Which Programming Language Has The Most Security Vulnerabilities?

A new report from the open source security company WhiteSource asks the question, "Is one programming language more secure than the rest?"

An anonymous reader quotes TechRepublic: To answer this question, the report compiled information from WhiteSource's database, which aggregates information on open source vulnerabilities from sources including the National Vulnerability Database, security advisories, GitHub issue trackers, and popular open source projects issue trackers. Researchers focused in on open source security vulnerabilities in the seven most widely-used languages of the past 10 years to learn which are most secure, and which vulnerability types are most common in each...

The most common vulnerabilities across most of these languages are Cross-SiteScripting (XSS); Input Validation; Permissions, Privileges, and Access Control; and Information Leak / Disclosure, according to the report.
Across the seven most widely-used programming languages, here's how the vulnerabilities were distributed:

• C (47%)
• PHP (17%)
• Java (11%)
• JavaScript (10%)
• Python (5%)
• C++ (5%)
• Ruby (4%)

But the results are full of disclaimers -- for example, that C tops the list because it's the oldest language with "the highest volume of written code" and "is also one of the languages behind major infrastructure like Open SSL and the Linux kernel."

The report also notes a "substantial rise" across all languages for known open source security vulnerabilities over the last two years, attributing this to more awareness about vulnerable components -- thanks to more research, automated security tools, and "the growing investment in bug bounty programs" -- as well as the increasing popularity of open source software. And it also reports a drop in the percentage of critical vulnerabilities for most languages -- except JavaScript and PHP.

The report then concludes that "the Winner Of Most Secure Programming Language is...no one and everyone...! It is not about the language itself that makes it any more or less secure, but how you use it. If you are mitigating your vulnerabilities throughout the software development lifecycle with the proper management approach, then you are far more likely to stay secure."

Coincidentally, WhiteSource sells software which monitors open source components throughout the software development lifecycle to provide alerts about security (and licensing) issues.

Not the programming language

[hcs_$reboot]

but the programmer that uses it.

Re:Not the programming language

[hcs_$reboot]

But to be fair. some languages are more prone to security holes (like PHP, especially the older versions).

Re: Not the programming language

[hcs_$reboot]

You can juge a programmer by the code they provide, whatever the language.

Re:Not the programming language

[Narcocide]

It is only really the default configuration of older PHP versions that make it so much more practically insecure. In reality, JavaScript should be higher up on this list, because some of it's innate behaviors are so badly designed they cause vulnerabilities that can't be mitigated in any way other than simply not using it.

Re:Not the programming language

[gweihir]

But to be fair. some languages are more prone to security holes (like PHP, especially the older versions).

No. The only thing PHP does is to make it easier for bad coders to create really simple to exploit vulnerabilities. Anybody competent will write code just as secure. It may take them longer because PHP is a really, really bad design that no good coders would use given a choice. (If you think different, then you are not a good coder. Sorry. It is completely clear and you are deluding yourself. PHP ignore fundamental principles of good engineering in many places.)

Re:Not the programming language

[hcs_$reboot]

Of course the programmer creates security holes by how they use the language. But in PHP (more the case in older versions) some "features" gives a sense of security while they actually don't. 'addslashes()' vs 'mysql_real_escape_...' for instance ; 'strpos' that returns 'false' if not found (instead of -1) so in a 'if' the programmer might misses a position at 0... Local functions are actually not local... etc... etc... All of that is Ok when you're used to the language, but they're just counter-intuitive traps that even a good programmer may fall into at the beginning.

Re:Not the programming language

[ShanghaiBill]

PHP has more than a dozen different ways to connect to a database. PHP has a long history of glomming on new APIs, but never deprecating the old, even when shockingly insecure. This is especially bad for PHP because most of PHP's user base are low IQ Wordpress extension hackers who are not qualified to be making security decisions on their own.

