CCSK

  • 1.  Security of Programming Languages

    Posted Apr 08, 2021 10:28:00 AM
    Hello,

    I read this article: Most Secure Programming Languages - WhiteSource that talked about the security vulnerabilities of some different languages. I was curious to know what everyone else's perspective on this topic is. Are there some programming languages that are inherently more secure than others? Specifically, when talking about setting up cloud architecture, is there a language that is better to use than others, security wise?

    Thanks :)

    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------


  • 2.  RE: Security of Programming Languages

    Posted Apr 09, 2021 01:01:00 PM

    Great question @Jenna Morrison! I am also curious about this topic.

    Best,​



    ------------------------------
    Anna Campbell Schorr
    Training Content Development
    Cloud Security Alliance
    [email protected]
    ------------------------------



  • 3.  RE: Security of Programming Languages
    Best Answer

    Posted Apr 12, 2021 08:37:00 AM
    The issue is more of secure coding than which languages are better for the cloud.  (I'm also going to say defense in depth, you knew that was coming.) For example, with historic languages like C, you avoid issues of improper variable assignment because it's a strongly typed language, but you can still have issues if you improperly use printf/sprintf.

    Tools such as Go, Python, JavaScript, PHP and  even Java are predominant in creating web delivered applications. All have risks particularly when integrating externally developed components, weather libraries, or simply code segments downloaded from sources like Stack Overflow or Reddit.   The security of your Ci-Cd pipeline (or SDLC processes for old-farts like me) is the place to focus. Static and dynamic code testing has to occur rigorously, and that needs to be an automated component in the process or it's going to get skipped. Make sure that your code repositories are secure, that commits are validated, internet facing repositories require multi-factor authentication to access, and that passwords/SSH and other authentication secrets are not stored there.

    Lastly, the deployment environment has to also be secured, only install needed components, don't run with privileges, etc. When looking at cloud options, understand what that looks like. Recall a few weeks ago when Azure (I think, may have been AWS) had a vulnerability in their server-less containers as those containers were running with privileges. (Which allows for a container escape.)

    The environment supporting the language chose is at least, if not more so, important to ensure that you're delivering secure/stable applications.
    Lee

    ------------------------------
    Lee Neely CISSP, CISA,CRISC, CISM, GMOB, GPEN, GPYC, GAWN, G
    CSA BOI
    Boise ID
    ------------------------------



  • 4.  RE: Security of Programming Languages

    Posted Apr 14, 2021 06:27:00 AM
    Edited by Nicholas Grove Apr 14, 2021 06:28:23 AM
    Such an intentioned answer @Lee Neely – always enjoy reading your thoughts Lee (be it in SANS NewsBites and now, here). We appreciate you!

    ------------------------------
    CISSP, CCSP, CASP+, et al. | Cybersecurity • Supply Chain • Education | www.linkedin.com/in/nicholasgrove/
    ------------------------------



  • 5.  RE: Security of Programming Languages

    Posted Apr 14, 2021 07:36:00 AM
    Aww shucks, thanks for the kind words @Nicholas Cahall
    It's great to be here, hope I can help with the CCSK.​

    ------------------------------
    Lee Neely CISSP, CISA,CRISC, CISM, GMOB, GPEN, GPYC, GAWN, G
    CSA BOI
    Boise ID
    ------------------------------



  • 6.  RE: Security of Programming Languages

    Posted Apr 14, 2021 11:47:00 AM
    Thank you for your detailed response! This is all very helpful as I continue to learn more about cloud architecture and how all the components work together. I appreciate it!

    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------



  • 7.  RE: Security of Programming Languages

    Posted May 11, 2021 11:43:00 AM

    Thank you for the response @Lee Neely! I really enjoyed reading your reply and it was very thought-provoking.

    Best,​



    ------------------------------
    Anna Campbell Schorr
    Training Content Development
    Cloud Security Alliance
    [email protected]
    ------------------------------