In a world of increasing inter-connectivity, programming languages form the foundation. Did you know that the first programming language is over 100 years old and was written by a woman, Ada Lovelace? Join as us we delve into the history, evolution, and prevalance of programming languages over the years. In addition to outlining the history of languages and how each is traditionally used, you'll find information on what type of vulnerabilities are most common in programs developed in each language and which flaws are most typically fixed once discovered.
Programming languages enable users to write programs for specific computations/algorithms.
The TIOBE index: An indicator of the popularity of various languages, based upon global numbers of engineers, courses, and third-party vendors
2013 TIOBE Index
|Position Jan 2013||Position Jan 2012||Delta in Position||Programming Language||Ratings Jan 2013||Delta Jan 2012||Status|
See Source 5
The History and Influence of Programming Languages
1957 - Fortran (short for “The IBM Mathematical Formula Translating System”) General-purpose, high-level. For numeric and scientific computing (as an alternative to assembly language). Oldest programming language still used today.
1958 - Lisp (short for “List Processor”) High-level. For mathematical notation. Several new computer science topics: tree data structures, automatic storage management, dynamic typing, and self-hosting compilers
1959 - Cobol (short for "Common Business-Oriented Language) High-level. Primarily for business computing. First programming language to be mandated by the US Department of Defense.
1964 - BASIC (acronym for “Beginner’s All-purpose Symbolic Instruction Code”) General-purpose, high-level. Designed for simplicity. Popularity exploded in the mid-‘70s with home computers; early computer games were often written in Basic, including Mike Mayfield’s Star Trek.
1970 - Pascal (after French mathematician/physicist Blaise Pascal) High-level. For teaching structured programming and data structuring. Commercial versions widely used throughout the ‘80s.
1980 - Ada (After Ada Lovelace, inventor of the first programming language) High-level. Derived from Pascal. Contracted by the US Department of Defense in 1977 for developing large software systems.
1983 - C++ (formerly “C with Classes”; ++ is the increment operator in “C”) Intermediate-level, object-oriented. An extension of C, with enhancements such as classes, virtual functions, and templates.
1983 - Objective-C (object-oriented extension of “C”) General-purpose, high-level. Expanded on C, adding message-passing functionality based on Smalltalk language.
1987 - Perl (a language named "PEARL" already existed, so "Pearl" wasn't an option...) General-purpose, high-level. Created for report processing on Unix systems. Today it’s known for high power and versatility.
1991 - Python (for British comedy troupe Monty Python – tutorials, sample code, and instructions often reference them) General-purpose, high-level. Created to support a variety of programming styles and be fun to use.
1993 - Ruby (the birthstone of one of the creator's collaborator) General-purpose, high-level. A teaching language influence by Perl, Ada, Lisp, Smalltalk, etc. Designed for productive and enjoyable programming.
1995 - Java (for the amount of coffee consumed while developing the language) General-purpose, high-level. Made for an interactive TV project. Cross-platform functionality. Second most popular language (behind C).2
1995 - PHP ("Personal Home Page") Open-source, general-purpose. For building dynamic web pages. Most widely used open-source software by enterprises.
Vulnerability Distribution on First Submission by Language
|Code Quality||86%||Cytographical Issues||78%||Error Handling||87%|
|Cyptographical Issues||73%||Code Quality||75%||Buffer Overflow||75%|
|Directory Traversal||73%||Directory Traversal||65%||Buffer Management Errors||74%|
|CRLF Injection||71%||Information Leakage||61%||Numeric Errors||74%|
|Information Leakage||56%||Time and State||46%||Cyptographic Issues||66%|
|Time and State||56%||Cross-site Scripting (XSS)||43%||Directory Traversal||55%|
|Insufficient Input Validation||54%||CRLF Injection||41%||Dangerous Functions||51%|
|Cross-site Scripting (XSS)||49%||Insufficient Input Validation||34%||Time and State||44%|
|Credentials Management||44%||SQL Injection||32%||Code Quality||40%|
|API Abuse||42%||OS Command Injection||23%||Untrusted Search Path||27%|
|SQL Injection||41%||Credentials Management||19%||Format String||24%|
|Encapsulation||26%||Untrusted Search Path||18%||Race Conditions||23%|
|Session Fixation||25%||Error Handling||18%||OS Command Injection||20%|
|OS Command Injection||21%||Buffer Management Errors||6%||API Abuse||13%|
|Race Conditions||18%||Buffer Overflow||6%||Information Leakage||11%|
Takeaways from the Above Table:
- 1843: Ada Lovelace credited with first computer programming language; wrote an algorithm for the Analytical Engine (early mechanical computer)
- There are 1.2M+ computer programmers and software developers in the US
- Creator: John Backus of IBM
- Primary Uses: Supercomputing applications (i.e. weather and climate modeling, animal and plant breeding, computational science functions)
- Used By: NASA
- Creator: John McCarthy of MIT
- Primary Uses: AL development, air defense systems
- Used By: Etsy uses Clojure, a dialect of Lisp
- Creator: Short Range Committee (SRC)
- Primary Uses: Business software (esp. finance and administration systems, but also banks, insurance agencies, governments, military agencies)
- Used By: Credit cards, ATMs
- *Fun Fact Action movie The Terminator used samples of Cobol source code for the text shown in the Terminator’s vision display.
