Security profiles for Java, JavaScript, Python and PHP

Which programming language is the most secure? High security vulnerabilities for Java have declined since 2015

Sarah Schlothauer
© Shutterstock / Andrii Spy_k

Time to put languages to the test. Which programming languages are the most secure and which have dents in their armor? A report from WhiteSource examined security vulnerabilities in some of the most popular programming languages and looked at the trends of high security vulnerabilities over the years.

We all have a favorite programming language for one reason or another. Either you like the syntax, the tools you can use it with, or you are just plain used to it. Does a language’s security come into play when you consider this?

A report from WhiteSource examines the security vulnerabilities in popular programming languages.

What are their top picks for the most secure programming language?

Language vulnerabilities

Let’s look at the list from the report and break it down.

Total reported open source vulnerabilities per language:

  1. C (46.9%)
  2. PHP (16.7%)
  3. Java (11.4%)
  4. JavaScript (10.2%)
  5. Python (5.45%)
  6. C++ (5.23%)
  7. Ruby (4.25%)

WhiteSource pulled their info from their database which includes multiple sources including “the National Vulnerability Database, security advisories, GitHub issue trackers, and popular open source project issue trackers”.

SEE ALSO: Hunting for weak spots in Java and Python projects is easier than ever with SAP’s Vulnerability Assessment Tool

Security profiles

While at first you might be shocked by large number boasted by C, the numbers don’t tell the whole story. C is an older language and behind a lot of large projects. (C has been around sine 1972! It’s seen the rise and fall and rise again of bell-bottoms.) Overall, when you take this into consideration, it is still a secure language.

Workhorse languages like Java are used by a large percentage of the programming population, which explains its rather high position on the list. High security vulnerabilities for Java have declined since 2015. One of Java’s biggest security problems is represented by deserialization issues. Deseralization issues are typically unique to Java and aren’t found in PHP, Ruby, or Python.

JavaScript often ranks as the number one most popular programming language, so take that in mind when considering the rise in its vulnerabilities. According to the research by WhiteSource, “61% of the JS vulnerabilities are path traversal and crypto, 70% of those packages are barely used, maintained or supported, and had less than 2000 downloads in 2018”. One of the reasons people avoid downloading these package is thanks to the popularity of automated tools.

When it comes to PHP, security vulnerabilities are fairly consistent. However, it does have issues regarding SQL Injection (CWE-89) vulnerabilities. This puts a big dent in PHP’s armor. In 2017 and 2018, SQL Injection vulnerabilities were high. Lately PHP has been falling in popularity. We don’t know what its future holds; anyone have any predictions?

Now it’s Python’s time to boast. On average, it has the lowest amount of high security vulnerabilities over the past 5 years. In 2018, security vulnerabilities in the language decreased and has overall been decreasing since 2015.

Silver linings?

Don’t let the numbers fool you and think that right off the bat one language is inherently better than another. The report gives this valuable statement:

When we crunch the numbers and review the amount of reported open source vulnerabilities per programming language over time, what stands out is that there is no consistent trend for all languages apart from the fact that all languages saw a significant rise in the number of reported vulnerabilities in 2017.

WhiteSource Annual report: The state of open source vulnerabilities

Is security getting worse? Or are we just getting better at finding vulnerabilities? Don’t sound the alarm bells yet.

The report goes on to explain that automated tools have become better at finding vulnerabilities in open source components, and that is one of the big reasons why the number is rising. In fact, “the percentage of critical vulnerabilities is declining in most of the languages we researched, excluding JavaScript and PHP.”

Asking which language is “the most secure” is a tough question without an honest, definitive answer. There isn’t one kind of security and every language has its use cases.

You can download the report and further examine the data that WhiteSource compiled.

What do you think about the report?

Sarah Schlothauer

Sarah Schlothauer

All Posts by Sarah Schlothauer

Sarah Schlothauer is the editor for She received her Bachelor's degree from Monmouth University, West Long Branch, New Jersey. She currently lives in Frankfurt, Germany with her husband and cat where she enjoys reading, writing, and medieval reenactment. She is also the editor for Conditio Humana, an online magazine about ethics, AI, and technology.

1 Comment
Inline Feedbacks
View all comments
2 years ago

One good article on programming languages!