Which is the Most Vulnerable Programming Language?

There are various security flaws in the technology, be it in hardware like Meltdown and Spectra bugs, or the errors in programming languages security. A study was recently conducted by WhiteSourceSoftware, a security company to analyze the open source security vulnerabilities in the seven most used programming languages, especially in the last decade.

Data from National Vulnerability Database, GitHub, open-source projects issue trackers and other sources were taken on open-source vulnerabilities. C, C++ Java, JavaScript, Python, PHP, Ruby are the languages found with vulnerabilities, with C having the most security bugs. Half of the vulnerabilities reported were found in C.

C, PHP, Java: The most insecure languages

According to Google Linux kernel security engineer, Kees Cook, C is more of machine code and a fancy assembler. There are certain weaknesses, uncertain behaviors found in C which create vulnerabilities and other flaws.

WhiteSource clarified that these vulnerabilities do not mean that C is a less secure language, rather it is being used for a long time and the most number of codes are written in it. Linux kernel and OpenSSL infrastructure also have some of the codes written in C.

Making security blunders in C is very common and easy after decades of its use. The undefined behavior of C leaves several nasty possibilities open.

Whereas in C++, most high-severity vulnerabilities have been found in the last five years, as buffer error can now be found in C++ as well.
JavaScript is another very in-demand language but in the previous decade, the number of vulnerabilities has increased in it.

Automated programs like Source Code Analysis Tools have been figuring out the vulnerabilities which are not very problematic. Language that has been scoring well on security holes is Python.

Some of the Common Weakness Enumerations (CWEs) are shared among nearly every language, out of which two CWEs are featured in top three 70 percent of the languages: XSS (Cross-Site-Scripting) or CWE-79 and CWE-20 aka Input Validation.

Some of the common CWEs seen are Information Leak/ Disclosure (CWE-200). Path Traversal (CWE-22), CWE-264 Privileges, Permissions and Access Control and also Improper Access Control (CWE-284).

This does not prove that C is the least secure while Python is best. The answer to finding the best programming language cannot be derived so easily. Rather a programmer should be aware of open-source vulnerabilities, and be vigilant on the language being used.

Security is not totally based on the language, instead of how that language is used.

No comments:

Post a Comment