Which is the most secure programming language ever?

I am sometimes asked which is the most secure programming language to use in real-world web applications.

The short answer is: none, or better, every programming language is secure enough to be used in the real world if it is used with security in mind.

Lazy project managers or less skilled developers tend to look for shortcuts to secure software. Sometimes buying a security product is seen as the panacea that solves every issue that can arise.

This is not true. Security in computer science is a process, not a product you buy.

You must keep a vulnerability management policy in place so that your servers are constantly kept up to date. You must have your software architecture documented and built with security in mind. You must not rely on your users: enforce security constraints in your code to keep them off risky paths.

There is no firewall you can buy that makes your customers safe from a poorly written algorithm or from an unsafe cryptographic function you chose to use.

And this is a completely language-agnostic topic.

You can write secure code in Pascal, C, Ruby, Perl and even Visual Basic. The TIOBE index must be read as a popularity index among developers, not as a report on which language you must use to write secure or robust software.

Remember that you must be comfortable with the language you use. If you are an experienced senior Delphi developer, you will likely write better software in Delphi than in Ruby or in a more popular language.

So choose the technologies you are most familiar with. Go deep with them, be curious, and use test-driven development practices so that the code is tested before it is deployed.

There is no magic bullet for software security.

The role of web frameworks

Of course, what I said about programming languages is complemented by the frameworks published to help developers write web applications.

Rails provides an anti-cross-site request forgery (CSRF) token and HTML escaping helpers that make Cross-Site Scripting (XSS) harder to exploit successfully.

ASP.NET provides the VIEWSTATE which, when its MAC validation is enabled, lets the framework detect tampering with the state it round-trips through the client; ordinary request parameters still need your own server-side validation. Microsoft has also released an Anti-XSS library that anybody can use in .NET projects.

Spring Security provides security features that can be embedded in Java EE (J2EE) projects.

I am pretty sure that other frameworks offer similar features, and if they don't, there is the OWASP ESAPI project you can use to raise your web application's security level.
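To show what the Rails-style anti-CSRF token and HTML escaping mentioned above actually do, here is an added example in plain Ruby. It is not code from the original post nor from Rails itself: the session is modelled as a Hash, the `authenticity_token` field name is borrowed from Rails only as a convention, and the request parameters are constructed for the example. Generation uses a random per-session token, validation compares it in constant time, and `html_escape` neutralises markup in user input before it is echoed into a page.

```ruby
require "securerandom"
require "erb"

# Added example, not from the original post or from Rails.
# Session storage is modelled as a plain Hash (assumption for the example).
CSRF_TOKEN_KEY = "_csrf_token"

# Issue (or reuse) a random per-session token and keep it server-side.
def csrf_token(session)
  session[CSRF_TOKEN_KEY] ||= SecureRandom.urlsafe_base64(32)
end

# HTML-escape untrusted text before interpolating it into markup.
# ERB::Util.html_escape handles & < > " and '.
def html_escape(text)
  ERB::Util.html_escape(text.to_s)
end

# Hidden form field carrying the token; the value is escaped like any other.
def csrf_hidden_field(session)
  %(<input type="hidden" name="authenticity_token" value="#{html_escape(csrf_token(session))}">)
end

# Constant-time string comparison: the loop runs over every byte regardless of
# where the first mismatch is, so timing does not leak the token byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  expected_bytes = a.unpack("C*")
  diff = 0
  b.each_byte { |byte| diff |= byte ^ expected_bytes.shift }
  diff.zero?
end

# A state-changing request is valid only if the submitted token matches the
# one stored in the session; a missing session token or parameter fails closed.
def valid_csrf?(session, submitted)
  expected = session[CSRF_TOKEN_KEY]
  return false if expected.nil? || submitted.nil?
  secure_compare(expected, submitted.to_s)
end

# Simulated POST handler: reject forged requests, escape the echoed name.
# Returns [status, body] so the result can be inspected.
def handle_post(session, params)
  unless valid_csrf?(session, params["authenticity_token"])
    return [403, "Forbidden: invalid CSRF token"]
  end
  [200, "<p>Hello, #{html_escape(params["name"])}</p>"]
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = csrf_token(session)
  puts csrf_hidden_field(session)
  # Constructed requests: one legitimate, one forged (no token), one with XSS payload.
  p handle_post(session, { "authenticity_token" => token, "name" => "Alice" })
  p handle_post(session, { "name" => "Alice" })
  p handle_post(session, { "authenticity_token" => token, "name" => "<script>alert(1)</script>" })
end
```

The forged request is rejected because the attacker's page cannot read the victim's session token, and the script tag in the third request reaches the browser as inert text rather than executable markup. A real application would also tie the token to the session cookie lifetime and rotate it on login, which this example omits.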
