Programming Language Choice Has Little Effect on Website Security

By ISBuzz Team
Writer, Information Security Buzz | Apr 17, 2014 04:49 am PST

WhiteHat Security recently released a report investigating whether one’s choice of programming languages affects the level of a website’s security.

WhiteHat tested 30,000 websites under the management of WhiteHat Sentinel to determine which attacks they are generally prone to, how frequently and for how long, and how they compare with websites coded in other languages.

Researchers at WhiteHat Security used URL file extension and HTTP response body headers to classify each website’s language. They then wrote scripts to extract data points for each website, including industry, class, and vulnerability status. These were stored in a database and extracted again via SQL commands and Perl calls, then validated and cleaned using R.

The report presents several important findings, including:

– .Net accounted for 38.5% of the websites surveyed, followed by Java at 25% and Active Server Pages (ASP) at 16%.

– .Net, Java, and ASP all had the highest numbers of vulnerabilities per “slot,” or the boundaries of a web application. There was no significant difference between them, with all three averaging around 11%.

– The most “secure” languages also showed no significant difference among themselves: Perl, Ruby, and ColdFusion all came in at around 6%.

The programming languages did differ in some ways. The average number of days during which vulnerabilities were open differed significantly, with .Net averaging nearly a year, whereas Ruby numbered only 3.

Additionally, some languages boasted the highest percentage of certain types of attacks. ColdFusion, for example, exhibited the highest number of functionality vulnerabilities (6%) and SQLi (8%), but these are offset by the language’s high remediation rates of 100% and 96%, respectively.

However, with a 5% difference dividing the “least” secure from the “most” secure, the researchers at WhiteHat Security find that programming language has little effect on website security with regard to the percentage of vulnerabilities or the remediation rates needed to fix these flaws.

In light of this finding, businesses and corporations should select a language with which their security personnel feel sufficiently comfortable to conduct code reviews of web services on an ongoing basis. Also, depending on the scale of the desired application security program, each organization should choose a governance framework that suits its needs.

David Bisson | @DMBisson

Bio: David is currently a senior at Bard College, where he is studying Political Studies and writing his senior thesis on cyberwar and cross-domain escalation. He also works at the Hannah Arendt Center for Politics and Humanities at Bard College as an Outreach intern. Post-graduation, David would like to leverage his extensive journalism experience as well as his interest in computer coding and social media to pursue a career in cyber security, both its practice and policy.