Whether you’re looking to update existing knowledge or acquire new skills, knowing the security implications of the language in question is critical to bolstering your application against security compromises. All software and computing systems are developed with programming languages; if not properly handled, programming language vulnerabilities eventually become exploitable software vulnerabilities.
What is a programming language?
For the uninitiated, a programming language is a systematic way to write coded instructions for a computing system to understand and execute. Programming languages are used to develop software programs, scripts, and other sets of instructions for computers to execute. C, C++, PHP, SQL, and Java are popular programming languages.
What is a programming language vulnerability?
Programming language vulnerabilities are weaknesses that allow cyber attackers—either through crafted input or through a flaw in the code itself—to insert or execute malicious instructions and gain some advantage.
The following are 7 programming languages most likely to be exploited by cyber attackers.
1. ColdFusion
ColdFusion is a rapid application development (RAD) platform for building modern web applications. Designed to be expressive and powerful, ColdFusion consists of an application server framework that works with various web servers and databases to deliver dynamic content on the fly. In the past, cyber attackers have exploited ColdFusion to install data-stealing malware that runs as a module of Microsoft’s Internet Information Services (IIS) web server software.
2. PHP
PHP is a highly popular programming language that serves as the foundation for leading open source content management systems (CMS) such as Drupal, Joomla, and WordPress. Cyber attackers have successfully used various web scripting exploitation methods, such as SQL injection, cross-site scripting (XSS), and source code disclosure, to compromise PHP web applications.
3. ASP
Microsoft’s Active Server Pages (ASP)—also known as Classic ASP—is a platform that enables scripts in web pages to be executed by a web server, usually Microsoft IIS. Security gaps in ASP applications usually involve input data that is not validated and sanitized.
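The SQL injection risk mentioned for PHP and the unvalidated-input problem mentioned for ASP come down to the same mistake: splicing request data into a query as text. The following is an added example, not code from the original article; it uses an in-memory SQLite database via PDO, a constructed sample user and a constructed input value, and shows the vulnerable lookup beside its hardened form with input validation and output escaping.

```php
<?php
// Added example (not from the original article). In-memory SQLite so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$db->exec("INSERT INTO users (name, email) VALUES ('O''Brien', 'ob@example.com')");

// Constructed request input. An apostrophe is legitimate in a name, but once
// spliced into SQL text it becomes part of the query's grammar.
$name = "O'Brien";

// Vulnerable form: the input is concatenated into the query string. The quote
// ends the string literal and the remainder is parsed as SQL, which is the
// injection surface described in the article. With this input the query merely
// fails with a syntax error; crafted input could change what the query does.
function lookupUnsafe(PDO $db, string $name): string {
    try {
        $sql = "SELECT email FROM users WHERE name = '" . $name . "'";
        $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['email'] : 'not found';
    } catch (PDOException $e) {
        return 'query failed: ' . $e->getMessage();
    }
}

// Hardened form: an allow-list validation step rejects anything that is not a
// plausible name, a prepared statement keeps data separate from SQL grammar so
// the quote is just a byte in the bound parameter, and the value is escaped with
// htmlspecialchars before being placed in HTML (the matching XSS defense).
function lookupSafe(PDO $db, string $name): string {
    if (!preg_match("/^[\p{L}\p{M}' .-]{1,64}$/u", $name)) {
        return 'rejected: invalid name';
    }
    $stmt = $db->prepare("SELECT email FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $email = $row ? $row['email'] : 'not found';
    return htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
}

echo "unsafe: " . lookupUnsafe($db, $name) . PHP_EOL;
echo "safe:   " . lookupSafe($db, $name) . PHP_EOL;
```

The unsafe lookup fails on ordinary data containing a quote, which is the same parsing behaviour an attacker relies on; the safe lookup returns the stored address unchanged.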
4. Visual Basic
Visual Basic—also referred to as Visual Basic .NET or VB—is a major revision of earlier Microsoft VB products. The object-oriented language is prone to an exploitation technique called buffer overflow. For example, the Microsoft Animation ActiveX control in Visual Basic 6.0 allows remote cyber attackers to run arbitrary code via an AVI video file, causing memory corruption and allocation errors. Visual Basic applications are also prone to race conditions: an undesirable situation in which a device or system attempts to perform two or more operations at the same time that should have run in sequence.
5. C#
C# (pronounced “C Sharp”) is a language that uses the fundamental operators and style of C++ while borrowing some concepts from Visual Basic. C# mitigates many common exploits such as buffer overflows and significantly reduces the likelihood of race conditions. With the .NET framework, C# applications can be scanned for vulnerabilities. However, C# is still prone to other web application attacks, including SQL injection, packet sniffing, session hijacking, and cross-site scripting.
6. Java
Java remains the most widely used programming language today; consequently, its security weaknesses and flaws are also well known. The language is multi-threaded (it can handle multiple requests or processes concurrently), which can lead to deadlocks (two or more competing actions each waiting for the other to finish) and race conditions when poor programming practices are used and exploited by cyber attackers.
The chart below summarizes each programming language’s relative performance when it comes to security policy compliance:
C and C++—two compiled languages—are the only ones of the lot demonstrating 60% compliance with security policies. The two worst performers in this regard are the scripting languages PHP and ASP, with test pass rates of 19% and 17%, respectively.
In short, all programming languages and applications can be exploited, not just the 7 discussed above. Ultimately, it’s up to the software programmer to understand the nuances of the chosen language, employ secure software design methods, implement proper input validation and data sanitization, and follow other security practices.