Over the last couple of weeks I’ve been putting a lot of time into our 9th WhiteHat Website Security Statistics Report, “Which Web programming languages are most secure?” The full report is available (registration required).
I always love doing this report to see how Web security is changing, but this time around it was even more exciting. For years the industry has been conditioned to believe that the selection of a development technology is one of the most important decisions affecting website security. However, the empirical data behind the comparison of development languages / frameworks in our latest report paints a very different picture. The bottom line is that there just isn't a large measurable difference in security posture from language to language or framework to framework -- specifically Microsoft ASP Classic, Microsoft .NET, Java, ColdFusion, PHP, and Perl. Sure, in theory one might be significantly more secure than the others, but when deployed on the Web it's just not the case.
This type of data is likely to stir up emotion within the industry because many people are extremely attached to their development language / framework. They have strong convictions about its perceived security performance and opinions on why their choice is the best for others too. At the end of the day, this report shows that no one language / framework is vastly more secure than another; none is so special that it stands out. The first step to improving application security is to focus less on the technology and more on creating an executive-level mandate. Unless we bridge the gap between perception and reality, the problem will never be properly addressed.
"Security-conscious organizations make implementing a software security development lifecycle a priority. As part of the process, they evaluate a large number of development technologies for building websites. The assumption by many is that not all development environments are created equal. So the question often asked is, “What is the most secure programming language or development framework available?”
Clearly, familiarity with a specific product, whether it is designed to be secure-by-default or must be configured properly, and whether various libraries are available, can drastically impact the outcome. Still, conventional wisdom suggests that most popular modern languages / frameworks (commercial & open source) perform relatively similarly when it comes to an overall security posture. At least in theory, none is markedly or noticeably more secure than another. Suggesting PHP, Java, C# and others are any more secure than other frameworks is sure to spark heated debate.
As has been said in the past, “In theory, there is no difference between theory and practice. But, in practice, there is.” Until now, no website security study has provided empirical research measuring how various Web programming languages / frameworks actively perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that popular modern languages / frameworks yield similar results in production websites?"