.png)
In software, as in life, convenience often wins. We gravitate toward what’s easier, faster, and more flexible. In the world of programming, interpreted languages have been widely adopted for this very reason. But when deploying applications that require even a minimum level of cybersecurity, such as in high-stakes environments like operational technology (OT), those trade-offs can come at a cost.
Let’s explore compiled vs. interpreted language for critical applications, and how those differences in programming impact cybersecurity for all environments — and especially for OT and critical infrastructure.
What Is a Compiled Language? What Is an Interpreted Language?
Broadly speaking, there are three principal classes of programming languages. Let’s review assembly language, which is essentially the native language of a computer processor, as well as the “higher-level” compiled and interpreted languages.
1. Assembly Language (“Assembler”)
This is the native machine code of the computer — the true “ones and zeros” of the hardware — expressed as alphanumeric opcodes. Each processor family has its own unique assembly language. Consequently, a program written in assembler can be executed only on the specific processor for which it was written. It is powerful but completely non-portable.
2. Compiled Languages
A compiled language program, also known as "C" language, has two parts:
- Source code – human-readable instructions.
- Object code – the same instructions translated by a compiler into assembly (i.e., machine code).
Each compiled language requires its own compiler for each processor type employed, but as long as a compiler exists for the target device, the same source code can be compiled for many platforms. The object code produced is optimized, predictable, and self-contained. Once compiled, the instructions are effectively locked in; they execute exactly as written with very little opportunity for alteration.
3. Interpreted Languages
Interpreted languages achieve portability in a different way. Like compiled languages, they use human-friendly source code. But instead of translating that code ahead of time, they rely on an interpreter that performs the translation at runtime, line by line. The interpreter reads each statement, converts it into machine instructions, executes it, and proceeds to the next.
Interpreted programs are highly portable. Provided an interpreter exists on a host system, any program written in that interpreter’s language will execute. Over the past thirty years, the industry’s appetite for convenience and portability has fueled explosive growth in interpreted and hybrid languages.
The natural question follows: what impact does this trend have on cybersecurity — and on our ability to defend against increasingly sophisticated cyber attacks?
The Cybersecurity Trade-Offs of Convenience
The trend toward convenience has undeniably produced more programmers and more software, but it has also distanced developers from the machinery beneath. That distance introduces four major vulnerabilities.
Slower Code
It is patently obvious that if a source program must be translated into machine language every time that program runs, execution will be slower than a similar program that is translated once — and only once — into object code. Every translation consumes processor cycles. When that translation occurs each and every time at runtime, interpreted languages must always be slower than compiled ones.
If the code (i.e., the program) is a cybersecurity program, slower code is a significant liability. In this age of “hunter-killer” and other fast-acting malware, speed and efficiency of execution are paramount, lest the malware launch and wreak its havoc before the cybersecurity software can even detect the attack and react appropriately.
Even in non-security applications, slower code remains a disadvantage. Despite significant advances in hardware, the old adage — a variant of Boyle’s Law — that “computer resource requirements will always increase to exceed any available resource capacity” remains true. Computing resources will always be at a premium. Therefore, slower, less efficient code will always be consuming resources that could otherwise be used by mission-critical applications.
Bloated Code
When executing, interpreted languages always require the presence of the Interpreter itself — whether that be the Python Virtual Machine, the Java Virtual Machine, or another runtime environment — as well as the instructions to be translated and executed.
Even in hybrid environments such as Microsoft’s .NET, where the code is ultimately compiled at the start of execution through a Just-In-Time (JIT) compiler, the entire framework remains a constant presence layered over the basic operating system. The memory requirements for using interpreted languages exceed — and often greatly exceed — those for compiled languages.
For cybersecurity applications, bloated code is more than an inefficiency; it is a liability. Effective cybersecurity software must be as small and as efficient as possible. It must impose minimal impact on the performance of the machines it protects, otherwise its own operation will degrade or delay the system it is defending. If such software consumes too many resources, it cannot run continuously and will instead operate intermittently during low-load periods — creating enormous windows of opportunity for cybercriminals to strike.
Despite significant advances in hardware and memory availability, those resources should never be wasted. This is especially true in resource-constrained OT and edge environments, where every byte counts.
Runtime Code Compromise
Perhaps the greatest vulnerability of interpreted languages stems from the fact that they accept and execute instructions at runtime rather than relying on a fixed, immutable instruction set compiled beforehand.
That ability to accept new instructions “on the fly” provides attackers with an avenue to alter an application while it is running and inject malicious instructions without leaving a trace. If executed skillfully, these nefarious instructions leave no file-based forensic evidence behind — no “virus signature” to identify either before or after the attack.
