Software Language Impedance Mismatch

Ben Laurie rips a report on software security for suggesting that C and other languages introduce software insecurity because they don’t prevent buffer overflows:

So, what’s wrong with that statement? Firstly, I think we’ve got past the idea that there’s something extra special about buffer overflows as a security issue. Yes, there are many languages that prevent them completely (e.g. PHP, amusingly), but they don’t magically produce secure programs either. Indeed, pretty much all languages used for web development are “safe” in this respect, and yet the web is a cesspit of security problems, so how did that help?

Thirdly, talking about “unsafe” languages implies that there might be “safe” ones. Which is nonsense.

Ben makes the excellent point that languages such as Java and C# eliminate buffer overflows and a couple of other risks; they don’t necessarily result in more secure applications. For example, one problem I regularly see in practice is failing to prevent injection attacks (SQL, OS, etc). It doesn’t matter what language you develop in if you take the user-supplied data and stick whatever they tell you into a SQL query.

And BTW a SQL injection attack on an unprotected system is a whole lot easier to do than a buffer overflow attack, especially for disgruntled ex-employees that have details of the back end DB. It’s not even hard.

But this does raise the interesting question: why do we choose the languages that we do? In some cases it’s because there is a team standard. Or perhaps you join a project already in progress. In some cases it’s chosen because it’s what you know best.

But sometimes it’s done to reduce impedance mismatch. For example, I have on occasion had to write ISAPI filters and Apache modules. I suppose I could try to write an Apache module in Java, but I would spend an inordinate amount of time trying to bridge between the Java and C worlds. I could try to do it in C#, if the module only had to run in Apache for Windows, but again that takes a lot of extra work and in the end it would be unlikely to be worth it.

As another example I have had to write provisioning connectors for both MIIS and Sun IdM. I wouldn’t try to write a MIIS connector in Java and I wouldn’t try to write a Sun IdM connector in C#.

So forget about people telling you what language is “safest” or “easiest”. Choose the one that fits the job at hand. If you don’t know a language that fits the job, team with someone who does or outsource the work.

But please do scrub those SQL statement parameters.
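To make the point about injection concrete (the earlier paragraph about sticking user-supplied data into a SQL query, and the closing plea to scrub parameters), here is an added example that is not from the original post. It uses a constructed in-memory SQLite table and contrasts a lookup that splices the input into the SQL text with one that binds it as a parameter; the table contents and function names are assumptions for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database standing in for the back-end DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Vulnerable: the caller's text becomes part of the SQL statement.

    Whatever the caller supplies can change the query's structure, not just
    the value being compared, which is the injection problem the post warns about.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Hardened: the value is bound to a placeholder by the driver.

    The SQL text is fixed at development time and the input is only ever
    treated as data, so no amount of quoting in the input alters the query.
    """
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # constructed input that is not a real user name
    print("unsafe:", lookup_unsafe(db, probe))   # every row comes back
    print("safe:  ", lookup_safe(db, probe))     # no such user, as intended
```

On a normal name both functions agree; on the quoted probe the concatenating version returns the whole table while the parameterised version returns nothing, which is the behaviour the fix must preserve regardless of the host language.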

