How secure is Java compared to other languages?


As with other aspects of cybersecurity, the level of programming language security depends on what we mean by “secure.” It’s true that Java has fewer identified vulnerabilities than some other commonly used languages. It’s also true that some newer languages appear more secure than Java, at least at first glance.

Many of the security holes that have been found in Java are the result of its popularity. Widespread usage means that thousands of bug hunters are dedicated to finding Java language vulnerabilities, which gives Java an unfair “advantage” in this field. Likewise, the implied security of some newer languages, like Ruby, could reflect their niche usage more than their integrity.  


In this article, we’ll look at how the most commonly used programming languages rank in terms of security. I’ll explain some factors that make one language less secure than another, and why identified vulnerabilities have increased so much in the past few years. Finally, I’ll suggest a few ways Java developers can reduce vulnerabilities in code.  

Bottom line: From a security perspective, vulnerabilities we know about are better than those we don’t. 

How secure is Java?

into the vulnerabilities of the most commonly used programming languages has come from WhiteSource, an open-source security and license-compliance platform. WhiteSource looked at seven of the most popular open-source programming languages: C, Java, JavaScript, Python, Ruby, PHP, and C++. Analysts then used a variety of sources to rank the languages by their number of identified vulnerabilities.

, puts it, “programming languages are like genetics, in that there are a few ancestors with common traits that have proliferated.” 

, warns about this open door for remote attackers executing arbitrary code.

Java’s relatively low number of identified vulnerabilities offers an interesting contrast to C. Java was developed long after C, in an environment where threat consciousness was much higher, so it’s no surprise that Java is far more secure. Likewise, while Ruby appears to be more secure than Java, this could be explained by the language’s relative youth and its niche application.

, a relatively new trend in which thousands of tech pros pick through a language to find vulnerabilities. These account for at least some of the increase in open source security vulnerabilities. Additionally, it’s that threat hunters scan all languages equally, but that’s not true. As one of the most commonly used languages in web development, Java is a significant target for threat hunters. In this context, Java’s third-place ranking for known vulnerabilities starts to look pretty low.

Software systems are also an order of magnitude more complicated than they were 10 years ago, which is another major factor in the increasing number of vulnerabilities found in Java and other languages. In a world where , and where every company must have a JavaScript-enabled website, it’s no surprise that has increased exponentially. Add to this the , and things start to look grim for the future of cybersecurity. 

How to avoid Java security vulnerabilities

Reading the research on security vulnerabilities might make your heart beat faster, but fear not: Java developers are in a strong position when it comes to application security. With thousands of pros scanning the language for vulnerabilities, there’s a good chance we already know about a good proportion of them. That knowledge is power.

A recent JavaWorld article offered . You can also find plenty of articles and white papers about implementing Java securely in specific environments, such as and . Let’s consider a couple of ways to reduce vulnerabilities that you might have overlooked.

Move to a DevSecOps workflow

One way to reduce vulnerabilities in Java code is to . This type of workflow makes security a paramount concern at all stages of the development process. As developers, we often forget that our software is used (and sometimes adapted) by all parts of the organization we work for. It’s no good hardening your web apps against intrusion if your marketing team is determined to undermine your efforts. Include all of your teams in the development process, and make sure that security is a consideration for every aspect of the project.

Evaluate workflow security

You should also take a good look at. Your web apps might be secure in themselves, but one of the fastest-growing sources of vulnerability for developers is the development system itself. If your development system is hacked, it becomes a portal for injecting malicious code into your software. To avoid this, make sure you . Also, be sure to implement encrypted data storage.


Although research finds that Java is less secure than some other languages, developers should take that finding with a pinch of salt. Newer and less commonly used languages might appear more secure, but that’s likely because many of their vulnerabilities have not yet been discovered—or worse, they’ve been found but not reported.

While you should know the risks and take all reasonable precautions to secure your Java apps, don’t worry too much about the rankings. As a Java developer, you at least know what you’re up against.

This story, “How secure is Java compared to other languages?” was originally published by


Copyright © 2020 IDG Communications, Inc.