Which are the most insecure languages?

WhiteSource's review of programming language security errors reveals which languages have the most security holes. The "winner"? C. But that's only the start of the story.

From top to bottom, technology is riddled with security errors. At the lowest level, we have hardware errors such as Intel’s Meltdown and Spectre bugs. Just above those, we have programming language security holes, and boy, do we have a lot of those!

WhiteSource, an open-source security company, recently did a study of open source security vulnerabilities in the seven most widely used languages over the past decade. To find the bugs, the company used its language security database. This contains data on open-source vulnerabilities from multiple sources such as the National Vulnerability Database (NVD), security advisories, GitHub issue trackers, and open-source projects' issue trackers.

Here's what the company found. The seven languages are C, Java, JavaScript, Python, Ruby, PHP, and C++. No surprises there.

There’s also no surprise as to which language had the most security bugs. That’s C, by a wide margin. Nearly 50 percent of all reported vulnerabilities were in C.

As Kees "Case" Cook, Google Linux kernel security engineer, said recently: "C is a fancy assembler. It's almost machine code." In addition, "C comes with some worrisome baggage, undefined behaviors, and other weaknesses that lead to security flaws and vulnerable infrastructure."

But, WhiteSource argued, “This is not to say that C is less secure than the other languages. The high number of open source vulnerabilities in C can be explained by several factors. For starters, C has been in use for longer than any of the other languages we researched and has the highest volume of written code. It is also one of the languages behind major infrastructure like OpenSSL and the Linux kernel. This winning combination of volume and centrality explains the high number of known open-source vulnerabilities in C.”

They have a point. But, having programmed and fought with C for decades now, it really is way too easy to make terrible security blunders in C. For example, C contains a great deal of undefined behavior, which leaves all kinds of nasty possibilities open.
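As an added example (not from the WhiteSource report or this article), here is one of the undefined-behaviour traps the paragraph above alludes to: a bounds check that relies on signed integer overflow, which the compiler may legally delete, beside a version built only from defined operations. The record buffer, its size and the function names are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size record buffer used by both variants below. */
#define RECORD_SIZE 64

/* Vulnerable form: "offset + length < offset" relies on signed overflow
 * wrapping. Signed overflow is undefined behaviour in C, so a compiler may
 * assume it never happens and remove the test entirely; the bounds check
 * can silently vanish in an optimised build. */
bool in_bounds_undefined(int offset, int length)
{
    int end = offset + length;   /* may overflow: undefined behaviour */
    if (end < offset)            /* compiler is entitled to drop this */
        return false;
    return end <= RECORD_SIZE;
}

/* Hardened form: reject negative inputs first, then compare without ever
 * computing a value that can overflow. Every operation here is defined. */
bool in_bounds_defined(int offset, int length)
{
    if (offset < 0 || length < 0)
        return false;
    /* Same meaning as offset + length <= RECORD_SIZE, but cannot overflow
     * because offset is already known to be in [0, INT_MAX]. */
    return length <= RECORD_SIZE - offset;
}

/* Copy "length" bytes of src into record at "offset" after the defined check.
 * Returns the number of bytes written, or 0 when the request was rejected. */
size_t record_write(unsigned char *record, int offset, int length,
                    const unsigned char *src)
{
    if (!in_bounds_defined(offset, length))
        return 0;
    memcpy(record + offset, src, (size_t)length);
    return (size_t)length;
}

int main(void)
{
    unsigned char record[RECORD_SIZE] = {0};
    const unsigned char payload[8] = "ABCDEFG"; /* constructed sample input */
    printf("write at 60, len 4: %zu bytes\n", record_write(record, 60, 4, payload));
    printf("write at 60, len 8: %zu bytes\n", record_write(record, 60, 8, payload));
    printf("offset 10, len INT_MAX accepted? %d\n", in_bounds_defined(10, INT_MAX));
    return 0;
}
```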
