20
Are some languages safer than others? Or does this not depend on the language but on the programmer?
The language in which a program is programmed interferes with its security, regardless of the programmer?
20
Are some languages safer than others? Or does this not depend on the language but on the programmer?
The language in which a program is programmed interferes with its security, regardless of the programmer?
18
Programming languages are not inherently safe or insecure, they are a means of expression. Who has to do something safe is the programmer.
Some avoid certain types of problems that cause more insecurities, others facilitate the error. Some languages may use libraries that may have security holes, but this is rare. Especially it is rare to have the fault in there. What is most common is for one to misuse what has a harmful potential. Library is not the language. Not even the implementation it is at most the implementation of a complement that is specified that the language must have.
For example, C has standard library functions that clearly can exploit a buffer overflow. This in itself is not a security problem, the way you use a function like this is that it’s insecure. Ultimately it is unsafe to use it, but not that it is unsafe. There are ways to use it without incurring security problems.
PHP, just to quote an example, is full of unsafe functions for use. Not that they cause security problems, at least not most, but the programmer has difficulty using them in a safe way. They encourage insecurity. But if you know what you’re doing, you can use it. Including mysql_*
which are considered obsolete.
So of course language can indirectly interfere with security, it’s just not determining.
Of course there may be some specific language, probably mainstream I might have a security problem of my own, but that’s the joke. It’s obvious that, hypothetically, someone can write a language that you write a if
and it opens a door to a hacker possibly log in as administrator. Still it’s the problem of the programmer who made the language and probably who chose to use it.
What may have more in a language is the implementation of it (the compiler) generating a security problem, but it still falls into what I said before. This is probably a transient thing. You won’t see in the specification of a serious language that it should do something unsafe.
To understand this you must understand What characterizes a programming language? and even How a programming language is developed?
As for the last paragraph, it is interesting to separate language of language implementation. Security problems are usually in the implementation.
PHP has some unsafe functions to maintain compatibility see mysql_*
;) haha.
@Pabloalmeida added, thank you.
@rray but there is library and yet, there is no insecurity in these functions. Zero. The way people use this is that it is usually insecure. But you can use them without risk.
great @bigown explanation , I appreciate and believe will serve as help to many here at Stack
8
In contrast to Maniero’s response I say that languages are inherently safe or insecure in their context of use (say OS Programming or web Programming) and they are one of the determining factors in the security of their application. This very focused mentality in which "the programmer has to know how to do it right", that "he is responsible" is a life lag. The programmer is human and he is flawed, he can and will eventually make mistakes, unless the language he uses to express his programs does not allow him to make the mistake.
See for example how you have tons of security holes always popping up in operating systems and browsers, which are usually written in C/C++, due to simple things like writing data outside the allocated boundaries of an array. You can say that it was the developers who did wrong, that the blame for the insecurity is theirs and blah, but in the end it doesn’t change the fact that developing something like an operating system in C or C++ is unsafe, the language will allow the existence of certain security loopholes and inevitably these will appear in the code, and this could be avoided by the language itself. Take for example Rust, a low-level language developed by Mozilla; one of the main reasons for its creation was security, in Rust you eliminate a multitude of memory-related security loopholes, such loopholes being common in C/C++ code, and language itself solves this problem by being safe in memory manipulation.
Another higher-level example is web programming, think of the classic security problem of this context, SQL Injection. It is a divine command of web programming that you must escape your dice before playing them on darlings which are sent to the database (or use Prepared statements), yet it’s not hard to see people posting codes that don’t do that right here on oveflow stack. This is the fault of the programmer’s lack of knowledge (or sloppiness), but is it the language too? Yes. Nothing prevents you from designing a web language in which it is impossible to pass data not escaped to darlings of database, and then done, you have a language that is safe against SQL Injection, the problem no longer exists regardless of the programmer’s action.
So to wrap up: not all security issues are affected by the language used, you put your server password in a code that the user can inspect will be insecure in any language of the universe, however generally speaking the language in which you develop a software interferes directly in the security of the same, regardless of the programmer.
It seems someone downvoted both answers, I was curious about the third point of view.
It was probably the same person who downvoted the question... I liked the question (and both answers), but I confess that I found it a little too wide, I even tried to give my own answer but I could not rsrs!
@Brunorb great complement, well detailed, thank you for sharing your knowledge with us all
0
"Both".
If the language exposes certain things to the attack, such as the possibility of null pointers being referenced and giving segfaults, then the language is insecure. It even requires you to police yourself not to fall into this gap!
It’s like living in a house. The gate is perhaps the least safe part, and you will always have to pay more attention to it: if you never forget to keep it locked, use a good lock and only open it when you go through it, well, no problem! But, if you wear a bad padlock, or in an oversight forget to lock up, well, hope the thieves don’t notice!
Or who knows you do not delegate the care of this gate to third parties, as in a gated community? Maybe you are interested in this tradeoff...
Maybe we realize that by looking at certain extremes. For example, the Assembly language inherently exposes the whole machine to the programmer and is absurdly less secure, while Python abstracts the whole machine and is much safer.
Browser other questions tagged security-guard language-independent
You are not signed in. Login or sign up in order to post.
High-level languages are usually safer for both the developer due to the Garbage Collectors and other facilities to avoid crashes, Leaks and application exceptions, among other advantages, how safe for users who will go through additional security layers. The . Net framework languages are a good example...
– Sérgio S. Filho
Purely theoretical answer: no, for if a language Turing-complete
A
was somehow "less secure" than another languageB
, would it be enough for you to write inA
an interpreter forB
and then program inB
, to achieve a similar level of "security". Therefore, every language [Turing-complete] is equally "secure". (Note: I am intentionally avoiding defining what "security" means, since this is a very contextual topic, can not answer in the abstract without the answer become too broad)– mgibsonbr
@mgibsonbr excellent "answer" :) Confirming what I said with much more property and concision :P
– Maniero