Which programming language is the most secure? High security vulnerabilities for Java have declined since 2015
Time to put languages to the test. Which programming languages are the most secure and which have dents in their armor? A report from WhiteSource examined security vulnerabilities in some of the most popular programming languages and looked at the trends of high security vulnerabilities over the years.
We all have a favorite programming language for one reason or another. Either you like the syntax, the tools you can use it with, or you are just plain used to it. Does a language’s security come into play when you consider this?
What are their top picks for the most secure programming language?
Let’s look at the list from the report and break it down.
Total reported open source vulnerabilities per language:
- C (46.9%)
- PHP (16.7%)
- Java (11.4%)
- Python (5.45%)
- C++ (5.23%)
- Ruby (4.25%)
WhiteSource pulled their info from their database which includes multiple sources including “the National Vulnerability Database, security advisories, GitHub issue trackers, and popular open source project issue trackers”.
While at first you might be shocked by the large number boasted by C, the numbers don’t tell the whole story. C is an older language and sits behind a lot of large projects. (C has been around since 1972! It’s seen the rise and fall and rise again of bell-bottoms.) Overall, when you take this into consideration, it is still a secure language.
Workhorse languages like Java are used by a large percentage of the programming population, which explains its rather high position on the list. High security vulnerabilities for Java have declined since 2015. One of Java’s biggest security problems is represented by deserialization issues. Deserialization issues are typically unique to Java and aren’t found in PHP, Ruby, or Python.
When it comes to PHP, security vulnerabilities are fairly consistent. However, it does have issues regarding SQL Injection (CWE-89) vulnerabilities. This puts a big dent in PHP’s armor. In 2017 and 2018, SQL Injection vulnerabilities were high. Lately PHP has been falling in popularity. We don’t know what its future holds; anyone have any predictions?
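To make the CWE-89 point concrete, here is an added example (not code from the article or from the WhiteSource report) showing the injectable pattern in PHP beside its parameterized form. It assumes PHP with the pdo_sqlite extension so it can run against an in-memory database; the table, rows, and test input are constructed for the example.

```php
<?php
// Added example, not from the original article: CWE-89 in PHP, vulnerable
// string concatenation beside a PDO prepared statement. Runs offline against
// an in-memory SQLite database (assumes the pdo_sqlite extension is loaded).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
$db->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable: the caller's string is spliced into the SQL text, so the database
// parses whatever it contains as part of the query.
function findUserVulnerable(PDO $db, string $username): array
{
    $sql = "SELECT username, role FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the query shape is sent first, the value is bound separately, so the
// value can only ever be compared as data, never interpreted as SQL.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username, role FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed test input: a tautology that rewrites the WHERE clause when
// concatenated, but is just an odd username when bound as a parameter.
$input = "' OR '1'='1";

printf("vulnerable query returned %d row(s)\n", count(findUserVulnerable($db, $input)));
printf("prepared query returned   %d row(s)\n", count(findUserSafe($db, $input)));
```

Run with `php example.php`: the concatenated query matches every row in the table because the input has turned the condition into one that is always true, while the prepared statement matches none, since no user has that literal string as a name. Code review or static analysis flagging any `$db->query()`/`exec()` call whose SQL text is built from a variable is the practical way to find the first pattern in a PHP code base.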
Now it’s Python’s time to boast. On average, it has had the lowest number of high security vulnerabilities over the past 5 years. In 2018, security vulnerabilities in the language decreased, and they have been declining overall since 2015.
Don’t let the numbers fool you and think that right off the bat one language is inherently better than another. The report gives this valuable statement:
When we crunch the numbers and review the amount of reported open source vulnerabilities per programming language over time, what stands out is that there is no consistent trend for all languages apart from the fact that all languages saw a significant rise in the number of reported vulnerabilities in 2017.
WhiteSource Annual report: The state of open source vulnerabilities
Is security getting worse? Or are we just getting better at finding vulnerabilities? Don’t sound the alarm bells yet.
Asking which language is “the most secure” is a tough question without an honest, definitive answer. There isn’t one kind of security and every language has its use cases.