spoke with my boss about it first, and then we all talked about it at a staff meeting to try to determine ways that it could be exploited. The two we came up with involved a bad actor who already had unrestricted physical access to a logged-in user's machine, or a bad actor who had reality-defying luck at guessing a UUID within a 24-hour period. In either case, the attacker couldn't gain access beyond the user they impersonated. It was decided that even though a vulnerability existed, successful exploitation was unlikely.

The point being, as you say, not all vulnerabilities are made equal. If you can determine the risk of exploitation, the value of the system being protected, and the cost of recovery from a bad action, and accept all of that, then maybe the cost of eliminating the vulnerability is greater than the expected cost of dealing with an exploit.

Re:This is nonsense

[gweihir]

As soon as you documented this very carefully and very hard to miss in the code and in the written documentation, I have absolutely no problem with this approach. Competent risk management is not about perfection, it is about balancing cost and risk-costs and avoiding catastrophe-level events.

Re:This is nonsense

[theweatherelectric]

If you use established Linux kernel core coders, you get completely different numbers compared to using newbie kernel driver coders.

Do you? Is that why the top 6 products with the most vulnerabilities in 2018 were all Linux products? Is that why the Linux kernel had the second highest number of vulnerabilities in 2017?

C coders don't seem to be that great at security.

Re:This is nonsense

[gweihir]

You seem to be functionally illiterate. Because what you criticize is very clearly not what I said. I did, in fact, not make any claim as to Linux security vs. other products. But that seems to have completely escaped you. Which is hilarious, because you even quote the line that you were unable to comprehend.

Re:This is nonsense

[theweatherelectric]

Don't cry just because C has let you down. Recognize Cs failings and move on to a better language.

Re:This is nonsense

[gweihir]

You continue to be clueless. I did not claim C was a good or bad language either. I just used it to explain a deep flaw in the comparison made.

Re:This is nonsense

[theweatherelectric]

Nope, I just occupy the real world as opposed to being siloed in the deluded fantasy you wish the world to be. Where are these mythical programmers that will finally write secure programs in C? Why have they done such a terrible job so far? When will they improve? When will they deliver? When will you deliver anything to back your claims?

It's time to put up or shut up, kid.

Re:This is nonsense

[Trailer+Trash]

Do you? Is that why the top 6 products with the most vulnerabilities in 2018 were all Linux products? Is that why the Linux kernel had the second highest number of vulnerabilities in 2017?

You're conflating two different concepts. We have no way of knowing what piece of code has the highest number of vulnerabilities. To find that out, we would have to freeze all development and then scour all existing code using some standardized methodology.

What you're talking about here is that the Linux kernel had the second highest number of vulnerabilities that were discovered. BIG difference.

The Linux kernel is open source and is by far the most widely used operating system in the world. Vulnerabilities in Linux are golden tickets, so people are looking for them all the time. Having a simple aggregate list like that is also of limited value because it doesn't tell you the nature of the exploit.

https://www.csoonline.com/arti...

Why, looky there. Ask yourself a question: How bad is this?

See, before Cisco fessed up, few people knew about this. It wouldn't have shown up on your list there. But something like this almost certainly trumps 20 regular vulnerabilities. It's nearly impossible to put something like this into open source software.

Re:This is nonsense

[gweihir]

None of which I was talking about. You are not only functionally illiterate, you are an idiot. Non-idiots can recognize context, you cannot.

Re:This is nonsense

[DamnOregonian]

I have a CVE in the NVD.
It targets a piece of the linux kernel that was modified by Google for Android.
I used it for a while to push through some unlocking exploits for Android phones with read-only eMMC ships.
The thing is- the problem isn't language specific at all, and not even Rust would have saved them. It was entirely procedural.
I suspect the distribution closely follows "extant lines of code"

Re:This is nonsense

[theweatherelectric]

Both.

Re:the problem is engineering competency relative

[gweihir]

Very true. Also, a bad C coder will just create other vulnerabilities in Java, for example. The problem is with coders that a) have no clue how to do it and b) do not know their limits or are forced to not respect them by stupid management. It comes all down to the coder, not the language. A bad coder will produce insecure code in any language, there is _no_ way to avoid that even if many bad coders continue to believe in the existence of the One True Language (TM) that will finally make them good coders. This quasi-religious belief is built on a futile hope and hot air used by vendors and interest groups to keep it alive.

