11 May

The most secure Language?

Posted by: Joshbw in Secure Development

WhiteHat Security has recently released a paper in which they attempt to answer “What is the most secure programming language or development framework available?”. There are two very good responses to the paper, from Michael Coates and from pInvoke, which are well worth the read.

Ignoring the multitude of issues with the actual methodology (scientists WhiteHat is not – if this paper gets published in a proper journal, that journal has some low standards), I have an issue with the actual question. What on earth do they mean by “Most Secure Development Language/Framework”? If they mean the language or framework whose runtime or libraries will best withstand attempts to break the framework or language itself, that is already a hard thing to measure. Do you measure the NVD numbers for vulnerabilities discovered in the language or framework (PHP, I think you lose, Mr. 18,000 and counting), the severity of the vulnerabilities, the exposure window between discovery and fix, the effectiveness of patches at addressing the issues, etc.? How do you create a metric when the Linux and Windows teams, the Firefox and IE teams (and really every internal AppSec organization in an enterprise) have been arguing over a good metric for ages with no agreement? That said, having some measure, even if not agreed on, is a useful thing, because the security of an internet-facing application isn’t just dependent on the code an enterprise writes, but also on the third-party code exposed to the internet. It would be useful to know how Tomcat stacked up to WebLogic in terms of security while I am deciding which server runtime to use.

That would be a literal interpretation of “Most Secure Language/Framework”, because you are measuring the security specifically of the runtime/framework code. WhiteHat does not mean this, however. What they mean is which language will produce more secure websites, which is neither an appropriate question to ask, nor one that they have answered reasonably (see the two responses linked above). Thinking purely idealistically, a better question would be: given the following languages and frameworks, which will take my developers the least amount of time to implement the following product with a minimum of critical, high, and medium severity vulnerabilities? Do the languages have features that make defending against certain vulnerabilities significantly easier and less time consuming, and thus save me development costs? Do those security features come at some cost that increases development time elsewhere? Alternatively, are there design decisions in the language, or a lack of features, that have to be engineered around to make a secure site, and how much time does this cost (for example, PHP before it had prepared statements – that is an inherent handicap)?
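To make that “inherent handicap” concrete, here is an added illustration (not code from the post): a user lookup written the way PHP code had to be written before prepared statements, where every value must be escaped by hand, beside the mysqli prepared-statement form. The `users` table, its `username` column, and the `$db`/`$link` connections are assumptions; the prepared version also assumes the mysqlnd driver for `get_result()`.

```php
<?php
// Added example, not from the original post. Assumes a table `users`
// with `id` and `username` columns.

// The old way (mysql_* extension, PHP 4 / early PHP 5, removed in PHP 7):
// the query is one string, so the developer must remember to escape
// every value. One forgotten mysql_real_escape_string() is a SQL
// injection, and nothing in the language will catch the omission.
function find_user_old_style($link, $username)
{
    $safe = mysql_real_escape_string($username, $link); // easy to forget
    $sql  = "SELECT id, username FROM users WHERE username = '$safe'";
    $res  = mysql_query($sql, $link);
    if (!$res) {
        return null;
    }
    $row = mysql_fetch_assoc($res);
    return $row ? $row : null;
}

// The prepared-statement way (mysqli, PHP 5+): the query structure is
// sent to the server separately from the data, so a value such as
// "' OR '1'='1" is only ever compared as a literal string and can never
// change the shape of the query. There is no escaping step to forget.
function find_user_prepared(mysqli $db, $username)
{
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param("s", $username); // "s": bind as a string parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ? $row : null;
}
```

The point of the comparison is the cost, not the possibility: the old style can be written safely, but only if the developer gets the escaping right on every query, which is exactly the kind of engineering-around that eats development time.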

An incredibly competent and methodical C coder could make a CGI-based website just as securely as an incredibly competent and methodical C# coder could make an MVC.net 2.0 website. The C coder certainly has a heck of a lot more hurdles (a little something called buffer overflows, for starters), but there isn’t a technical reason that makes certain vulnerabilities absolutely unavoidable. If I am making a language decision for my enterprise, the fact that it isn’t technically impossible to make a secure website in a particular language doesn’t matter to me – what matters is that it is going to take the C coder many times as long to spit something out as the C# coder. So the useful question isn’t “Which language/framework is more secure” but rather “Which language/framework makes it EASIER for the coder to produce a secure website, and do so quicker”, and the WhiteHat paper doesn’t address this. In fact their methodology makes answering that question impossible. The only real test would be to stack up balanced teams of comparable skill in each language and have them implement the exact same website, then measure how fast they produced the site, how many vulnerabilities were initially detected by equally balanced pentesting teams, and finally how long it took them to fix the vulnerabilities.

I don’t see that test happening soon, because it is a fairly non-trivial amount of work. It also would only tell you something about that specific type of application. A website with dramatically different design considerations, or a web service, or another type of application may not have the same results. That said, in general I agree with pInvoke in his writeup above that the Microsoft stack does offer some very obvious built-in advantages, from preventing CSRF (encrypted view states – to my knowledge the only framework with such a protection built in) to the trivial input encoding, that can be compared to other languages without such a thorough experimental design.

All of that said, for any given organization the languages that are probably the most secure are the ones the developers are most comfortable writing code in. Forcing a PHP developer to write mvc.net code because you feel it is more secure is a mistake and will buy you nothing but a longer development cycle. (Exception – if your coders still swear by CGI, you really are better off forcing them into something invented in the past decade even if they will have a learning curve. You probably shouldn’t have let them be so resistant to change to begin with.)

~ Joshbw

This entry was posted on Tuesday, May 11th, 2010 at 7:48 pm and is filed under Secure Development.