Re:Not the programming language

[gweihir]

I agree. PHP has traps by surprising behavior. One of the corner-stones of secure coding is the Principle of Least Surprise and PHP violates it repeatedly. Still a good coder will find these and just not trust the language anymore and be extra careful. This makes coding slow and not fun and expensive, but it can be done. An average or worse coder (the majority of them) will just fall in the traps and create insecure code. However, an average or worse coder will still screw up more than acceptable in a well-designed language.

Re: Not the programming language

[phantomfive]

Good programmers write good code in every language. A bad programmer writes bad code in all of them.

Re:Not the programming language

[Sique]

If you think that a good coder has to avoid certain languages, I have news to you: Ed Post (1982) begs to differ.

[,,,] the determined Real Programmer can write FORTRAN programs in any language.

Ironically, this is an article why Real Programmers avoid Pascal.

Re:Not the programming language

[gweihir]

Python is not nearly in the same class here.

Re:Not the programming language

[AmiMoJo]

The same is true of C programmers though, far too many of them don't understand the language and just hack stuff together to fulfil the contractual obligations and then disappear.

Contract work is a particular problems. There was a study recently, sorry I lost the link, where they put out contracts for a basic login page. Most of the developers didn't bother storing the password securely at first, then when asked managed to botch doing it. Contract work encourages minimum effort and throwing unsuitable libraries at problems, and often the person checking for completion doesn't understand the security issues.

Re:Not the programming language

[gweihir]

I have done stuff in both and I do not agree in the least. PHP is a dangerous mess. You need to understand its specific defects to code safely in it. Python is pretty well-designed but _not_ a language for beginners in OO concepts, functional coding, etc. It requires experience with the general concepts used, but not with the specific implementation in Python. As such, it does not violate the principle of least surprise.

Re: Not the programming language

[angel'o'sphere]

This is not true in C++ or FORTRAN or the others.
Yes, it is.
On the other hand, modern compilers make so much behind the scene that you *on modern hardware* hardly can say what is going on without actually looking at the assembly code. (Register renaming, operation reordering, parallel speculative execution etc.)

Re:Not the programming language

Care to explain?

Not a python programmer, but in any language I know, writing "x=y" instead of "y=x" results in silent data loss. The wrong variable is overwritten, loosing the data we wanted to copy into the other variable. And there is nothing the language/compiler/interpreter can do about that - either statement is valid, the compiler can't know we made a mistake unless one of the variables are read-only. Which usually isn't the case. And the language does not have a AI strong enough to guess what we wanted. If it had, it could write the program without us.

C, C++, assembly, pascal, scripting languages - they all fall for this. Garbage code in, garbage results out. Object orientation and read-only variables sometimes offer a little protection, but there is no help when both variables are local and writeable. Warnings about "assigning a value that never get used" catches a few of these, but often enough the value has been used so this trick cannot be relied on. (And the logic is too weak and won't catch it anyway if we're overwriting "x[i]" instead of just "x".)

Re: Not the programming language

[drewsup]

Its like the what dogs bite the most people scenario, yes Labradors are way up on the list, but only because theres so many of them compared to other breeds.

Re:Not the programming language

[ctilsie242]

I would say that everyone is right here. C, it is easy to make mistakes which cannot happen in Java or Python, like not watching where pointers are going, array out of bounds issues, and other stuff.

However, part of it is modern coding in general. The last several "Agile" places I worked at were in permanent sprints, and the job of the developers is to get a feature that marketing already sold to the customer into the product. It doesn't matter if it doesn't work, or is horrifically insecure. It is about making those deliverables in time. When one was made, marketing had two more waiting to be done, so it never ceased.

In most places, one can easily wind up having their job outsourced/offshored if they don't make deliverables. On the other hand, something horrifically insecure that causes every customer to have a backdoor to the world, the developer is insulated from that, through many layers of corporate bureaucracy, so even if there are lawsuits, the developer would likely feel no consequences.

tl;dr, blame the programmer, not the tools. However, some languages require more thought to program safely/securely than others.