So, let me state again: There is no silver bullet. Good, secure, reliable and maintainable code is only produced by good, experienced and talented coders. These coders are rare, expensive and expect to be treated well. Not having them and trying to do it on the cheap will always be a lot more expensive in the longer run and is a severe management failure. As in any engineering project, in coding, the architects, designers and coders are the most important people, the managers merely serve to deal with management obstacles. They have zero business making tech decisions and if they do that they sabotage the success chances and result quality of the overall project.

We, as the human race, generally have this figured out in engineering, with some notable exceptions, e.g. the current mass-murder committed by Boeing management, the Brazilian dam certified to be secure by TÜV Süd, Fuckupshima, etc. But in software engineering, management is not just incompetent (as usual), it is outright demented and completely disconnected from reality. That has to change.

Assembler

[aglider]

You forgot assembler.

Re:Assembler

[hcs_$reboot]

Assembler is not in the list because it is usually only needed when no other choice is possible.

Article not worth reading

Complete failure to even attempt to normalize bug counts so they can be evaluated on common terms makes TFA not worth reading.

proper statistics

[Tom]

tops the list because it's the oldest language with "the highest volume of written code"

It would've been easy to break numbers down by lines of code, wouldn't it?

Likewise by the year the code was written and whether or not it is currently being maintained (say, did the repository get an update within the past 3 months?).

Re:proper statistics

[dwpro]

Bug/loc would just boost the rankings of languages with extra boilerplate.

Re:proper statistics

[Tom]

There are a couple LOC counters that ignore comments and don't count lines with only opening or closing paranthesis etc. etc. - it's not like this is the first time the issue appears.

Re:proper statistics

[angel'o'sphere]

Actually there is no good reason not to count comments.
Just because they are not compiled to code is not a good reason.

/**
* param input - an unsigned integer used to compute the square from
*/
long fac(long input) { // .... bla
}

The error is in the comment, why is it not treated similar as line of code?
I however agree that long comment headers containing the commit log of the last 15 years are not necessarily code/LOCs :D

don't count lines with only opening or closing paranthesis
Same misconception.

// corner case, many code conventions forbid this
if (somethingIsTrue())
        doSomething(); // case #1
if (somethingElseIsTrue())
{
      doSomethingElse();
} // case #2
if (somethingIsFreakedUp()) {
    fixItIfYouCan(); }

Case #1 and #2 should be treated as the same amount of LOC. Basically you count paras, braces, comma and semicolon and ignore new lines (unless inside of comments). That of course is only true for languages like C where meaningful lines are terminated by a ; and/or a }

Of course that means that a function call like this:

      myCall(1, 2, "string");

will be counted just like this:

      myCall
      (
      1,
      2,
      "string")
      ;

Which is 5 lines, because you have 5 places where you can make an error, well, you could skip the paras perhaps and only count comma and semicolon. As the paras are required syntax, but then you don't count the function name as a LOC. Hm, I think we used to either not count the closing or opening para, not sure.

The point is:
1) func(); - that is one line
2) anotherFunc(param); - that is two lines // does not fit into my definition above, yes
3) moreFuncs(paramOne, paramTwo); - that is three lines // function name can be wrong, param one can be wrong, param two can be wrong

Re:proper statistics

[dwpro]

There are a couple LOC counters that ignore comments and don't count lines with only opening or closing paranthesis etc. etc. - it's not like this is the first time the issue appears.

That seems like a more complicated problem than you are alluding to with "etc. etc." For an extremely simple example, how would you justify the 10x difference in bugs/loc when comparing Foxpro vs Eiffel if you managed to muck up a line on both doing "hello world"? Which of the lines in Eiffel would count? https://excelwithbusiness.com/...

Re:proper statistics

[Tom]

You are absolutely right that some languages are more verbose by their very nature.

Still, we have better ways than just counting lines.

Re:proper statistics

[lgw]

LOC has always been a garbage metric for any purpose. Even worse when comparing programming languages. What matters is the number of bugs per problem solved. The fact that one language takes twice as many LOC to solve the problem than another is not relevent.

