C has the most serious vulnerabilities and PHP is the most vulnerable: how should programmers write code?

[Editor's note] CSDN on secure programming languages: as one of the oldest programming languages, C still accounts for the most open source vulnerabilities, but PHP has seen the biggest change. Why is PHP more vulnerable to attack?

Author | Michael Hollander

Translator | meniscus, Responsible editor | TANG

Header image | CSDN, downloaded from Oriental IC (东方IC)

Produced by | CSDN (ID: CSDNnews)

The following is the translation:

Open source vulnerabilities are on the rise again.

Since 2017 we have seen a rapid increase in the number of vulnerabilities reported in the open source community. The past year was no exception: WhiteSource's "open source vulnerability" report found that a total of 6,100 vulnerabilities were reported in 2019, compared with 4,100 in 2018.

A 50% increase between two years is enough for a headline in itself. The report also analyzes which language has the most open source vulnerabilities, which vulnerability types are most common in each language, and what these results reveal to the software development community about how to build applications.

The most serious open source vulnerability in each language in 2019: cross-site scripting

Among the open source vulnerabilities published in 2019, XSS (cross-site scripting) was the most common vulnerability type in almost all of the top programming languages.

Among these languages, the most serious C vulnerability is the buffer error (CWE-119), with improper input validation (CWE-20) ranked second.

These data point to a recurring problem in the software development community. Specifically, many of these vulnerabilities arise because developers do not place appropriate restrictions on what users can do, which in turn undermines the security of web applications.

In most cases the cause of these vulnerabilities is programming that is not rigorous enough. They suggest that attention to basic coding standards is critical to security.
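As an added illustration that is not part of the original article or of the WhiteSource report, the following C code puts the three issues named above side by side: an unchecked `strcpy` that copies without regard to the destination size (the CWE-119 buffer error), a bounded copy that validates the input length before writing (CWE-20), and a bounded HTML-escaping routine of the kind that prevents the XSS issue that tops the other languages. The function names, the 16-byte field size and the sample inputs are assumptions chosen for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed fixed field size for the illustration */

/* The buffer error the report ranks first for C (CWE-119): strcpy copies
 * until it finds a NUL byte and never looks at how large dst is. Untrusted
 * input longer than the destination overwrites whatever lies next to it. */
void copy_name_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: validate the input length before copying (CWE-20) and
 * never write past the capacity the caller declares. Returns 0 on success,
 * -1 when the input is missing or does not fit together with its NUL. */
int copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* Bounded length scan: stop at dst_size so an unterminated input
     * cannot be read beyond the region we are prepared to accept. */
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size)          /* no room left for the terminating NUL */
        return -1;

    memcpy(dst, src, len + 1);    /* len + 1 copies the NUL as well */
    return 0;
}

/* Output encoding for the XSS case: replace the five characters that change
 * meaning in HTML text and attribute context, writing into a bounded buffer.
 * Returns the number of bytes written (excluding the NUL), or -1 when the
 * escaped text would not fit. */
int html_escape(char *dst, size_t dst_size, const char *src)
{
    size_t out = 0;
    const unsigned char *p;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    for (p = (const unsigned char *)src; *p != '\0'; ++p) {
        char single[2] = { (char)*p, '\0' };
        const char *rep;
        size_t rlen;

        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = single;   break;
        }
        rlen = strlen(rep);
        if (out + rlen >= dst_size)   /* keep one byte for the NUL */
            return -1;
        memcpy(dst + out, rep, rlen);
        out += rlen;
    }
    dst[out] = '\0';
    return (int)out;
}

int main(void)
{
    /* Constructed inputs: a well-formed name, an over-long one, and markup. */
    char name[NAME_MAX];
    char page[64];

    if (copy_name_checked(name, sizeof name, "alice") == 0)
        printf("accepted: %s\n", name);
    if (copy_name_checked(name, sizeof name, "this-name-is-far-too-long-for-the-field") != 0)
        printf("rejected over-long input instead of overflowing\n");
    if (html_escape(page, sizeof page, "<b>hi</b>") >= 0)
        printf("escaped: %s\n", page);
    return 0;
}
```

The checked copy and the escaper both take the destination size as a parameter and refuse input that would not fit, which is the "appropriate restriction" on user data the article calls for; the unchecked version is shown only to make the missing check visible.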

Share of published open source vulnerabilities by language

Looking at the report as a whole, the distribution of open source security vulnerabilities across these popular languages varied over the past year.

Although C still has the most open source vulnerabilities (30%), this is because C is one of the oldest languages and is still used in some very popular open source projects. Whether you love or hate C, it is undeniable that no amount of code written in other languages can compete with it.

What is puzzling, however, is that the biggest change is in PHP, whose share of open source vulnerabilities rose from 15% in 2009 all the way to 27% in 2019. We cannot help asking two questions: first, why is PHP more vulnerable to attack? Second, is PHP really still in use?

According to the TIOBE Index for September 2019, PHP is becoming increasingly popular because its ease of use makes it welcome among web designers with limited software development skills. The language seems to trade security for that ease of use, and now that the community is getting better and better at detecting vulnerabilities, this trade-off will soon become a problem.

WordPress and other popular applications still use PHP, but the popularity of these applications will fall soon. In other words, the trend shows that PHP use is declining, and developers now tend to use more popular languages such as Python, which has topped the list in the past few years while its incidence of vulnerabilities has remained at a lower level.

Thousands of people are focused on open source security

The third question is why we now see an increase in PHP vulnerabilities. Although the answer I give is not proven, we can partly explain it by looking at trends in open source application development.

As more open source code has appeared, the open source community has attracted more and more attention. We also believe that the increased use of automated tools helps find more vulnerabilities, so more and more are found, fixed and published. Since GitHub Security Lab makes it very convenient to report open source security vulnerabilities directly, the number of published vulnerabilities will continue to rise, especially for languages with large code bases that may not have been scrutinized before.

Since WordPress, Drupal and other open source projects make extensive use of PHP, there are a lot of PHP projects in use. Researchers are reviewing these projects and discovering vulnerabilities in code that may never have been reported before.

The way forward is better programming practice

In essence, a security flaw is a bug that may lead to the destruction of the application and its data. When a programming error threatens the accessibility, integrity or confidentiality of data, it falls into the domain of security vulnerabilities. In most cases these vulnerabilities are just human error. As long as humans keep writing code, errors will occur and there will be flaws in our projects.

So our problem is how to manage the vulnerabilities in the software we use. First and foremost, we need to follow best practices for secure programming. Criticizing someone's code for not being rigorous enough is very easy, but criticism alone is not enough; we also need to improve ourselves.

In addition to following best programming practices, we also need to check the code for vulnerabilities, and not only before deployment. Building a core application on a dependency and then discovering that it has serious flaws is a very painful thing: you have to rewrite that code in silent tears. If you understand how important testing for errors is at every stage of the software development life cycle, then you should also understand that checking for security vulnerabilities that put users at risk is equally important.

Original (English): Is One Programming Language More Secure Than The Rest?

Link: https://dzone.com/articles/is-one-programming-language-more-secure

Author: Michael Hollander

Translator: meniscus

This article is a CSDN translation; please indicate the source when reprinting.


Source: blog.csdn.net/csdnnews/article/details/105321186