Re: Not the programming language

[Drethon]

Good programmers write good code in every language. A bad programmer writes bad code in all of them.

Good programmers may not write good code in a language they don't understand yet. A great C# programmer could easily end up writing code with major memory holes in C because they don't understand the differences in memory management. A great Java programmer could end up making utter trash with sql because of the different ways of thinking about the languages.

Re:Not the programming language

[jellomizer]

Also to note what the programming language is used for.
If I am tasked to program an "Enterprise" Class application I will be using C,Java,C++ (And Javascript if there is a web front end) because these are the languages the big Execs expect to be codded in, There is still a wide hiring base for expansion, Other "Enterprise" Applications are codded in these languages, and these languages have support from many big players. Despite the fact that I normally shutter when I hear "Enterprise" class, because it is normally the worst pile code I normally see, because it has been handed off a dozen times to different programmers, without any firm architectural leadership to it (Which leads to the programmer who uses it security flaws), these applications are often very predominate on the network, and used by a lot of people, include parts that are facing on the internet. Which in short makes them naturally more vulnerable. You 10 line bash shell script may have flaws, but the fact it is just running in a cron job in a controlled environment, may mean such a flaw is not discovered.

Then we have languages such as PHP, Python, Ruby (And Javascript if there is a web front end). These are the get it done quick languages, so there there is little QA review. These are the languages where there is an itch that needs to be scratched and fixed quickly. This means there is less time architectting a good solution, so there is normally some funky code going on. These for the most part are lower in the list, because they have a smaller usage foot print, and often their exposure is also limited so may be on the DMZ, or just internal to the intranet.

Languages which were not on the list, are mostly designed for mostly client side programming, Sure you can use ASP.NET+C# to make server side stuff. But for the most part unless you are a strict Microsoft Shop you will use something else.

Re: Not the programming language

[laffer1]

I agree with your point, but I don't think you could even get any real work done in C without understanding part of the memory management. In the case of your SQL example, that's more likely to have massive performance problems than a security vulnerability.

I don't think you need experts, but you do need people who are willing to look at best practices documents when working in a new language. That are books on writing secure C and Java code as well as various papers and sites with content. There's also projects like OWASP. Even if you don't know how to prevent SQL injection in say Java, you should be able to know what to google to find out because you're familiar with that class of vulnerability in your favorite language.

Re:Not the programming language

[deKernel]

I really hope you are joking that an assignment operation can cause a loss of data because if you are, please close your editor, walk away from your computer and look for a new profession because you should NOT be writing code.

Re:Not the programming language

[coofercat]

I wonder then, if you took a random group of programmers, and gave them all a fixed amount of time to produce some sort of output in different languages, how many of them would (a) finish in time and (b) produce a secure output.

My point is, much like yours, that some languages make it easy to be reasonably secure, others make it quite hard. Any language can produce secure code, but given it's somewhere on the easy/hard spectrum, which one is the quickest to produce a secure output? Additionally, which one produces reasonably secure outputs when programmed by a reasonably competent programmer?

Ultimately - and not answered by TFA - a language is "the most secure" if ordinary programmers can use it without making security mistakes. If it either takes an age to finesse to good quality, or requires none but super-geniuses to program, then it's essentially "insecure". Unlike TFA, it has nothing to do with "number of lines of code written versus number of bugs".

Re:Not the programming language

[gweihir]

Scope in Python is complex. However, it is absolutely nothing that will surprise anybody competent. Because if you have a variable twice, with different scope, anybody competent will read up how scope works before. Also, "accidentally" reversing an assignment is a code bug and nobody with the least bit of understanding would ever blame the language for the effects.

