Discussion of programming languages can certainly stir up plenty of debates, including which Web programming language is most secure.
But according to the ninth installment of the WhiteHat Security Website Security Statistics Report, when it comes to security, the languages are all the same. According to Jeremiah Grossman, WhiteHat founder and CTO:
This report shows that no one language / framework is vastly more secure than another...none is so special that it stands out. The first step to improve application security is to focus less on the technology and more on creating an executive level mandate.
Key findings in the report include:
As the Help Net Security site reported:
Until now, no other website security study has provided detailed research on how programming languages perform in the field, though it is crucial to understand since security must be prioritized as part of the software development lifecycle to be most effective. Nearly 1,700 business-critical websites were evaluated to provide organizations with insight into the relative security of the development frameworks they deploy, and the associated vulnerabilities that put them at risk.
For years the industry has been conditioned to believe that the selection of a development technology is one of the most important decisions affecting website security. However, the empirical data behind the comparison of development languages / frameworks from our latest report paints a very different picture. The bottom line is that there just isn't a large measurable difference in the security postures from language to language or framework to framework -- specifically Microsoft ASP Classic, Microsoft .NET, Java, Cold Fusion, PHP, and Perl. Sure, in theory one might be significantly more secure than the others, but when deployed on the Web it's just not the case.