As with other aspects of cybersecurity, the level of programming language security depends on what we mean by "secure." It's true that Java has fewer identified vulnerabilities than some other commonly used languages. It's also true that some newer languages appear more secure than Java, at least at first glance.
Many of the security holes that have been found in Java are the result of its popularity. Widespread usage means that thousands of bug hunters are dedicated to finding Java language vulnerabilities, which gives Java an unfair "advantage" in this field. Likewise, the implied security of some newer languages, like Ruby, could reflect their niche usage more than their integrity.
In this article, we'll look at how the most commonly used programming languages rank in terms of security. I'll explain some factors that make one language less secure than another, and why identified vulnerabilities have increased so much in the past few years. Finally, I'll suggest a few ways Java developers can reduce vulnerabilities in code.
Bottom line: From a security perspective, vulnerabilities we know about are better than those we don't.
How secure is Java?
Recent research into the vulnerabilities of the most commonly used programming languages has come from WhiteSource, an open-source security and license-compliance platform. WhiteSource looked at seven of the most popular open-source programming languages: C, Java, JavaScript, Python, Ruby, PHP, and C++. Analysts then used a variety of sources to rank the languages by their number of identified vulnerabilities.
Based on the WhiteSource study, the most vulnerable programming language by far was C, with 47% of all reported vulnerabilities. That ranking will not surprise experienced programmers, but other results might. PHP came in a distant second, with 17%, followed by Java with 12%, and JavaScript rounding out the top four with 11%. Following these "leaders" were Python, C++, and Ruby.
Understanding programming language security
Next, we should ask why some programming languages are more vulnerable than others. Based on the research I've cited, you might conclude that C represents an enormous security threat. But consider that C has been in use for much longer than any other language on the list. As Stephen Turner, writing in the Journal of Technology Research, puts it, "programming languages are like genetics, in that there are a few ancestors with common traits that have proliferated."
As the oldest language on the list, C was developed in a completely different threat environment from relatively newer languages like Java and Ruby. As WhiteSource points out, C's relative age means it has a correspondingly higher volume of written code. C is also one of the languages used for major infrastructures like OpenSSL and the Linux kernel. That combination of volume and centrality can lead to a higher number of known open source vulnerabilities.
Though Java performs well in this analysis, the authors highlight two types of vulnerability that especially impact Java. First, they note that US-CERT has long warned us about Java's vulnerability to log injection attacks, mainly through web browsers. Such attacks can be averted through validation or authentication of submitted input, but developers are often reluctant to validate input thoroughly for fear that this could make their apps less user-friendly.
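The input validation the paragraph refers to is straightforward to apply in practice. The following is an added example, not code from the JavaWorld article: it shows the two defensive steps for a value that ends up in a log entry, an allowlist check for fields with a known shape (here a hypothetical username field), and neutralisation of carriage-return, line-feed and other control characters for free-text fields such as a User-Agent header, so that one submitted value cannot start a new, forged log line. The class name, field names and sample inputs are constructed for the example.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Added example (not from the article): preventing log injection from submitted input.
public class SafeLogging {
    private static final Logger LOG = Logger.getLogger(SafeLogging.class.getName());

    // Allowlist for a hypothetical username field: letters, digits, dot, underscore, hyphen; 1-32 chars.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._-]{1,32}$");

    /** Returns true only if the value matches the allowlist exactly. */
    static boolean isValidUsername(String input) {
        return input != null && USERNAME.matcher(input).matches();
    }

    /**
     * Encodes CR, LF and every other control character so that a submitted value
     * stays on one log line. Used for free-text fields that cannot be allowlisted.
     */
    static String neutralise(String input) {
        if (input == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (c == '\r') {
                sb.append("\\r");
            } else if (c == '\n') {
                sb.append("\\n");
            } else if (c < 0x20 || c == 0x7f) {
                sb.append(String.format("\\u%04x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Logs a login attempt; rejects usernames outside the allowlist and never logs raw input. */
    static void recordLogin(String username, String userAgent) {
        if (!isValidUsername(username)) {
            LOG.warning("rejected login, invalid username: " + neutralise(username));
            return;
        }
        LOG.info("login user=" + username + " agent=" + neutralise(userAgent));
    }

    public static void main(String[] args) {
        // Constructed sample inputs: each contains a line break intended to forge a second log entry.
        recordLogin("alice\nINFO: login user=admin agent=trusted", "Mozilla/5.0");
        recordLogin("alice", "Mozilla/5.0\r\nINFO: login user=admin agent=trusted");
    }
}
```

Both calls produce a single log line each: the first is rejected by the allowlist and the embedded newline appears as the literal text `\n`, the second is accepted and its User-Agent is written with `\r\n` encoded. Allowlisting is preferred wherever the field has a defined shape; neutralisation is the fallback for fields that legitimately contain arbitrary text.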
Second, Java is particularly vulnerable to trust exploits that follow access-control vulnerabilities. Though certification processes have improved since 2013, many developers rely on certificates from authorities that are less than reliable. It is possible to get a certificate that is less stringent than it should be. US-CERT, quoted in the Journal of Technology Research, warns about this open door for remote attackers executing arbitrary code.
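One way to avoid depending on whichever certificate authorities happen to be in the platform's default trust store is to give the application its own, deliberately curated trust store and build the TLS context from that. The following is an added example, not code from the article: it loads a PKCS#12 trust store from a path supplied by the caller (the path and password are placeholders) and uses it for an HTTPS connection while keeping Java's default hostname verification in place. It assumes Java 11 or later for the `TLSv1.3` protocol name.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example (not from the article): trusting only an application-specific trust store.
public class CuratedTrust {

    /** Builds an SSLContext whose trust anchors come solely from the given PKCS#12 trust store. */
    static SSLContext contextFromTrustStore(String trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);  // only certificates in this store (and chains leading to them) are accepted
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and password: replace with the application's own trust store.
        SSLContext ctx = contextFromTrustStore("/path/to/app-truststore.p12", "changeit".toCharArray());

        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://example.com/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Do not call setHostnameVerifier with a permissive verifier; the default checks the
        // certificate's subject against the host name, which the trust store alone does not do.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

With this setup a certificate issued by an authority that is not in the application's trust store is rejected even if the operating system or JDK would otherwise accept it, which narrows the set of issuers whose mistakes or leniency can affect the application.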
Java's relatively low vulnerability count offers an interesting contrast to C. Java was developed long after C, in an environment where threat consciousness was much higher, so it's no surprise that Java is far more secure. Likewise, while Ruby appears to be more secure than Java, this could be explained by the language's relative youth and its niche application.
Security vulnerabilities are on the rise—sort of
WhiteSource reports a "substantial rise in the number of known open source security vulnerabilities across all languages over the past two years." Though the overall number of vulnerabilities in Java has steadily decreased since 2015, the more recent spike in the number of vulnerabilities requires an explanation. We can attribute this increase to two factors.
First, there are bug bounties, a relatively new trend in which thousands of tech pros pick through a language to find vulnerabilities. These account for at least some of the increase in open source security vulnerabilities. Additionally, it's generally assumed that threat hunters scan all languages equally, but that's not true. As one of the most commonly used languages in web development, Java is a significant target for threat hunters. In this context, Java's third-place ranking for known vulnerabilities starts to look pretty low.
Software systems are also an order of magnitude more complicated than they were 10 years ago, which is another major factor in the increasing number of vulnerabilities found in Java and other languages. In a world where smartphone apps can be a source of infection, and where every company must have a JavaScript-enabled website, it's no surprise that the number of website vulnerabilities has increased exponentially. Add to this the long-term shortage of cybersecurity professionals, and things start to look grim for the future of cybersecurity.
How to avoid Java security vulnerabilities
Reading the research on security vulnerabilities might make your heart beat faster, but fear not: Java developers are in a strong position when it comes to application security. With thousands of pros scanning the language for vulnerabilities, there's a good chance we know about a good proportion of the vulnerabilities in the language. That knowledge is power.
A recent JavaWorld article offered 13 rules for developing secure Java applications. You can also find plenty of articles and white papers about implementing Java securely in specific environments, such as cloud security for Java and web app security for Java. Let's consider a couple of ways to reduce vulnerabilities that you might have overlooked.
Move to a DevSecOps workflow
One way to reduce vulnerabilities in Java code is to move to a DevSecOps workflow. This type of workflow makes security a paramount concern at all stages of the development process. As developers, we often forget that our software is used (and sometimes adapted) by all parts of the organization we work for. It's no good hardening your web apps against intrusion if your marketing team is determined to undermine your efforts. Include all of your teams in the development process, and make sure that security is a consideration for every aspect of the project.
Evaluate workflow security
You should also take a good look at the security of your own workflow. Your web apps might be secure in themselves, but one of the fastest-growing sources of vulnerability for developers is the development system itself. If your development system is hacked, it becomes a portal for injecting malicious code into your software. To avoid this, make sure you use a VPN to encrypt all of your internal communications. Also, be sure to implement encrypted data storage.
Conclusion
Although research finds that Java is less secure than some other languages, developers should take that finding with a pinch of salt. Newer and less commonly used languages might appear more secure, but that's likely because many of their vulnerabilities have not yet been discovered—or worse, they've been found but not reported.
While you should know the risks and take all reasonable precautions to secure your Java apps, don't worry too much about the rankings. As a Java developer, you at least know what you're up against.
This story, "How secure is Java compared to other languages?" was originally published by JavaWorld.