Re:Not the programming language

[jythie]

The person is referring to the scoping rules in python not being like the scoping rules in C/Java/etc. It is only really a 'gotchya' if you have learned one set of rules and transition over to Python without learning it uses another one. But basically, in Python such a mistake can affect data that someone from a C/Java/etc background would consider out of scope but isn't.

This is the general problem with these 'unexpected behavior' type discussions, they make sense or not depending on what other languages the person is referring from and what hidden assumptions about behavior they have.

Re: Not the programming language

[jythie]

Yeah... with C, today you really only get the illusion of seeing what the assembly would look like on a toy processor from 30 years ago.

Re:Not the programming language

[Sique]

The idea that you disqualify as a coder if you code in certain languages.

I'll code in any language you throw at me if necessary. Sometimes, you have to do with the things at hand. Life is not a picnic.

Re:Not the programming language

What you just described is shitty management but your conclusion was to blame the programmer...

Re: Not the programming language

[jma05]

No they don't. This is a myth programmers tell themselves.
There are safe languages and there are unsafe languages.
Given same time, the performance of similar programmers (good or bad) will vary widely across them.
This is the entire point of programming language research.

A good programmer writing Haskell, Ada or Rust (languages that prioritize safety) code will invariably make fewer errors than he will in C (minimal safety features) - given same programming goals and time.

Re: Not the programming language

[jma05]

Why on earth would you compare an expert vs. beginner when comparing tools?

That's like saying, our car is just as safe as the rest, but only when driven by Grand Prix winners.

Do you understand comparison studies? You control for every other variable.
I specifically wrote: "the performance of *similar* programmers".
You compare Bill Atkinson like programmer performance using both safe and unsafe tools. *Separately*, you then compare mediocre programmers.
Also note that I also wrote "Given same time".

Re: Not the programming language

[SirSlud]

Anyone proficient in assembly and C can "see" the assembly that the C code will make, as they write the C code.

What a load of bullshit. Between multiple targets, compilers, and the dozens and dozens of flags and options which affect compiler output, anybody who knows what they're talking about will say never assume anything unless you look at the assembly yourself. This is why sites like https://godbolt.org/ exist. You have to be in an incredibly small, tightly controlled, limited scope environment to really know with certaintly what assembly you'll get out of C code. It's certainly not the attitude of anybody I would consider "proficient". Old, maybe.

Re: Not the programming language

[lgw]

Anyone proficient in assembly and C can "see" the assembly that the C code will make, as they write the C code. This is not true in C++ or FORTRAN or the others.

That hasn't been true for optimized C code for over a decade now. The compiler will surprise you in amazing ways in order to eek a cycle out of out-of-order instruction processing. And C++ isn't particularly mysterious once you get the hang of it.

Re:Not the programming language

[swillden]

In what language does writing "x = y" when you meant "y = x" not lose the value of x, which you intended to keep?

Everything *MUST* *BE* unit-tested for type-correctness

While I prefer static typechecking, I respect the Python view that everything must be tested for correctness anyway, and that static typechecking just lulls the programmer into thinking that less testing needs to be done than is really the case.

I will say that the worst, most opaque code I have ever encountered was written in Python, but I blame the programmer who wrote it, not the language for making it possible. Bizarre, incomprehensible, even misleading code is possible in any language, only the techniques differ.

(The code I mention created a set of pure interfaces, then instantiated them and called their methods... and they worked! There was machinery that intercepted the instantiations and chose appropriate concrete types. Essentially it was a particularly opaque dependency injection framework. Think Guice, if you're familiar with that, but with absolutely nothing in the code to indicate that dependency injection was happening.)

Re: Not the programming language

[TrekkieGod]

I agree with your point, but I don't think you could even get any real work done in C without understanding part of the memory management.

As somebody who specifically works with undergraduate students with a Java background, the first few C++ programs I get from (almost) every new intern while training them is full of "Foo* bar = new Foo();", without the accompanying deletes. The way that happens is pretty clear: they're used to instantiating instances with new, they get a compiler error that indicates they should have an asterix next to they type when they do that, so they add an asterix.

