The design, structure and syntax of a programming language can lead the average programmer into a minefield of unsuspected programming errors. Those errors lead to vulnerabilities.
But which languages are the most and least secure in the end?
To answer this question, the report compiled information from WhiteSource’s database, which aggregates information on open source vulnerabilities from sources including the National Vulnerability Database (NVD), security advisories, GitHub issue trackers, and the issue trackers of popular open source projects.
This TechRepublic article presents the list.
Check It Out: The Least Secure Programming Languages
It’s important to remember in 2019 that virtually all hardware has largely unfixable security flaws, usually due to side channels and to optimizations that prioritized performance over security and reliability. Computer systems are giant houses of cards waiting to collapse.
What this means in practice is that if you ever share resources (for example, running on shared infrastructure in the cloud, or loading untrusted JavaScript code into a browser) you are potentially vulnerable.
Here’s the list:
1. C (47%)
2. PHP (17%)
3. Java (11%)
4. JavaScript (10%)
5. Python (5%)
6. C++ (5%)
7. Ruby (4%)
I’m not surprised that C is at the top. It’s embarrassing that we haven’t switched to memory safe compilation for software where security is more important than performance. At least Firefox is slowly switching to Rust, which is a step in the right direction.
Of course the other languages are memory-safe except for C++. PHP is interesting – if I recall correctly it doesn’t have as good modularity as Python or Ruby; and many of these languages are used for CGI scripting, which is notorious for making it easy to introduce security bugs.
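The point about C sitting at the top of the list comes down to one property: the language itself never checks that a write fits in its destination. The following added example (mine, not from the TechRepublic article or the WhiteSource report) shows the classic unchecked copy beside a version that rejects input that does not fit. The `user_record` type, the `NAME_MAX` limit and the function names are hypothetical; the inputs in `main` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* hypothetical fixed-size field, including the NUL */

/* Hypothetical record type used only for this example. The flag is
 * placed directly after the name buffer to make the consequence of an
 * overrun concrete: bytes written past `name` land in `is_admin`. */
struct user_record {
    char name[NAME_MAX];
    int  is_admin;
};

/* The classic C pattern: nothing in the language checks that `src` fits
 * in `rec->name`. Calling this with a string of NAME_MAX or more bytes is
 * undefined behaviour and silently corrupts whatever follows the buffer.
 * It is here only to show the pattern; do not call it with untrusted input. */
static void set_name_unchecked(struct user_record *rec, const char *src)
{
    strcpy(rec->name, src);
}

/* Hardened version: look for the terminator within the first NAME_MAX
 * bytes only (C11 guarantees memchr stops at the first match, so it never
 * scans past a shorter string). If no terminator is found, the input is
 * too long and is rejected outright rather than truncated or overflowed.
 * Returns 0 on success, -1 if the input was rejected. */
static int set_name_checked(struct user_record *rec, const char *src)
{
    const char *nul = memchr(src, '\0', NAME_MAX);
    if (nul == NULL)
        return -1;                       /* no room for the NUL terminator */
    size_t len = (size_t)(nul - src);
    memcpy(rec->name, src, len + 1);     /* copy including the terminator */
    return 0;
}

/* Invariant check: the name is still NUL-terminated inside its buffer and
 * the neighbouring flag has not been touched. */
static int record_intact(const struct user_record *rec)
{
    return rec->is_admin == 0
        && memchr(rec->name, '\0', NAME_MAX) != NULL;
}

int main(void)
{
    struct user_record rec;
    memset(&rec, 0, sizeof rec);

    /* Constructed inputs: one that fits, one that does not. */
    const char *ok_input   = "alice";
    const char *long_input = "this-name-is-far-too-long-for-the-buffer";

    set_name_unchecked(&rec, ok_input);  /* fine only because the input fits */
    printf("unchecked copy of \"%s\": intact=%d\n", rec.name, record_intact(&rec));

    int rc = set_name_checked(&rec, long_input);
    printf("checked copy of over-long input: rc=%d intact=%d name=\"%s\"\n",
           rc, record_intact(&rec), rec.name);
    return 0;
}
```

The checked version deliberately fails closed: an over-long name is an error the caller must handle, not something to quietly shorten, because silent truncation of security-relevant strings (usernames, paths, hostnames) is its own well-known class of bug.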