No Difference Between Programming Languages When It Comes to Security


Discussion of programming languages can certainly stir up plenty of debates, including which Web programming language is most secure.


But according to the ninth installment of the WhiteHat Security Website Security Statistics Report, when it comes to security, the languages are all the same. According to Jeremiah Grossman, WhiteHat founder and CTO:


This report shows that no one language / framework is vastly more secure than another...none is so special that it stands out. The first step to improve application security is to focus less on the technology and more on creating an executive level mandate.

Key findings in the report include:


  • Empirically, programming languages/frameworks do not have similar security postures when deployed in the field. They are shown to have moderately different vulnerabilities, with different frequency of occurrence, which are fixed in different amounts of time.
  • The size of a Web application's attack surface alone does not necessarily correlate to the volume and type of issues identified.
  • At an average of 44 days, SQL Injection vulnerabilities were fixed the fastest on Microsoft ASP Classic websites, just ahead of Perl at 45 days.
  • The vulnerability resolution rate for "Critical" severity Cross-Site Scripting vulnerabilities (non-persistent) in all measured languages/frameworks hovered in the 50-60 percent range.


As the Help Net Security site reported:


Until now, no other website security study has provided detailed research on how programming languages perform in the field, though it is crucial to understand since security must be prioritized as part of the software development lifecycle to be most effective. Nearly 1,700 business-critical websites were evaluated to provide organizations with insight into the relative security of the development frameworks they deploy, and the associated vulnerabilities that put them at risk.


Said Grossman:


For years the industry has been conditioned to believe that the selection of a development technology is one of the most important decisions affecting website security. However, the empirical data behind the comparison of development languages / frameworks from our latest report paints a very different picture. The bottom line is that there just isn't a large measurable difference in the security postures from language to language or framework to framework -- specifically Microsoft ASP Classic, Microsoft .NET, Java, Cold Fusion, PHP, and Perl. Sure, in theory one might be significantly more secure than the others, but when deployed on the Web it's just not the case.