Granted, the process with C would be a bit different because malloc and free don't look like a keyword they're familiar with, but a lot of the same problems apply. Usually allocating memory in a function and returning the pointer which never gets freed. Sometimes they delete a pointer but keep references to it, and the test programs works perfectly ok because the process hasn't overwritten the memory marked for deletion by that point yet, etc.

I love C, but there's no denying that it is a lot easier to create vulnerabilities from ignorance in that language than in a garbage collected language with actual array objects that know their size instead of a head address in contiguously allocated memory, etc. Understanding that helps us train better programmers, because we can hammer that early on.

Re:Not the programming language

[dunkelfalke]

https://queue.acm.org/detail.c...

This explains it better than I ever could.

Re:Not the programming language

[LostMyBeaver]

I wrote a kernel module not long ago... in C. I was extremely diligent to make the code as clean as possible and to make the memory and error management as perfect as possible. I even added as many checks as I could. I wrote massive amounts of unit and integration tests. I configured multiple static code analysis systems to keep the code as pristine as possible... you shouldn't even be able to look at the code without causing some warning to be generated.

Then we got to procfs which is a bleeding disaster.

No one ever keeps the documentation up to date on anything in the kernel. Someone will go and write a book on the topic and before the pages of the PDF have cooled down from the press, the entire API will have changed.

Then comes sk_buff... it has an API which is such a cludge that there should be laws against using Linux for networking in secure environments. It's absolutely impossible to create a network frame in the kernel since the documentation is 100 versions out of date, there are hundreds of documents trying to describe how it should work... they're all obsolete. Trying to find a support group that can help is like trying to find the answers to the mysteries of the universe. Everywhere you go, they'll point you somewhere else and then speculate that whoever they send you to will make you start over because they changed everything recently... again.

I genuinely believe it's impossible to use SK_BUFF without making memory leaks in the kernel at this time.

Let's talk about timer_setup and setup_timer.... there's nothing wrong with a name change, but there should be a macro of some type which would allow for testing which one to use. See, kernel modules are built using a kernel module make system. There's no autoconf.

It doesn't matter how good your C code is... it's the trust issue. If have a large C codebase... for example multiple millions of lines of OS code with thousands unmaintained kernel modules written by people who shouldn't be allowed to spell "C" in gentle company, you're going to have an unmanageable cludge.

Linus kicked ass when he made git. I think the world as a whole would burn without it today. But he should attack make files next and make it so that git and make are tightly integrated. Then all the kernel modules could be checked in as modules... and a CI/CD pipeline for the kernel and its modules could be established.

Easy way to rank

[LynnwoodRooster]

The more flexible the language, the more ways you can screw up and allow a security hole.

Re:Easy way to rank

First, he has to sign the 732 page ethics and Code of Conduct agreement...

Kinda silly conclusion.

[thoth_amon]

Language design unquestionably makes certain programming errors more difficult or even impossible. This is not mere tilting at windmills: many of the classes of errors that are removed are extremely important and damaging ones. Other language features can force programmers to think through their designs more and/or make their code more clear and expressive. Some language designs can even limit and constrain the possible logic errors that a program can commit.

Obviously, naturally, a better programmer will write more secure programs, in any language. But that's not a very interesting question. The interesting question is whether two equally skilled, equally disciplined programmers will write equally secure programs when one of them is allowed by the language to do anything, and the other has many guardrails in place to prevent errors.

AMD64 assembly

[reanjr]

The vast majority of security vulnerabilities in the wild are running AMD64 assembly. It's by far the least secure programming language.

Re:AMD64 assembly

[gweihir]

The vast majority of security vulnerabilities in the wild are running AMD64 assembly. It's by far the least secure programming language.

Especially if run on the inferior "Intel" implementation.
 

