Technology risk assessment 2023: what programming language (versions) to use
By Sieuwert van Otterloo
It is important for companies to choose future-proof technology: if you do not, you may have to switch technology at great cost, or run security risks. In our technology reviews, we therefore assess the risk of all modern software languages and frameworks. In this article we explain what we look at and provide a summary of the risks and required actions for modern technologies.
Risks related to technology choice
There are many programming languages and new languages are created every year. Each language offers a unique combination of features: some languages offer certain technological advantages, other languages offer a large number of useful libraries, others are simply well known by many developers. Most languages also have limitations, and these can cause long-term risks: choosing a language that is not suitable for the intended purpose of the system can lead to many practical problems. The typical risks to watch out for are:
- Higher than expected licensing costs, for instance when the costs increase with each additional user
- Vendor lock-in, if the technology is tied to one vendor or one operating system
- Outdated components without recent security updates, which can lead to security vulnerabilities
- Not enough developers available who understand the technology or are willing to learn it
- Non-functional limitations that affect the users. These can be performance limitations, scalability issues or limited visual design
When reviewing project proposals or conducting Due Diligence reviews for investors, we assess which of these problems are already present or are likely to occur in the next three years. If there are any risks, we may advise an upgrade or technology change. In this article we share some of our observations on the systems we have seen in our work, to raise awareness among lead developers of the potential risks.
Most popular languages
The following is an overview of the most commonly used programming languages. All of these are safe choices:
- C# and .NET
- Python
- JavaScript / TypeScript
- Java
- PHP
- Swift (for iOS native apps)
- Kotlin (for Android native apps)
The reason is that there is safety in numbers. For most organisations it is important to choose a widely used language. None of these languages is bad per se. Rather, they have many versions and variants, some of which are no longer good choices. The challenge is not just to choose the right language, but to make sure you are using the right framework and the right version of each language. Below there are specific details on what to look for for each language.
If you are interested in tracking how the popularity of programming languages changes, there are two good sources of information. PYPL (PopularitY of Programming Languages) is an open source project that analyses how often people search for language tutorials on Google. Their top ten is shown below.
TIOBE, a company that makes software quality tools, publishes a ranking of programming languages called the TIOBE-index. This index is based on searches on popular search engines for engineers, programming courses and suppliers. Due to the difference in method, it is less focused on new languages but more on languages in use.
C# and .NET current versions
Microsoft created the .NET (dotNet) framework as a way for multiple programming languages to use the same libraries, and created C# (C-sharp) as the general purpose programming language for this framework. The main risk for C-sharp and .NET is that some systems are still based on old versions. These older versions do not benefit from new features and are no longer supported with new security updates. You can find the Microsoft .NET supported versions online from Microsoft, and you can see that .NET 6 and .NET 7 are the only supported versions. The .NET Core versions from 1.0 to 3.1 are no longer supported and thus should not be used. Support for .NET 5 ended in May 2022. While we are discussing Microsoft technology: Silverlight has been out of support since 2021. ASP.NET MVC version 5 is in support, but version 4 is out of support. SQL Server 2017 and earlier are out of mainstream support. You can use a newer version or use AzureSQL.
Python
Python originated as a clean and easy-to-use language for small scripts. It has become very popular, especially in education, research, data science and artificial intelligence, and is for instance the language that we use in our AI and machine learning summer school and for analysing our Utrecht Housing dataset. The current versions for Python are listed in the Python dev guide and you should use 3.10 or later. Versions 3.7, 3.8 and 3.9 have some limited support, and versions below 3.7 are definitely out of support. Python 3.0 was radically different from version 2.x, so upgrading from version 2.x to version 3.x has been postponed by many companies, but using version 2.7 in 2023 is definitely not a good idea.
If you use Python for developing a web-based system, it is often used with a framework. The most popular frameworks are Django and Flask, and those are well supported. Other frameworks such as Zope/Grok, Tornado, Pyramid or Bottle have interesting technical features, but you should check that the open source community that supports the framework is large enough. Lesser known frameworks should only be used if you have sufficient experience with that framework in-house. In 2023 a student completed more in-depth research into Python maintainability.
PHP
PHP was created in 1993 as a language for making web platforms. It is the language in which the popular frameworks WordPress, Magento and many others are created. Some systems created in PHP are very large and unstructured and therefore hard to maintain, but others are well structured, based on good use of a framework. The most popular frameworks are:
- Laravel
- Symfony
- Zend
From the examples we have seen, Laravel systems are often the most future-proof, since the number of lines of code is small and the Laravel framework solves several security risks such as session management. The currently supported versions of the PHP language are 8.1 and 8.2. If you are on an older version, you should upgrade.
JavaScript / TypeScript
JavaScript was invented as a language for scripts that run on the user’s computer in the web browser to make web pages interactive (‘front-end’ use). It was extended with node.js so that it can also be used on the central server (‘back-end’ use). This transformed JavaScript from a supporting technology into a main programming language. JavaScript lacks typed variables, which makes it more error-prone: in a dynamically typed language the compiler is not able to catch errors where you try to read a non-integer as an integer. TypeScript was introduced in 2012 by Microsoft as a typed version of JavaScript.
JavaScript is often used in combination with many frameworks and libraries: node.js, jQuery, Angular, React, … The JavaScript landscape was so dynamic that many developers found it chaotic. There is a highly recommended ‘State of JS’ survey, done annually, that charts the rise and fall of different JavaScript libraries and frameworks. In this survey, more than 40% of developers agree with the statement “The JavaScript ecosystem is changing too fast”. Below is the 2022 State of JS ranking of front-end frameworks.
A key risk with JavaScript is using out-of-date frameworks and libraries. Angular versions v2 to v14 are no longer under active support.
Java and Scala
Java was invented around 1995 as a language to be used inside web browsers (in so-called applets) but quickly developed into the most popular language for desktop applications and server-side programming as well. It was one of the first languages with good portability and solid memory management. Due to its past popularity, many older, hard-to-maintain systems developed in Java still exist. Java itself has become less popular for new systems, and instead people are using newer languages that are compatible with Java byte code. These so-called Java Virtual Machine languages are easier to read and type while still being able to use any Java library. Popular JVM languages are Scala, Kotlin (see mobile app development below), Groovy and Clojure.
Ruby on Rails
Ruby first appeared in 1995 and was nearly extinct by 2002. It was revived in 2005 by the introduction of the Rails library. Ruby on Rails is an easy-to-learn language for making web-based systems and has been used in many code academies and by many startups for making their first product (MVP). Initially it was not scalable and thus only recommended for prototypes, but these problems have been resolved and it is possible to use Ruby on Rails for mature, mission-critical systems. The supported versions are versions 2.7 and higher.
C and C++
The C language is one of the oldest computer programming languages. It is still in popular use in cases where low-level control of a computer's memory is required, such as system libraries, operating systems and embedded systems. It is not recommended as a general purpose language, since many people find it hard to manage memory use correctly, and it is thus easy to create memory leaks, out-of-bounds accesses and other security bugs.
C++ is an extension of the C language that includes new features and libraries that do make it suitable for developing complete systems. It is however seen as harder to learn and is thus only recommended in situations where high performance and real-time behaviour are really important.
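The language sections above each boil down to one check: is the version you are running still inside the vendor's support window? The following script is an added example (not code from the article or from any of the projects it mentions) that turns the version statements from the .NET, Python, PHP and Ruby sections into a small support policy table and audits runtime banners against it. The policy table, the `--version` commands and the sample banners are assumptions constructed for this example; the thresholds reflect the article's 2023 statements and have to be updated as vendors move their support dates.

```python
"""Audit language runtimes against a support policy derived from the article (added example)."""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Support thresholds as stated in the article (2023 status).
# Each entry is (minimum recommended version, minimum version with limited support);
# a version below both counts as out of support. This table is an assumption for the example.
SUPPORT_POLICY: Dict[str, Tuple[Version, Optional[Version]]] = {
    "python": ((3, 10), (3, 7)),  # 3.10+ recommended, 3.7-3.9 limited, below 3.7 unsupported
    "php":    ((8, 1), None),     # 8.1 and 8.2 are the supported releases
    "ruby":   ((2, 7), None),     # 2.7 and higher
    "dotnet": ((6, 0), None),     # .NET 6 and 7 only; .NET Core 1.0-3.1 and .NET 5 are out
}

# How to ask each runtime for its version when it is on PATH (assumed tool names).
# Note: `dotnet --version` reports the SDK version; `dotnet --list-runtimes` lists runtimes.
VERSION_COMMANDS: Dict[str, list] = {
    "python": ["python3", "--version"],
    "php": ["php", "--version"],
    "ruby": ["ruby", "--version"],
    "dotnet": ["dotnet", "--version"],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first dotted version number (major.minor[.patch]) from a version banner."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups() if part is not None)


def assess(runtime: str, version: Optional[Version]) -> str:
    """Classify a runtime version as recommended, limited, unsupported or unknown."""
    if version is None or runtime not in SUPPORT_POLICY:
        return "unknown"
    recommended, limited = SUPPORT_POLICY[runtime]
    # Tuple comparison is lexicographic, so (3, 8, 10) < (3, 10) as intended.
    if version >= recommended:
        return "recommended"
    if limited is not None and version >= limited:
        return "limited"
    return "unsupported"


def audit(version_outputs: Dict[str, str]) -> Dict[str, str]:
    """Map each runtime's raw version banner to a support status."""
    return {rt: assess(rt, parse_version(out)) for rt, out in version_outputs.items()}


def collect_installed() -> Dict[str, str]:
    """Run the version command for every runtime found on PATH and return the banners."""
    outputs: Dict[str, str] = {}
    for runtime, cmd in VERSION_COMMANDS.items():
        if shutil.which(cmd[0]) is None:
            continue
        result = subprocess.run(cmd, capture_output=True, text=True, check=False)
        # Some tools (older Pythons, for instance) print the version on stderr.
        outputs[runtime] = result.stdout + result.stderr
    return outputs


# Constructed sample banners, shaped like the real tools' output, so the audit runs offline.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "python": "Python 3.8.10",
    "php": "PHP 7.4.33 (cli) (built: Nov  2 2022 12:00:00) ( NTS )",
    "ruby": "ruby 3.2.2 (2023-03-30 revision e51014f9c0) [x86_64-linux]",
    "dotnet": "5.0.408",
}

if __name__ == "__main__":
    print("--- constructed sample ---")
    for runtime, status in audit(SAMPLE_OUTPUTS).items():
        print(f"{runtime:8s} {status}")
    installed = collect_installed()
    if installed:
        print("--- runtimes on this machine ---")
        for runtime, status in audit(installed).items():
            print(f"{runtime:8s} {status}")
```

Run as-is it reports the constructed sample (Python 3.8 as limited, PHP 7.4 and .NET 5 as unsupported, Ruby 3.2 as recommended) and then whatever runtimes it finds on the machine. In a review you would extend `SUPPORT_POLICY` with the framework versions that matter to the project (for instance the Angular releases mentioned above) and feed the script the banners collected from the build and production hosts rather than the workstation.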
Less popular technologies
Just like there are many natural languages that are effective and well structured but have a small user base, there are many programming languages that are not widely used. Organisations can use these languages as long as they make sure they have enough expertise in-house and make sure that the libraries they use are actively maintained. Some of the less popular languages that we have encountered are:
- Matlab
- Rust
- Go
- Fortran
- Pascal / Delphi
- Cobol
We aim to cover these in a next article.
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.