TechRepublic have published a lovely piece of 'click-bait' featuring alarmist claims such as "open-source libraries are increasingly untrustworthy" whilst trotting out tired, old memes and bias.

Don't panic - hold on to your PyPI!


<<<
The worst bugs in the top programming languages
by Brandon Vigliarolo in Security on December 17, 2020, 9:32 AM PST
A heatmap shows PHP has the most flaws followed by C++, then Java, .Net, JavaScript, and Python in Veracode's annual security report.
>>>
https://www.techrepublic.com/article/the-worst-bugs-in-the-top-programming-languages/

Does anyone think that code is 'bug free'? That's a 'filler topic' for any columnist lacking fresh ideas and desperate to fill a publishing deadline.

The basis is "State of Software Security v11" 'report' produced by Veracode (https://www.veracode.com/state-of-software-security-report). You will not be surprised to note that Veracode is in the business of marketing test and analysis software.

Any such report is inherently useful. They serve to ensure that we do not become complacent in our attitude to security. However, there are more "bugs" in software than fit under the heading of 'security'.

Similarly, at times the report appears to lump together C, C++, and C#; whereas at others it may not; which makes it difficult to generalise or analyse. In the same vein, infographics look nice, but what does "Code Quality" really mean?

Another observation is that many of their 'categories' apply mainly to the on-line world. Corporation-only applications are protected by network defences rather than by their own devices.

A more interesting figure, which is under-reported both in the article and within Veracode's summaries, is the period of vulnerability - how long it takes to fix a bug after it has been reported - and preferably with the 'danger' of the bug factored in. Thus a bug which doesn't allow the addition of new user-credentials is quite a different matter from one which allows existing users to upgrade themselves to 'super-user'. Such analysis is possibly available, but not in the summaries (above).

A quick dip into Veracode's 'vulnerability database' yielded the following intelligence:

Top three "library artefacts" with Python as [the only] keyword:
- firefox
- thunderbird
- linux-rt

Is Python 'counted' in these cases because it is involved somewhere within the package, because it is the majority-language used, because it is the only language employed, or because its use contributes to most of the faults-found?

Finally, such reports are primarily marketing tools, and thus notorious for bias or superficial content. Veracode do not declare the range, or limits on the range, of software they've analysed. Companies such as Microsoft and Oracle (plus, plus, ...) do not allow just anyone to analyse their source-code - whereas 'open source' is available for analysis, by definition! An easy 'target' for shallow analysis?


At this point I gave up, lacking the interest to fill out the contact-form, or to read the entire report.


The good news is that, of the six languages headlined in the summaries, Python comes off 'best' (cf .Net, C++, Java, JavaScript, and PHP).
--
Regards,
=dn
--
https://mail.python.org/mailman/listinfo/python-list
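As an added illustration of the 'period of vulnerability' metric the post asks for (a severity-weighted time-to-fix, with still-open flaws counted as exposed up to a snapshot date), here is a small Python example. It is not code from the post, the list, or Veracode's report; the severity weights and the sample records are constructed for the illustration.

```python
"""Severity-weighted remediation window over a constructed list of flaws.

Added example, not from the post or from Veracode's report. Each record
holds the date a flaw was reported, the date it was fixed (or None while
still open) and a severity label. Flaws still open at the snapshot date
are counted as exposed up to that date rather than being dropped, which
is the edge case that skews a naive "mean days to fix".
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Hypothetical weights: the post only asks that the bug's 'danger' be
# factored in, it does not prescribe a scale.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}


@dataclass(frozen=True)
class Flaw:
    flaw_id: str
    severity: str
    reported: date
    fixed: Optional[date]  # None while the flaw is still open


def exposure_days(flaw: Flaw, snapshot: date) -> int:
    """Days from report to fix, or to the snapshot date when still unfixed."""
    if flaw.fixed is not None and flaw.fixed <= snapshot:
        end = flaw.fixed
    else:
        end = snapshot
    if end < flaw.reported:
        raise ValueError(f"{flaw.flaw_id}: end date precedes report date")
    return (end - flaw.reported).days


def weighted_exposure(flaws: Iterable[Flaw], snapshot: date) -> float:
    """Severity-weighted mean exposure window in days (0.0 for empty input).

    A critical flaw open for a week therefore counts ten times as much as a
    low-severity flaw open for the same week.
    """
    total_weight = 0
    weighted_days = 0
    for f in flaws:
        w = SEVERITY_WEIGHT[f.severity]
        total_weight += w
        weighted_days += w * exposure_days(f, snapshot)
    return weighted_days / total_weight if total_weight else 0.0


def mean_by_severity(flaws: Iterable[Flaw], snapshot: date) -> Dict[str, float]:
    """Plain (unweighted) mean exposure window, grouped by severity label."""
    buckets: Dict[str, List[int]] = {}
    for f in flaws:
        buckets.setdefault(f.severity, []).append(exposure_days(f, snapshot))
    return {sev: sum(days) / len(days) for sev, days in buckets.items()}


def open_flaws(flaws: Iterable[Flaw], snapshot: date) -> List[str]:
    """Ids of flaws not yet fixed as of the snapshot date."""
    return [f.flaw_id for f in flaws if f.fixed is None or f.fixed > snapshot]


# Constructed sample data for the illustration.
SNAPSHOT = date(2020, 4, 14)
SAMPLE = [
    Flaw("F-1", "critical", date(2020, 1, 10), date(2020, 1, 17)),  # fixed in 7 days
    Flaw("F-2", "low", date(2020, 2, 1), date(2020, 3, 2)),         # fixed in 30 days
    Flaw("F-3", "high", date(2020, 3, 15), None),                   # still open: 30 days
]

if __name__ == "__main__":
    print("weighted mean exposure (days):", round(weighted_exposure(SAMPLE, SNAPSHOT), 2))
    print("mean by severity:", mean_by_severity(SAMPLE, SNAPSHOT))
    print("still open at snapshot:", open_flaws(SAMPLE, SNAPSHOT))
```

The point of the weighting is visible in the sample: the plain mean of the three windows is about 22 days, but because the quick fix was the critical one and the slow fixes were low and high, the weighted figure comes out lower (about 17 days). Dropping the unfixed flaw instead of counting it to the snapshot would understate exposure further.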
