Every developer has a preferred programming language. There is no such thing as "the most secure language" in general, but a language's security can be characterised along specific, measurable dimensions, such as the number and severity of the vulnerabilities reported in code written in it.
This survey by WhiteSource examined the open source security vulnerabilities reported for the most widely used programming languages.
How To Measure Security
When measuring the security of a programming language, several factors have to be taken into account. The terms the report relies on are:
- Buffer errors, where a program reads or writes outside the bounds of allocated memory. An out-of-bounds read can expose sensitive information, an out-of-bounds write can introduce incorrect behaviour, and either can crash the program.
- Common Weakness Enumeration (CWE), a catalogue of software weakness types created to serve as a common language for describing software security. It provides a baseline standard for identifying and mitigating weaknesses, and the report groups vulnerabilities by CWE.
- The Heartbleed bug, a serious vulnerability in the popular OpenSSL cryptographic library and a well-known example of a buffer error: a missing bounds check allowed a peer to read protected data out of the memory of a vulnerable server.
According to the report, C has the highest number of reported vulnerabilities of the seven languages, accounting for around 50% of them, in part because it has been in use for far longer than most other languages and far more code has been written in it. Each language has its own highs and lows vulnerability-wise. Broadly, the more widely a language is used, the more vulnerabilities are reported against it, so a high count reflects the volume of code and the scrutiny it receives as much as any inherent weakness of the language.
Fig: Number of reported vulnerabilities per language and year, 2009-2018
The most common CWEs across most of the programming languages are
- Cross-Site Scripting (XSS), CWE-79
- Improper Input Validation, CWE-20
- Permissions, Privileges, and Access Controls, CWE-264
- Information Exposure (information leak or disclosure), CWE-200
Comparing the Vulnerabilities For Each Language
Vulnerabilities in C account for over 50% of all reported open source vulnerabilities since 2009, and C also has a relatively low share of low-severity vulnerabilities, only 7% in 2018. Beyond the sheer count, C has a high number of memory corruption issues such as Buffer Errors (CWE-119). High severity vulnerabilities made up 26% of C's vulnerabilities on average over the past five years, with a significant spike in 2017.
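The buffer error described above (CWE-119, the class Heartbleed belongs to) is easiest to see in code. The following is an added example written for this page, not code from the WhiteSource report or from OpenSSL. It assumes a simplified heartbeat-style wire format, `[type:1][payload_length:2, big-endian][payload...]`, and places an 8-byte record and a 7-byte "secret" side by side in one constructed array so that the over-read stays inside an allocated object and the demo is deterministic. The vulnerable echo trusts the sender's length field; the hardened one checks it against the number of bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire format for the example (not OpenSSL's code):
 *   [type:1 byte][payload_length:2 bytes, big-endian][payload...]
 * The sender controls payload_length; the receiver must not trust it. */
#define HDR 3

/* Vulnerable echo: copies `claimed` bytes based only on the length field,
 * never checking how many bytes actually arrived. This is an out-of-bounds
 * read (CWE-119/CWE-125), the Heartbleed pattern. */
size_t echo_vulnerable(const uint8_t *msg, uint8_t *out, size_t out_cap)
{
    uint16_t claimed = (uint16_t)((msg[1] << 8) | msg[2]);
    size_t n = claimed < out_cap ? claimed : out_cap;
    memcpy(out, msg + HDR, n);   /* reads past the real end of the record */
    return n;
}

/* Hardened echo: validates the claimed length against the bytes received
 * and against the output buffer, rejecting (not clamping) bad input. */
int echo_hardened(const uint8_t *msg, size_t msg_len,
                  uint8_t *out, size_t out_cap, size_t *copied)
{
    if (msg_len < HDR)
        return -1;                        /* truncated header */
    uint16_t claimed = (uint16_t)((msg[1] << 8) | msg[2]);
    if ((size_t)claimed > msg_len - HDR)  /* more claimed than received */
        return -1;
    if ((size_t)claimed > out_cap)        /* would overflow the output */
        return -1;
    memcpy(out, msg + HDR, claimed);
    *copied = claimed;
    return 0;
}

/* Constructed memory layout for the demo: an 8-byte record (3-byte header
 * plus "hello") immediately followed by 7 bytes of unrelated private data.
 * Keeping both in one array keeps the over-read inside an allocated object;
 * on a real heap the adjacent bytes are whatever happens to be there. */
#define PAYLOAD "hello"
#define SECRET  "hunter2"
#define RECORD_LEN (HDR + 5)
static uint8_t arena[RECORD_LEN + 7];

static const uint8_t *build_arena(uint16_t claimed_len)
{
    arena[0] = 1;                                  /* type: heartbeat request */
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HDR, PAYLOAD, 5);               /* the 5 bytes really sent */
    memcpy(arena + RECORD_LEN, SECRET, 7);         /* data that must not leak */
    return arena;
}

/* Returns 1 if echoing a record that claims 12 bytes leaks SECRET. */
int vulnerable_leaks_secret(void)
{
    uint8_t out[64] = {0};
    size_t n = echo_vulnerable(build_arena(12), out, sizeof out);
    return n == 12 && memcmp(out + 5, SECRET, 7) == 0;
}

/* Returns 1 if the hardened echo rejects the same lying record. */
int hardened_rejects_lying_record(void)
{
    uint8_t out[64] = {0};
    size_t copied = 0;
    int rc = echo_hardened(build_arena(12), RECORD_LEN, out, sizeof out, &copied);
    return rc == -1 && copied == 0;
}

/* Returns 1 if the hardened echo still serves an honest 5-byte record. */
int hardened_accepts_honest_record(void)
{
    uint8_t out[64] = {0};
    size_t copied = 0;
    int rc = echo_hardened(build_arena(5), RECORD_LEN, out, sizeof out, &copied);
    return rc == 0 && copied == 5 && memcmp(out, PAYLOAD, 5) == 0;
}

int main(void)
{
    printf("vulnerable echo leaks secret:   %d\n", vulnerable_leaks_secret());
    printf("hardened echo rejects lie:      %d\n", hardened_rejects_lying_record());
    printf("hardened echo serves honest:    %d\n", hardened_accepts_honest_record());
    return 0;
}
```

The point of the hardened version is that the check compares the attacker-supplied length with a length the receiver measured itself (`msg_len`), and that a mismatch is an error rather than something to silently clamp; clamping to the output buffer, as the vulnerable version does, bounds the write but not the read.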
The number of vulnerabilities in Java has risen consistently since 2016, and it nearly doubled in 2018 compared with 2017. High severity vulnerabilities made up 19% on average over the past five years, a share that has declined consistently since 2015.
This language has the second highest number of vulnerabilities of the seven, with its largest increase in 2017. It is the only one of the seven for which SQL Injection (CWE-89) appears among the top CWEs, and that category rose in 2017 and 2018. Cross-Site Scripting (CWE-79) is its most common vulnerability. High severity vulnerabilities averaged 16% over the past five years, a consistent share apart from a sharp decline in 2017.
Python reached its peak in vulnerabilities in 2015 and has seen them decrease consistently since then. It had a relatively small percentage of high severity vulnerabilities until 2017. The CWEs that dominate Python are Improper Input Validation (CWE-20), Permissions, Privileges, and Access Controls (CWE-264), Cross-Site Scripting (CWE-79) and Information Exposure (CWE-200). High severity vulnerabilities averaged 15% over the past five years, the lowest of all the languages.
C++ suffers from the same CWEs as C: the vulnerabilities found in it are dominated by Buffer Errors (CWE-119) and Improper Input Validation (CWE-20). High severity vulnerabilities averaged 36% over the past five years, the highest of all the languages.
Of the seven languages, Ruby has the fewest security vulnerabilities. Its most common CWE is XSS (CWE-79); the others found are CWE-20, CWE-200, CWE-264 and CWE-284 (Improper Access Control). High severity vulnerabilities averaged 19% over the past five years, a fairly stable share apart from a peak in 2017.
Rather than searching for the most secure programming language, a developer should focus on how to code securely in the language they already use: validate input, and know which CWEs dominate that language so the review effort goes where the reported vulnerabilities actually are.