Re:Kinda silly conclusion.- CRAP

The issue is the what level does a language allow you to write at?

C is Assembler - hence the whole machin eis open to you, period GET IT??? It is way real programmers do not allow beginners and children to writing C.

On the other end - Business Languages Cobol and RPG. Heavy typed and run on procesors that are data aware. Just try to stick any non-numberic in numeric field. They is not stack. Oh you can create security issues by bad designs by using SQL enhenced query, Cobol not at fault, but SQL is, not to meantion studpid coder, cause SQL injection issues.

Re:the problem is engineering competency relative

[theweatherelectric]

its not hard to write secure c

And yet 70 percent of all security bugs are memory safety issues.

If only there was some kind of language which was designed to reduce memory safety bugs.

Re: Hebrew

This shit is really depressingly stupid. You might actually accomplish your goal of getting me to stop coming to slashdot entirely.

Re: "Shanghai" Bill is a known liar many times ove

[DutchMasterKiller]

Did you just walk into the wrong room?

Re:Seven most popular

[dwpro]

Nor the report. I'm curious as well.

Since they are not listed...

[LordHighExecutioner]

...but neverthless have a very large volume of written code, from TFA we can conclude that COBOL and FORTRAN are the safest language to use.

Re:Since they are not listed...

[Cro+Magnon]

Well, I didn't get too many pointer errors when I was writing in COBOL.

Re:Since they are not listed...

[neurojab]

...but neverthless have a very large volume of written code, from TFA we can conclude that COBOL and FORTRAN are the safest language to use.

I'm sure you're joking, but for those that don't get it: COBOL and FORTRAN do have a large base of running code, but are rarely/never used to write a web or even network aware applications. You can pull the network cable from a Windows 95 box, put it in a bank vault, and it will be reasonably secure, after all.

Re:Kinda silly conclusion.- CRAP

[yo303]

So, I am reading that you haven't done any embedded programming since they invented C. You can do most of than in C, and use the inline assembler where necessary.

C lets you write assembler more easily.

Look at Defect Density

[ytene]

The OP includes the disclaimer that the C++ programming language "tops the list" because it has been in use for the longest and therefore includes the most lines of sample code from which to draw a conclusion...

But a better measure would be defect density , or the number of vulnerabilities found per thousand executable lines of code. An even better measure would then take that data and factor it using an independent vulnerability severity assessment, such as CVSS2.0 (for example).

Even this approach will leave us with concerns. The results could be massively skewed, for example, if the C++ dataset comprised deeply complex code, whilst the PHP sample (for example) were largely comprised of trivial read-only presentation formatting statements. In order to attempt to make such analysis comparable, it would be necessary to compare equivalent functions written in different languages. In this context, by "function", I am referring to code objects that deliver either identical or similar functionality, such as input validation.

Unfortunately, the variables don't end there... The OP suggests that code was drawn from a variety of sources, including GitHub, public issues trackers and public development projects... Even the most cursory glance at GitHub projects will easily demonstrate the huge variance in ability of project contributors. This means that it is entirely conceivable for the test results to be distorted by nothing other than the relative ability of contributing programmers.

This is a really nice idea and we should encourage more and better attempts at helping us to understand what it takes to write defect-free code. However, I'm not entirely convinced that this analysis considers all pertinent factors and therefore am not likely to be completely persuaded by the results.

I would also like to better understand the impact of things like good project discipline on the outcome of this analysis. For example, what are the differences between a project which has really strict internal rules for things like variable, object and function naming? How about something as innocuous as code formatting - things like indentation, line wrapping and so on? What about the toolset and platform? The IDE used? The project discipline with regard to code re-use? All of these are "tells" - indicators as to the sort of defect density we should expect. They will not be uniform across randomly sampled software projects.

In my experience [maybe 10 years developing in a 30-year career] I would say that adherence to these sorts of "programming disciplines" is actually [much] more important than the language you use. Unless you pick a turkey of a language, you should be choosing it because it's philosophy and structure, it's approach to solving problems, most closely aligns to what you are trying to achieve.