Approach, rather than language

[middlefeng]

Around 99% of vulnerability happens in parsing (general speaking, including string handling). If you make decision to take Lua as the format and take Lua parser as parser, done. Almost zero vulnerability.

Modules

[Antique+Geekmeister]

I'd list all of the public and semi-public repositories that publish modules for automatic installation and update. These include pip, ant, maven, gradle, CPAN, and gems. The Java repositories used by ant, maven, and gradle tend to have unknown binaries and unknown provenance, with no reliable way to evactly recreate the published jar files. Ruby gems have a similar issue. CPAN and pip rely on upstream source code for local deployment or compilation but are also very vulnerable to their default download of the most recent version of any module, which may or may not interact badly with other obsolete or updated modules. It's why many operating systems publish packaged binaries, and it's why the "compile as needed" operating systems cannot be stable and _cannot_ be thoroughly secured.

This is nonsense

[gweihir]

First, usage is not evenly distributed. Second, some things you can only do in one language. And third, there are different groups of coders for each language. Take C coders, for example. If you use established Linux kernel core coders, you get completely different numbers compared to using newbie kernel driver coders.

And then you have that vulnerability is not the same as vulnerability. Simple counting metrics are basically always fundamentally flawed and give you a completely unrealistic picture. If both an easily usable remote vulnerability with privilege escalation is counted the same as a very hard to exploit local vulnerability that just allows you read access to some not very critical data, then the result is utterly meaningless. You also get situations were what is one vulnerability in one language counts as several in another, for example because it is a combined vulnerability in a library in one and separate simpler components in another.

Hence statistics like this one do a lot of harm by confusing the issue and help not one bit to actually see a fragment of reality. They abstracted too much away. It is like, for example, they judge whether people are good or bad according to their beer brewing skills. You will find good beer brewers that were mass-murderers, and ones that were saints. The results of such an evaluation is completely meaningless.

Re:This is nonsense

[imidan]

If both an easily usable remote vulnerability with privilege escalation is counted the same as a very hard to exploit local vulnerability...

I knowingly created a vulnerability in a single sign-on system that I implemented. I did it for expediency. But when I did, I spoke with my boss about it first, and then we all talked about it at a staff meeting to try to determine ways that it could be exploited. The two we came up with involved a bad actor who already had unrestricted physical access to a logged-in user's machine, or a bad actor who had reality-defying luck at guessing a UUID within a 24-hour period. In either case, the attacker couldn't gain access beyond the user they impersonated. It was decided that even though a vulnerability existed, successful exploitation was unlikely.

The point being, as you say, not all vulnerabilities are made equal. If you can determine the risk of exploitation, the value of the system being protected, and the cost of recovery from a bad action, and accept all of that, then maybe the cost of eliminating the vulnerability is greater than the expected cost of dealing with an exploit.

Re:This is nonsense

[Trailer+Trash]

Do you? Is that why the top 6 products with the most vulnerabilities in 2018 were all Linux products? Is that why the Linux kernel had the second highest number of vulnerabilities in 2017?

You're conflating two different concepts. We have no way of knowing what piece of code has the highest number of vulnerabilities. To find that out, we would have to freeze all development and then scour all existing code using some standardized methodology.

What you're talking about here is that the Linux kernel had the second highest number of vulnerabilities that were discovered. BIG difference.

The Linux kernel is open source and is by far the most widely used operating system in the world. Vulnerabilities in Linux are golden tickets, so people are looking for them all the time. Having a simple aggregate list like that is also of limited value because it doesn't tell you the nature of the exploit.

https://www.csoonline.com/arti...

Why, looky there. Ask yourself a question: How bad is this?

See, before Cisco fessed up, few people knew about this. It wouldn't have shown up on your list there. But something like this almost certainly trumps 20 regular vulnerabilities. It's nearly impossible to put something like this into open source software.

