"Worst bugs" and Python?

dn PythonList at DancesWithMice.info
Fri Dec 18 16:35:23 EST 2020


TechRepublic have published a lovely piece of 'click-bait' featuring 
alarmist claims such as "open-source libraries are increasingly 
untrustworthy" whilst trotting out tired, old memes and bias.

Don't panic - hold on to your PyPI!


<<<
The worst bugs in the top programming languages
by Brandon Vigliarolo in Security on December 17, 2020, 9:32 AM PST
A heatmap shows PHP has the most flaws followed by C++, then Java, .Net, 
JavaScript, and Python in Veracode's annual security report.
 >>>
https://www.techrepublic.com/article/the-worst-bugs-in-the-top-programming-languages/

Does anyone think that code is 'bug free'? That's a 'filler topic' for 
any columnist lacking fresh ideas and desperate to fill a publishing 
deadline.

The basis is "State of Software Security v11" 'report' produced by 
Veracode (https://www.veracode.com/state-of-software-security-report). 
You will not be surprised to note that Veracode is in the business of 
marketing test and analysis software.

Such reports are inherently useful. They serve to ensure that we do 
not become complacent in our attitude to security. However, there are 
more "bugs" in software than fit under the heading of 'security'.

Similarly, at times the report appears to lump together C, C++, and C#, 
whereas at others it does not, which makes it difficult to generalise 
or analyse. In the same vein, infographics look nice, but what does 
"Code Quality" really mean?

Another observation is that many of their 'categories' apply mainly to 
the on-line world. Corporation-only applications are protected by 
network defences rather than by their own devices.

A more interesting figure, which is under-reported both in the article 
and within Veracode's summaries, is the period of vulnerability - how 
long it takes to fix a bug after it has been reported - and preferably 
with the 'danger' of the bug factored-in. Thus a bug which doesn't allow 
the addition of new user-credentials is quite a different matter from 
one which allows existing users to upgrade themselves to 'super-user'. 
Such analysis is possibly available, but not in the summaries (above).

A quick dip into Veracode's 'vulnerability database' yielded the 
following intelligence:

Top three "library artefacts" with Python as [the only] keyword:
- firefox
- thunderbird
- linux-rt

Is Python 'counted' in these cases because it is involved somewhere 
within the package, because it is the majority-language used, because it 
is the only language employed, or because its use contributes to most of 
the faults-found?

Finally, such reports are primarily marketing tools, and thus notorious 
for bias or superficial content. Veracode do not declare the range, or 
limits on the range, of software they've analysed. Companies such as 
Microsoft and Oracle (plus, plus, ...) do not allow just-anyone to 
analyse their source-code - whereas 'open source' is available for 
analysis, by definition! An easy 'target' for shallow analysis?


At this point I gave up, lacking the interest to fill-out the 
contact-form, or to read the entire report.


The good news is that, of the six languages headlined in the summaries, 
Python comes off 'best' (cf. .Net, C++, Java, JavaScript, and PHP).
-- 
Regards,
=dn
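As an added illustration (not part of the post above, and not Veracode's data or methodology), the "period of vulnerability with the danger factored in" that =dn asks for can be computed from per-finding records. The finding records, the severity weights, and the reference date below are constructed assumptions; the point is that a still-open flaw keeps accruing exposure until the reference date rather than dropping out of the statistics.

```python
"""Severity-weighted 'period of vulnerability' over a set of findings.

Constructed sample data, not from any real report: each record is one
reported flaw, with the language it was found in, a severity rating, the
date it was reported and (if fixed) the date the fix shipped.
"""
from datetime import date
from statistics import median

# Assumed mapping of severity onto 'danger'; any monotonic scale would do.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}

# Reference date for findings that are still open (assumption).
AS_OF = date(2020, 6, 1)

# Constructed findings (hypothetical; not from Veracode or TechRepublic).
FINDINGS = [
    {"lang": "Python", "severity": "high",     "reported": date(2020, 1, 10), "fixed": date(2020, 1, 17)},
    {"lang": "Python", "severity": "low",      "reported": date(2020, 2, 1),  "fixed": date(2020, 3, 30)},
    {"lang": "Python", "severity": "critical", "reported": date(2020, 4, 3),  "fixed": date(2020, 4, 5)},
    {"lang": "PHP",    "severity": "critical", "reported": date(2020, 1, 5),  "fixed": date(2020, 3, 5)},
    {"lang": "PHP",    "severity": "medium",   "reported": date(2020, 2, 20), "fixed": date(2020, 2, 28)},
    {"lang": "PHP",    "severity": "high",     "reported": date(2020, 5, 1),  "fixed": None},
]


def open_days(finding, as_of):
    """Days the flaw was (or has been) exploitable: reported -> fixed,
    or reported -> as_of if no fix has shipped yet."""
    end = finding["fixed"] or as_of
    return (end - finding["reported"]).days


def time_to_fix_by_language(findings, as_of):
    """Per language: median days-to-fix, severity-weighted exposure
    (sum of weight * open days), and the number of flaws still open."""
    by_lang = {}
    for f in findings:
        row = by_lang.setdefault(
            f["lang"], {"days": [], "weighted_exposure": 0, "still_open": 0}
        )
        days = open_days(f, as_of)
        row["days"].append(days)
        row["weighted_exposure"] += SEVERITY_WEIGHT[f["severity"]] * days
        if f["fixed"] is None:
            row["still_open"] += 1
    return {
        lang: {
            "median_days": median(row["days"]),
            "weighted_exposure": row["weighted_exposure"],
            "still_open": row["still_open"],
        }
        for lang, row in by_lang.items()
    }


if __name__ == "__main__":
    for lang, stats in sorted(time_to_fix_by_language(FINDINGS, AS_OF).items()):
        print(f"{lang:7} median={stats['median_days']:>3}d "
              f"weighted_exposure={stats['weighted_exposure']:>5} "
              f"open={stats['still_open']}")
```

With the constructed data, a headline "count of flaws per language" would rank Python and PHP level (three each), whereas the weighted exposure separates them sharply, which is the sort of figure the post says is missing from the summaries.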