- Creator: John George Kenny and Thomas Eugene Kurtz of Dartmouth (SRC)
- Primary Uses: Home computers, simple games, programs, utilities
- Used By: Microsoft’s Altair BASIC, Apple II
- Creator: Niklaus Wirth
- Primary Uses: Teaching programming. Also - Object Pascal, a derivative, is commonly used for Windows application development
- Used By: Apple Lisa (1983), Skype
- Creator: Dennis Ritchie of Bell Labs
- Primary Uses: Cross-platform programming, system programming, Unix programming, computer game development
- Used By: Unix
- Creator: Jean Ichbiah
- Primary Uses: Dept. of Defense, banking, manufacturing, transportation, commercial aviation
- Used By: NSTAR, Reuters, NASA, subways worldwide
- Creator: Bjarne Stroustrup
- Primary Uses: Commercial application development, embedded software, server/client applications, video games
- Used By: Adobe, Google Chrome, Mozilla Firefox, Microsoft Internet Explorer
- Creator: Brad Cox and Tom Love of Stepstone
- Primary Uses: Apple programming
- Used By: Apple’s OS X and iOS operating systems
- Creator: Larry Wall of Unisys
- Primary Uses: CGI, database applications, system administration, network programming, graphics programming
- Used By: IMDb, Amazon, Priceline, Ticketmaster
- Creator: Guido Van Rossum of CWI
- Primary Uses: Web application, software development, information security
- Used By: Google, Yahoo, Spotify
- Creator: Yukihiro Matsumoto
- Primary Uses: Web application development, Ruby on Rails
- Used By: Twitter, Hulu, Groupon
- Creator: James Gosling of Microsystems
- Primary Uses: Network programming, web application development, software development, Graphical User Interface development
- Used By: Android OS/apps
- Creator: Rasmus Lerdorf
- Primary Uses: Building/maintaining dynamic web pages, server-side development
- Used By: Facebook, Wikipedia, Digg, WordPress, Joomla
- Creator: Brendan Eich of Netscape
- Primary Uses: Dynamic web development, PDF documents, web browsers, desktop widgets
- Used By: Gmail, Adobe Photoshop, Mozilla Firefox
- CRLF highly prevalent in Java but less so in .NET languages; doesn’t rank for C/C++
- SQL Injection and Cross Site Scripting fairly prevalent in Java and .NET
- Code Quality vulnerabilities very likely to occur in Java and .NET languages, less so in C/C++
- Cryptographic issues and Directory Traversal in the Top Six for each family
- Error Handling and Buffer Overflow common in C/C++ but much less in .NET; not ranked in Java
- While Certain Values are more prevalent in some languages, producing secure code ultimately depends on secure development processes rather than which language is used.
Nine Tips for Secure Programming
- Always check for OWASP Top Ten vulnerabilities
- Ensure that sensitive data is properly encoded and encrypted
- Use access control and permissions to protect resources and limit application/user capabilities
- Validate all input and output
- Write code that is capable of handling exceptions (errors) securely
- Write code that is free of hardcoded credentials or cryptographic keys
- Use passwords and session management practices to verify users
- Store data securely
- Implement comprehensive yet realistic security policies