Re:the problem is engineering competency relative

[gweihir]

Very true. Also, a bad C coder will just create other vulnerabilities in Java, for example. The problem is with coders that a) have no clue how to do it and b) do not know their limits or are forced to not respect them by stupid management. It comes all down to the coder, not the language. A bad coder will produce insecure code in any language, there is _no_ way to avoid that even if many bad coders continue to believe in the existence of the One True Language (TM) that will finally make them good coders. This quasi-religious belief is built on a futile hope and hot air used by vendors and interest groups to keep it alive.

So, let me state again: There is no silver bullet. Good, secure, reliable and maintainable code is only produced by good, experienced and talented coders. These coders are rare, expensive and expect to be treated well. Not having them and trying to do it on the cheap will always be a lot more expensive in the longer run and is a severe management failure. As in any engineering project, in coding, the architects, designers and coders are the most important people, the managers merely serve to deal with management obstacles. They have zero business making tech decisions and if they do that they sabotage the success chances and result quality of the overall project.

We, as the human race, generally have this figured out in engineering, with some notable exceptions, e.g. the current mass-murder committed by Boeing management, the Brazilian dam certified to be secure by TÜV Süd, Fuckupshima, etc. But in software engineering, management is not just incompetent (as usual), it is outright demented and completely disconnected from reality. That has to change.

Re:the problem is engineering competency relative

[theweatherelectric]

its not hard to write secure c

And yet 70 percent of all security bugs are memory safety issues.

If only there was some kind of language which was designed to reduce memory safety bugs.

Re: Hebrew

This shit is really depressingly stupid. You might actually accomplish your goal of getting me to stop coming to slashdot entirely.

Since they are not listed...

[LordHighExecutioner]

...but neverthless have a very large volume of written code, from TFA we can conclude that COBOL and FORTRAN are the safest language to use.

Look at Defect Density

[ytene]

The OP includes the disclaimer that the C++ programming language "tops the list" because it has been in use for the longest and therefore includes the most lines of sample code from which to draw a conclusion...

But a better measure would be defect density , or the number of vulnerabilities found per thousand executable lines of code. An even better measure would then take that data and factor it using an independent vulnerability severity assessment, such as CVSS2.0 (for example).

Even this approach will leave us with concerns. The results could be massively skewed, for example, if the C++ dataset comprised deeply complex code, whilst the PHP sample (for example) were largely comprised of trivial read-only presentation formatting statements. In order to attempt to make such analysis comparable, it would be necessary to compare equivalent functions written in different languages. In this context, by "function", I am referring to code objects that deliver either identical or similar functionality, such as input validation.

Unfortunately, the variables don't end there... The OP suggests that code was drawn from a variety of sources, including GitHub, public issues trackers and public development projects... Even the most cursory glance at GitHub projects will easily demonstrate the huge variance in ability of project contributors. This means that it is entirely conceivable for the test results to be distorted by nothing other than the relative ability of contributing programmers.

This is a really nice idea and we should encourage more and better attempts at helping us to understand what it takes to write defect-free code. However, I'm not entirely convinced that this analysis considers all pertinent factors and therefore am not likely to be completely persuaded by the results.

I would also like to better understand the impact of things like good project discipline on the outcome of this analysis. For example, what are the differences between a project which has really strict internal rules for things like variable, object and function naming? How about something as innocuous as code formatting - things like indentation, line wrapping and so on? What about the toolset and platform? The IDE used? The project discipline with regard to code re-use? All of these are "tells" - indicators as to the sort of defect density we should expect. They will not be uniform across randomly sampled software projects.

In my experience [maybe 10 years developing in a 30-year career] I would say that adherence to these sorts of "programming disciplines" is actually [much] more important than the language you use. Unless you pick a turkey of a language, you should be choosing it because it's philosophy and structure, it's approach to solving problems, most closely aligns to what you are trying to achieve.