While it is true that JIT-compiled languages (such as those running in the .NET environment) can mitigate most runtime compromises, the brief period in the device running the code between source translation and execution still presents a window of opportunity for attackers to infect the source code prior to compilation. Although hybrid approaches may be less vulnerable than purely interpreted systems, they remain far more exposed than programs written in true compiled languages, especially when compilation usually does not take place on the same device that ultimately runs the application.
Single Point Catastrophic Failure
Despite all of the care taken in creating Interpreters, the track record of the entire cyber industry is highly unenviable. “Zero day” vulnerabilities — that is, security holes — in the entire range of cyber products, hardware and software, abound. If an application is written in a compiled language and if that application has a zero day vulnerability, only that application is compromised. But if an Interpreter has a zero day vulnerability, all the applications written in that Interpreter’s language have zero day vulnerabilities.
The Cardboard Tank Problem in Cybersecurity
One of the best ways to explain this concept is through an analogy we like to call “the Cardboard Tank Problem.”
Imagine being tasked with building a tank. It must operate in hostile conditions, take hits, and keep moving. You start with the blueprints and the budget. Steel is costly and difficult to work with — heavy to transport, slow to shape, and unforgiving of mistakes. Cardboard, on the other hand, is quick, light, and easy to mold. You can train a workforce in a week, assemble hundreds in record time, and at a fraction of the cost.
On paper, the plan looks brilliant. The tanks photograph well. They meet every visual design specification and check every box on the balance sheet. Judged by appearance alone — and if not examined too closely — they are indistinguishable from the real thing.
There is only one problem. When the shooting starts, when the tanks must perform as tanks, cardboard performs exactly as expected: it burns. Under live fire, the illusion of armor vanishes, leaving nothing but wreckage.
This is the same rationale that drives much of modern software development — choosing convenience, speed, and cost over resilience. Interpreted and hybrid languages promise portability, simplicity, and rapid results. They are easier to learn, faster to deploy, and wrapped in layers of tooling that make programming feel safe and forgiving. Yet behind the curtain it is simply security theater masquerading as security.
If your system never faces real world pressure, maybe the cardboard holds. But for any application and especially critical infrastructure, when the threat comes, you don’t want a tank that was chosen for comfort. You want something that was built to defend.
Why Crytica Security Uses C Language
At Crytica Security, we do build cybersecurity tools for general-purpose desktops and cloud servers with unlimited memory and bandwidth. However, we also build tools for OT environments — industrial control systems, embedded devices, and infrastructure where every byte and millisecond matters. We build tools for all mission-critical environments, and these must be built to a higher standard.
That’s why our Rapid Detection & Alert (RDA) system is written in C language.
Our detection probes must be small enough to run on semi-isolated devices with minimal RAM and processing power. They need to scan memory in near real time without disrupting operations. They need to be resilient, precise, and fast. Our RDA system needs to do all of that without the inefficiencies of runtime interpretation and bloat, and absolutely without an Interpreter’s inherent vulnerabilities.
C language gives us control over how memory is allocated, how instructions are executed, and how the system behaves under stress. It lets us build tools that are small enough to fit, efficient enough to work, and secure enough to trust.
Could we have built RDA in an interpreted language? Possibly. But it wouldn’t have been fast enough, small enough, reliable enough, or secure enough. And in OT security, “almost enough” is the same as failure.
Don’t Defend with Cardboard Tanks
Interpreted languages have their place. They are excellent for dashboards, scripting, and applications where flexibility and speed of development are more important than security and raw performance. But they don’t belong at the heart of any critical applications. If there is a mere modicum of security required — that is, if an application has any access at all to critical data and/or critical system control — it should not be written in an interpreted language. This is especially true in OT environments where uptime, safety, and resilience are non-negotiable.
Security begins at the foundation. And that foundation includes the language your applications are built in. If you’re protecting critical infrastructure, running on constrained hardware, or detecting malware in real world scenarios, you need more than convenience.
Some developers defend the choice not to use C by pointing to so-called “safe” languages — environments filled with guardrails meant to prevent mistakes. Yet safety through limitation is not the same as security through understanding. In our next discussion, we’ll examine how the pursuit of “safe” languages evolved from a well-intentioned idea into another form of cardboard tank.
Built in C language for speed, size, and control, the RDA system is purpose-built for cybersecurity in OT and critical infrastructure. Want to see how it performs in the real world? Reach out to our team to book a demo.
.jpg)
.jpg)
.jpg)