And as a mentor once told me: "Just remember, the fastest, leanest, most efficient and compact piece of code can be replaced by something which is 5% slower, takes up 5% more memory and is 5% less efficient - but which is easy to understand, debug and maintain."

Quite possibly one of the most useful pieces of advice I've ever received...

Re:Look at Defect Density

[shanen]

Hard to find your comment until I figured out the right search terms. Not surprised to see it didn't get the moderation it deserved.

The topic is quite badly worded. There was a hint that the code base should be considered, and your metric of defect density is important, and you mentioned some of the other factors that can be considered, too. I was actually looking for something about size of the language itself, as well as the expressive power. Should also consider the significance of the defects that are created.

All in all, the story and the discussion (with a few exceptions like your [ytene's] comment) met my expectations for today's Slashdot. Sadly low expectations.

Re:Look at Defect Density

[bluefoxlucid]

Correct. In simpler terms: we need to measure the frequency of vulnerabilities per volume of code written by similarly-experienced programmers; the difficulty in teaching people to avoid those vulnerabilities; the ease in which lazy programming can create vulnerabilities; the scope of an exploit; and the stability of executing an exploit.

C#, for example, seems to be less vulnerable than Java for...some reason. I don't know why. Java seems to have failures that it shouldn't have, and C# should only be better for language specification reasons such as better-implementing interfaces and classes, or having better-documented conventions. They should both technically be equal. Someone should explore this and explain it so we can perhaps improve JVMs and CLRs based on this knowledge.

Just remember, the fastest, leanest, most efficient and compact piece of code can be replaced by something which is 5% slower, takes up 5% more memory and is 5% less efficient - but which is easy to understand, debug and maintain.

Your mentor was wrong. All of those things you do to squeeze out a bit more performance don't actually work and your code just ends up ugly and slow. Performance comes from your algorithms, and major memory savings come from using better algorithms.

Consider the B-Tree and the Radix tree. When encoding common-prefix strings, you want the Radix tree. Why? Because a B-Tree of strings will encode "/lib" pointing to "/lib/modules" pointing to "/lib/modules/4.5.1" and "/lib/modules/4.5.2" etc. Another type of trie will encode "/" -> "l" -> "i" -> "b" and so forth. The Radix tree will encode "/lib", then "modules/" and "lib", with the first pointing to a prefix of its subtrees and the second pointing to things like "c" or "g" or "ymc.so".

The very structure of the Radix tree eliminates a lot of duplicate data in memory and reduces the comparisons made. Tweaking and optimizing the Radix tree doesn't make such a gain, and your CPU and compiler will probably reach the same output code anyway. The Judy array is faster, but also much-more-complex to implement--and again is a different data structure with a different algorithm.

Various algorithms have various complexities; but when it comes to implementation, your implementation doesn't matter. The compiler will probably achieve the same SSA tree and then optimize the same output.

Re:Look at Defect Density

[lgw]

The OP includes the disclaimer that the C++ programming language "tops the list" because it has been in use for the longest and therefore includes the most lines of sample code from which to draw a conclusion...

You've confused C and C++. C was 47%. C++ was 5%. It's almost as if they aren't the same language.

Re:Your help will be much appreciated !

[Tom]

Yes, much easier to fuck up in C.

But sometimes you need the no-training-wheels approach from C. The last time I've used it was for a simulation which would have taken at least 4 times the memory using Java or C++. When you're using 80% of your available memory, 4x isn't possible.

*Face palm*

[p4nther2004]

So...we're measuring a language's security by the applications that were written in it?

Anyone else have an issue with this?
I call BS. You can NOT measure the language's security via the applications written it in. You MIGHT be able to gauge a languages popularity given the number of applications written for it (I do). You MIGHT be able to determine the effectiveness of a language *IF* you take the number of applications with vulnerabilities and divide that by the total number of applications written in that language.

Re:*Face palm*

[PPH]

But the PP has a good point. I've written a number of client apps using Java. Which doesn't rank too highly. But I don't care. Because these apps don't go onto the Internet. You will never run one or look at the source code. And odds are against you sneaking an exploit in on a USB drive. Because there's a guy with an M-16 guarding the door where they are kept.