And as a mentor once told me: "Just remember, the fastest, leanest, most efficient and compact piece of code can be replaced by something which is 5% slower, takes up 5% more memory and is 5% less efficient - but which is easy to understand, debug and maintain."

Quite possibly one of the most useful pieces of advice I've ever received...

Re:Look at Defect Density

[bluefoxlucid]

Correct. In simpler terms: we need to measure the frequency of vulnerabilities per volume of code written by similarly-experienced programmers; the difficulty in teaching people to avoid those vulnerabilities; the ease in which lazy programming can create vulnerabilities; the scope of an exploit; and the stability of executing an exploit.

C#, for example, seems to be less vulnerable than Java for...some reason. I don't know why. Java seems to have failures that it shouldn't have, and C# should only be better for language specification reasons such as better-implementing interfaces and classes, or having better-documented conventions. They should both technically be equal. Someone should explore this and explain it so we can perhaps improve JVMs and CLRs based on this knowledge.

Just remember, the fastest, leanest, most efficient and compact piece of code can be replaced by something which is 5% slower, takes up 5% more memory and is 5% less efficient - but which is easy to understand, debug and maintain.

Your mentor was wrong. All of those things you do to squeeze out a bit more performance don't actually work and your code just ends up ugly and slow. Performance comes from your algorithms, and major memory savings come from using better algorithms.

Consider the B-Tree and the Radix tree. When encoding common-prefix strings, you want the Radix tree. Why? Because a B-Tree of strings will encode "/lib" pointing to "/lib/modules" pointing to "/lib/modules/4.5.1" and "/lib/modules/4.5.2" etc. Another type of trie will encode "/" -> "l" -> "i" -> "b" and so forth. The Radix tree will encode "/lib", then "modules/" and "lib", with the first pointing to a prefix of its subtrees and the second pointing to things like "c" or "g" or "ymc.so".

The very structure of the Radix tree eliminates a lot of duplicate data in memory and reduces the comparisons made. Tweaking and optimizing the Radix tree doesn't make such a gain, and your CPU and compiler will probably reach the same output code anyway. The Judy array is faster, but also much-more-complex to implement--and again is a different data structure with a different algorithm.

Various algorithms have various complexities; but when it comes to implementation, your implementation doesn't matter. The compiler will probably achieve the same SSA tree and then optimize the same output.

Re:Look at Defect Density

[lgw]

The OP includes the disclaimer that the C++ programming language "tops the list" because it has been in use for the longest and therefore includes the most lines of sample code from which to draw a conclusion...

You've confused C and C++. C was 47%. C++ was 5%. It's almost as if they aren't the same language.

Re:the problem is engineering competency relative

[swillden]

There is no silver bullet

Duh. You're the only one I see here claiming there is.

The claim is just that some bullets are a little safer that others, which is absolutely true.

Good, secure, reliable and maintainable code is only produced by good, experienced and talented coders.

So you're saying there is a silver bullet: Good, experienced and talented coders. Except, you know what? That bullet is also silver-plated at best. Electroplated, even. Good, experienced and talented coders also write insecure code. They write less of it, certainly, but they're not perfect.

You know what works the best? A layered strategy:

1. Top-notch programmers
2. A security-focused development culture
3. A focus on architectural defense in depth, so one vulnerability by itself isn't enough.
4. A focus on security by design.
5. Good secure implementation choices -- which includes picking languages and tools that make insecure implementation harder.
6. Thorough design reviews, by other top-notch programmers
7. Thorough code reviews, by other top-notch programmers
8. Third-party security testing, however accomplished (contracting with security firms, open source + bug bounties, etc.)
9. Fast patching of identified vulnerabilities (because even after doing all of the above, you're still going to have vulnerabilities).

There is no silver bullet, true. Which is why all of the above are required -- and they still aren't really enough. Hiring rare, expensive programmers is not sufficient. And it's not actually necessary (though it's crucial to have access to at least some of them), and that's good because rare, expensive programmers are not scalable.