tiero - Fotolia

Get started Bring yourself up to speed with our introductory content.

Can the Wyvern programming language improve Web app security?

A new programming language called Wyvern is helping developers use multiple languages in one app securely. Application security expert Michael Cobb discusses.

I read about a new programming language called Wyvern that's being funded by the U.S. National Security Agency. What is Wyvern and how does it work? Is it a viable alternative for my developers, even if the NSA funded it?

Vulnerabilities in Web applications caused by coding errors and bugs are the bane of network administrators and security teams everywhere. Many applications are inherently weak and open to attack, negating the large amounts of time and resources spent trying to maintain robust network defenses to protect critical resources and data.

As Web and mobile applications continue to grow in complexity, the problem of insecure code that can be exploited by would-be attackers is getting worse. According to Steve McConnell, author of Code Complete, software development projects that reach 512,000 lines of code or more can see four to 100 coding errors per 1,000 lines of code. A typical Web application utilizes multiple languages such as Java, HTML, PHP, Python, CSS, third-party libraries and components and so on, and there are few developers that know or understand how to use each of them without introducing any security vulnerabilities. As a result, developers tend to use a general-purpose programming language such as PHP to write the bulk of their code and end up writing awkward and potentially insecure workarounds; SQL queries, for example, are often constructed by concatenating strings to build database commands which can be exploited for malicious purposes.

To tackle this problem and help developers write more secure code, computer scientists at Carnegie Mellon University are developing a programming language called Wyvern which aims to provide a way to safely use multiple programming languages within the same program. By enabling programmers to use the language most appropriate for each task (such as SQL for querying databases or HTML and CSS for constructing webpages), program code should be less vulnerable to attack.

Wyvern acts as a host language that enables developers to import any five programming languages for use on a software project as a native extension. Wyvern understands and identifies these sublanguages by context and allows programmers to create literals of a given type. So, for example, a SQL query type literal will be dealt with in SQL code rather than as a string of text that needs to be parsed by a special function. This introduction of type-specific languages will prevent many errors that currently go unnoticed or unflagged during checks, and will also prevent code compilation from becoming security vulnerabilities. It will go a long way to combatting injection attacks in particular. Wyvern project developers also want to add architectural control as a feature of the language to help ensure that all developers follow any required security practices.

Wyvern is funded by the NSA under its Science of Security Initiative and will be distributed under a GPLv2 license. While having the NSA behind it may be reason enough for many to not use it, if Wyvern solves part of the problem of writing secure code quickly, it may well be adopted by a broad range of developer communities.

However, note that it's not the only project to tackle the issue of meta-programming and code parsing across languages -- others include JetBrains Meta Programming System, Joose and Spoofax. Yet Wyvern's creators believe it offers the best balance between composability and expressiveness as it enables a broad range of embedded languages to be used more, or less, freely.

Wyvern isn't ready yet for general use, and many features aren't fully developed. While it may help developers make fewer mistakes, they still need to understand how to write secure code. Java, for example, provides type and memory safety, yet poorly written Java code has been responsible for plenty of data breaches.

Hopefully Wyvern won't become another source of vulnerabilities because developers don't have time to learn how to use yet another language and set of tools.

Ask the Expert:
Perplexed about application security? Send Michael Cobb your questions today. (All questions are anonymous.)

Next Steps

Dig further into Web app security and secure software development

This was last published in May 2015

Dig Deeper on Secure software development