Yeah, that's a pretty extreme example. But there are a lot of apps out there that don't have hooks built in for adware and some marketing department.

Re: Hebrew

[umghhh]

indeed. The problem is - wherever you go, you either have moderating policies that are going direction censorship or you get idiocy like this or if unlucky you get both. Slash has a relatively well done moderating system. the idiocy I have not seen until your post made me unravel it to me - it has a proper score of -1. I go there only if I am moderating.

wrong question

[sad_]

i like the conclusion, all languages are good security wise, it just depends on how you use them.
the questions actually should have been: which programmers use the most secure coding practises.

Re:wrong question

[squiggleslash]

The report then concludes that "the Winner Of Most Secure Programming Language is...no one and everyone...!

I don't. It's the fucking Robert Mueller answer. "Gee, after being made to write this I guess the answer is... I dunno!"

Some languages are less secure than others. Saying "Ah, but the programmer..." misses the point that the part that makes one language more secure than another is their ability to manage the programmer and ensure it's harder for them to make mistakes that would create vulnerabilities.

C and PHP deserve to be condemned on that basis.

Re:wrong question

[TVmisGuided]

TBH, the Robert Mueller answer was run through a filter of arguable value before its summary was released. But then, it appears that TFA was also run through a filter, with the same result: the reader is left with more questions than answers. (See also: multiple disclaimers regarding methodology in TFA.)

Dropping political arguments, the core issue is how software is produced. Any programming or scripting language can be used to write unsafe and insecure code. All that's needed is sloppy design. How many developers are actually being taught how to design software, instead of just being taught the semantics of a given language? That's the crux of the issue.

Re:wrong question

[jma05]

> all languages are good security wise, it just depends on how you use them.

No they are not.
C is the worst high-level language security-wise because it does not even try - by design.
Several classes of expensive and disastrous errors that routinely occur in C even when experienced programmers are coding, simply don't happen in most other languages, especially languages built for safety like Ada, Eiffel, Haskell and Rust.

Re:wrong question

[lgw]

It's the fucking Robert Mueller answer.

His answer was very clear. No US person conspired with Russia. Full stop. The deep state coup failed. Now it's time for the consequences for the traitors who attempted this coup.

"You come at the king, you best not miss." - Omar

Re:wrong question

[packrat0x]

C is the worst high-level language security-wise

If you're using C as a high-level language, you're using it wrong.
It's portable assembly--two small steps above machine code.

Re:wrong question

[jma05]

You can tell that to MOST of C programmers.

And I agree with you in a sense. Most of C code should not have been written in C, but some other safer language.
Only a tiny amount of C code, code that absolutely needs to run close to metal should actually be written in it.
But the reality is that it is used as a general-purpose high-level language, which was a bad idea for quite a bit of time.

Re:wrong question

[jma05]

C is simple. It had little in terms of productivity or safety built in. That made it difficult to build "enormously sophisticated" programs with. The costs were high after the programs became larger. The use of C for Internet facing programs was a disaster. No one in their right mind would use C for web apps. Even JS, with its framework fad, is still better than C. Just commit to one framework ecosystem. Don't fall for The Paradox of Choice. Leave the latest ones for hobbyists.

C++ was created to mitigate some of the issues with C. It added some safety and productivity, but it was not enough. It stagnated for a long time, the C legacy held it back and its evolution was not managed as well as it should have. But as much as I dislike C++, I would still use a subset of it, if that was the only alternative to C. Fortunately, plenty of languages are far better alternatives to C++ for most things (most software can absorb a small performance penalty for safety and productivity).

OOP is fine. Like everything, don't overdo it.

The only reason C is not dethroned is because of dinosaurs and legacy reasons, not technical reasons. If you use basic Rust constructs, it generates the exact same machine code as C would, while providing you with much better safety and productivity than C++. C programmers won't switch because an average C programmer can't break habits. The next generation may slowly bypass C (the alternative may or may not be Rust, it is easy to get started with pointers, pushing problems downstream with an illusion of safety. But Rust borrow checker makes that upfront and is hard to grok - Go, Java or C++ are not C replacements).

A reasonable intermediate alternative is to use C code generators like Nim and Crystal. But they are band-aids.

