The issue is more of secure coding than which languages are better for the cloud. (I'm also going to say defense in depth, you knew that was coming.) For example, with historic languages like C, you avoid issues of improper variable assignment because it's a strongly typed language, but you can still have issues if you improperly use printf/sprintf.
Tools such as Go, Python, JavaScript, PHP and even Java are predominant in creating web-delivered applications. All have risks, particularly when integrating externally developed components, whether libraries, or simply code segments downloaded from sources like Stack Overflow or Reddit. The security of your CI/CD pipeline (or SDLC processes for old-farts like me) is the place to focus. Static and dynamic code testing has to occur rigorously, and that needs to be an automated component in the process or it's going to get skipped. Make sure that your code repositories are secure, that commits are validated, internet-facing repositories require multi-factor authentication to access, and that passwords/SSH and other authentication secrets are not stored there.
Lastly, the deployment environment also has to be secured: only install needed components, don't run with privileges, etc. When looking at cloud options, understand what that looks like. Recall a few weeks ago when Azure (I think, may have been AWS) had a vulnerability in their serverless containers as those containers were running with privileges. (Which allows for a container escape.)
The environment supporting the language chosen is at least as important, if not more so, to ensure that you're delivering secure/stable applications.
Lee
------------------------------
Lee Neely CISSP, CISA,CRISC, CISM, GMOB, GPEN, GPYC, GAWN, G
CSA BOI
Boise ID
------------------------------
Original Message:
Sent: Apr 08, 2021 10:27:46 AM
From: Jenna Morrison
Subject: Security of Programming Languages
Hello,
I read this article: Most Secure Programming Languages - WhiteSource that talked about the security vulnerabilities of some different languages. I was curious to know what everyone else's perspective on this topic is. Are there some programming languages that are inherently more secure than others? Specifically, when talking about setting up cloud architecture, is there a language that is better to use than others, security-wise?
Thanks :)
------------------------------
Jenna Morrison
Training Department Intern
Cloud Security Alliance
------------------------------
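The printf/sprintf point raised in the reply above, as an added example that is not part of the original thread: the risky form (compiled out by default) next to a bounded form that treats caller text as data and reports truncation. The function names, the `SHOW_UNSAFE` macro and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#ifdef SHOW_UNSAFE
/* Risky form, kept for contrast and compiled out by default:
 * the caller's text is used as the format string, so any '%'
 * directives in it are interpreted, and sprintf has no idea
 * how large 'out' is, so long input writes past the buffer. */
void log_line_unsafe(char *out, const char *user_text)
{
    sprintf(out, user_text);
}
#endif

/* Hardened form: fixed format string, explicit buffer size,
 * and the snprintf return value checked for truncation.
 * Returns 0 on success, -1 on bad arguments, encoding error
 * or truncation (out is still NUL-terminated when truncated). */
int log_line_safe(char *out, size_t out_len, const char *user_text)
{
    if (out == NULL || out_len == 0 || user_text == NULL)
        return -1;

    /* user_text is only ever an argument to %s, never the format */
    int n = snprintf(out, out_len, "user=%s", user_text);

    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return 0;
}

int main(void)
{
    char buf[16];
    /* Constructed sample inputs: normal, format-like, oversized */
    const char *samples[] = { "alice", "%s%s%s%s",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = log_line_safe(buf, sizeof buf, samples[i]);
        printf("rc=%d buf=\"%s\"\n", rc, buf);
    }
    return 0;
}
```

Compiler warnings such as GCC's `-Wformat -Wformat-security` flag the compiled-out form, which is one way the automated static testing mentioned in the reply catches this class of mistake.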