As with other aspects of cyber security, the level of programming language security depends on what is meant by "secure".
It's true that Java has fewer identified vulnerabilities than some other commonly used languages. It's also true that some newer languages appear more secure than Java, at least at first glance.
Many of the security holes that have been found in Java are the result of its popularity. Widespread usage means that thousands of bug hunters are dedicated to finding Java language vulnerabilities, which gives Java an unfair "advantage" in this field. Likewise, the implied security of some newer languages, like Ruby, could reflect their niche usage more than their integrity.
In this article, we'll look at how the most commonly used programming languages rank in terms of security. I'll explain some factors that make one language less secure than another, and why identified vulnerabilities have increased so much in the past few years. Finally, I'll suggest a few ways Java developers can reduce vulnerabilities in code.
Bottom line: From a security perspective, vulnerabilities we know about are better than those we don't.
How secure is Java?
Recent research into the vulnerabilities of the most commonly used programming languages has come from WhiteSource, an open-source security and license-compliance platform.
Why open source?
The decision to rank open source languages is not incidental. Many proprietary languages—including proprietary implementations of open source languages—are far less transparent when it comes to vulnerabilities.
It doesn't make business sense for a private company to publish security flaws in its product, so we remain largely in the dark about the vulnerability level of those languages. Flaws we know about are far more manageable than those we don't know about.
Understanding programming language security
Next, we should ask why some programming languages are more vulnerable than others. Based on the research I've cited, you might conclude that C represents an enormous security threat. But consider that C has been in use for much longer than any other language on the list.
As Stephen Turner, writing in the Journal of Technology Research, puts it, "programming languages are like genetics, in that there are a few ancestors with common traits that have proliferated."
As the oldest language on the list, C was developed in a completely different threat environment from relatively newer languages like Java and Ruby.
As WhiteSource points out, C's relative age means it has a correspondingly higher volume of written code. C is also one of the languages used for major infrastructures like OpenSSL and the Linux kernel. That combination of volume and centrality can lead to a higher number of known open source vulnerabilities.
Though Java performs well in this analysis, the authors highlight two types of vulnerability that especially impact Java. First, they note that US-CERT has long warned us about Java's vulnerability to log injection attacks, mainly through web browsers.
Such attacks can be averted through validation or authentication of submitted input, but developers are often reluctant to validate input thoroughly for fear that this could make their apps less user-friendly.
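To make the log injection point concrete, here is an added example (not code from this article or from WhiteSource) that builds a log line by plain string concatenation beside a version that neutralises the line breaks and control characters an injected value would need in order to forge a separate entry; the class and method names, and the sample username, are constructed for illustration.

```java
import java.util.logging.Logger;

public class LogInjectionDemo {
    private static final Logger LOG = Logger.getLogger(LogInjectionDemo.class.getName());

    // Vulnerable: the user-controlled value is written into the log line unchanged.
    // A value containing a newline followed by text shaped like a log record
    // appears to a reader (or a log parser) as a second, forged entry.
    static String vulnerableLine(String username) {
        return "login failed for user=" + username;
    }

    // Hardened: replace CR/LF so one request can only ever produce one log record,
    // and render any other control character visibly instead of passing it through.
    static String sanitizeForLog(String input) {
        if (input == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(input.length());
        for (char c : input.toCharArray()) {
            if (c == '\r' || c == '\n') {
                sb.append('_');
            } else if (Character.isISOControl(c)) {
                sb.append(String.format("\\x%02x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    static String hardenedLine(String username) {
        return "login failed for user=" + sanitizeForLog(username);
    }

    public static void main(String[] args) {
        // Constructed sample input: a username that smuggles in a fake "login ok" record.
        String hostile = "alice\n2024-01-01 12:00:00 INFO login ok user=admin";
        System.out.println("vulnerable:\n" + vulnerableLine(hostile));
        System.out.println("hardened:\n" + hardenedLine(hostile));
        // Only the sanitised form should ever reach the real logger.
        LOG.warning(hardenedLine(hostile));
    }
}
```

The same sanitisation belongs in front of any logging framework, not just java.util.logging, and is cheap enough that it does not affect the user-facing behaviour developers worry about.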
Second, Java is particularly vulnerable to trust exploits that follow access-control vulnerabilities. Though certification processes have improved since 2013, many developers rely on certificates from authorities that are less than reliable. It is possible to get a certificate that is less stringent than it should be.
US-CERT, quoted in the Journal of Technology Research, warns about this open door for remote attackers executing arbitrary code.
Java's relatively low vulnerability offers an interesting contrast to C. Java was developed long after C, in an environment where threat consciousness was much higher, so it's no surprise that Java is far more secure. Likewise, while Ruby appears to be more secure than Java, this could be explained by the language's relative youth and its niche application.
Security vulnerabilities are on the rise—sort of
WhiteSource reports a "substantial rise in the number of known open source security vulnerabilities across all languages over the past two years." Though the overall number of vulnerabilities in Java has steadily decreased since 2015, the more recent spike in the number of vulnerabilities requires an explanation. We can attribute this increase to two factors.
First, there are bug bounties, a relatively new trend in which thousands of tech pros pick through a language to find vulnerabilities. These account for at least some of the increase in open source security vulnerabilities.
Additionally, it's generally assumed that threat hunters scan all languages equally, but that's not true. As one of the most commonly used languages in web development, Java is a significant target for threat hunters. In this context, Java's third-place ranking for known vulnerabilities starts to look pretty low.
Software systems are also an order of magnitude more complicated than they were 10 years ago, which is another major factor in the increasing number of vulnerabilities found in Java and other languages.
How to avoid Java security vulnerabilities
Reading the research on security vulnerabilities might make your heart beat faster, but fear not: Java developers are in a strong position when it comes to application security. With thousands of pros scanning the language for vulnerabilities, there's a good chance we know about a good proportion of the vulnerabilities in the language. That knowledge is power.
A recent JavaWorld article offered 13 rules for developing secure Java applications. You can also find plenty of articles and white papers about implementing Java securely in specific environments, such as cloud security for Java and web app security for Java. Let's consider a couple of ways to reduce vulnerabilities that you might have overlooked.
Move to a DevSecOps workflow
One way to reduce vulnerabilities in Java code is to move to a DevSecOps workflow. This type of workflow makes security a paramount concern at all stages of the development process.
As developers, we often forget that our software is used (and sometimes adapted) by all parts of the organisation we work for. It's no good hardening your web apps against intrusion if your marketing team is determined to undermine your efforts. Include all of your teams in the development process, and make sure that security is a consideration for every aspect of the project.
Evaluate workflow security
You should also take a good look at the security of your own workflow. Your web apps might be secure in themselves, but one of the fastest-growing sources of vulnerability for developers is the development system itself.
If your development system is hacked, it becomes a portal for injecting malicious code into your software. To avoid this, make sure you use a VPN to encrypt all of your internal communications. Also, be sure to implement encrypted data storage.
Although research finds that Java is less secure than some other languages, developers should take that finding with a pinch of salt. Newer and less commonly used languages might appear more secure, but that's likely because many of their vulnerabilities have not yet been discovered—or worse, they've been found but not reported.
While you should know the risks and take all reasonable precautions to secure your Java apps, don't worry too much about the rankings. As a Java developer, you at least know what you're up against.