The relationship between programmers and languages should not be in terms of loyalty in personal relationships. Languages are just tools. If programmers are incapable of solving their own problems with better tools, what legitimacy do they have in proposing to build tools for other people's problems?

So just a big advertisement on Slashdot?

[OneOfMany07]

So basically you say the numbers you're quoting are meaningless... So why quote them? Or build them in the first place?

To compare a more vulnerable language from another I'd look for vulnerabilities per lines of live code. Not perfect, but it feels closer to useful.

And perhaps number and severity of vulnerabilities per project for the same types of purpose. Web framework for web framework, etc. To highlight purpose differences and good preventative design practices.

Even better would be hours to find and fix too. But probably hard to measure, and assign time like that for open source projects.

Re:Kinda silly conclusion.- CRAP

[hcs_$reboot]

+1

ISO/IEC WG23 Programming Language Vulnerabilities

[stevel]

For some years now, an ISO/IEC working group, WG23, has been compiling lists of programming language vulnerabilities, both for specific languages and generically. The documents list for the WG is a bit of a mess, with the main link to the current draft getting a 404, but you can find links to sections on individual languages there. Some language committees are actively participating in WG23, but the C++ committee, I am told by another member, refuses to do so.

Everyone's a winner!

[phik]

...and loser. Sounds about right

Vulnerability is a feature

[freshlimesoda]

at least for some.. so what the problem?

PHP4

[Sarusa]

PHP4 was the only programming language I can remember that was so insecure there was an industrywide push (GoPHP5) to get everyone off it and onto PHP5. Even if you were a good programmer the thing was full of holes, because it was just Rasmus's little hypertext preprocessor that had gotten totally out of control.

Though *technically* it wasn't the language itself, just the interpreter - like ActionScript isn't the problem, it's the Flash player.

Re:the problem is engineering competency relative

[swillden]

There is no silver bullet

Duh. You're the only one I see here claiming there is.

The claim is just that some bullets are a little safer that others, which is absolutely true.

Good, secure, reliable and maintainable code is only produced by good, experienced and talented coders.

So you're saying there is a silver bullet: Good, experienced and talented coders. Except, you know what? That bullet is also silver-plated at best. Electroplated, even. Good, experienced and talented coders also write insecure code. They write less of it, certainly, but they're not perfect.

You know what works the best? A layered strategy:

1. Top-notch programmers
2. A security-focused development culture
3. A focus on architectural defense in depth, so one vulnerability by itself isn't enough.
4. A focus on security by design.
5. Good secure implementation choices -- which includes picking languages and tools that make insecure implementation harder.
6. Thorough design reviews, by other top-notch programmers
7. Thorough code reviews, by other top-notch programmers
8. Third-party security testing, however accomplished (contracting with security firms, open source + bug bounties, etc.)
9. Fast patching of identified vulnerabilities (because even after doing all of the above, you're still going to have vulnerabilities).

There is no silver bullet, true. Which is why all of the above are required -- and they still aren't really enough. Hiring rare, expensive programmers is not sufficient. And it's not actually necessary (though it's crucial to have access to at least some of them), and that's good because rare, expensive programmers are not scalable.

Re: the problem is engineering competency relative

[dargaud]

Also, since you can compile C with a C++ compiler, you should have MORE potential security holes in C++ than in C...

Useless comparison

[JoePete]

Consider this: PHP relies on an interpreter, written in C. Does that mean every PHP vulnerability is in fact a C one? This is just another post that seems to mix the apples and oranges of differing languages, assuming them to be equal.

Re:Your help will be much appreciated !

[Tom]

No. With a good compiler, C has minimal memory overhead and doing a complex simulation in assembler isn't high on my wish list.

Re: Hebrew

[Obfiscator]

I browse continuously at -1. I rarely find reasonable and intelligent posts there which go against cliches. And I see plenty of both cliche and non-cliche posts at higher levels. I do not doubt that some anti-cliche posts do get buried, but I also would need more evidence to believe that it happens on a wide scale.

Of course, I generally read stories a day or two late, when people are no longer moderating or commenting. Maybe comments that go against the cliches are buried quickly and then unburied by the time I make it to them.