In its recently published State of Software Security Report 2015, Veracode has analyzed over 1.5 trillion lines of code used in hundreds of thousands of web and mobile applications and come up with the following key findings:
- Applications built with web scripting languages have a way higher vulnerability rate in such classes as cross-site scripting and SQL injection than .NET and Java-based applications;
- All mobile applications have a much higher rate of cryptographic issues compared to web apps: 87% for Android and 80% for iOS;
- Applications written in different programming languages have differing OWASP Top 10 pass rates, i.e. many software development teams don't consider statistical security risks for apps written in a particular language when embedding security design in UX architectures, and they should!
- Companies that leverage eLearning for their software development teams see a 30% improvement in vulnerabilities fix rate compared to those that don't provide software security training to their IT talent
Programming Languages Distribution Across Analyzed Projects
All programming languages presented above have been tested through the Open Web Application Security Project (OWASP) Top 10 that is referenced by industry standards such as PCI-DSS and sets forth security standards for online payment processing systems. The result is pretty embarrassing: C/C++ (compiled language) is the only language that demonstrated 60% compliance with the OWASP Top 10. Top 3 losers are scripting languages ColdFusion, PHP and ASP that demonstrated 21%, 19% and 17% test pass rate accordingly (see below).
Policy Compliance By Programming Languages
Further, the Veracode survey unveils the two important differences in the number of applications affected by the major vulnerabilities depending on the chosen language:
1) Language design
Some languages such as Java and .NET have been originally designed to avoid certain vulnerability classes. By removing the need / ability for developer to directly allocate memory, such languages are able to avoid most of vulnerabilities resulting from buffer overflows. Likewise, the default controls behaviors of cross-site scripting languages such as ASP.NET help avoid vulnerability issues endemic in other web app programming environments.
2) OS environment
Some data leakage categories are most acute in mobile environments which combine huge volumes of data with a variety of always-on networking capabilities (see details below).
Top Vulnerability Categories By Programming Language
The survey also finds that web vulnerabilities like cross-site scripting and SQL injection are more prevalent in web scripting based applications (PHP, ColdFusion and ASP) than in compiled based applications (Java, .NET). This is attributed to the difference in the feature sets of each programming language. Also, there're more security APIs built into Java and .NET compared to what's available for web scripting languages, although ColdFusion shows some improvements in this regard.
According to some estimates, around 75 million websites are based on the WordPress platform, while another few million use Joomla or Drupal globally. All of these CMS platforms are PHP-based which poses some serious concerns about the global Internet security. So, if you're using or planning to use any of these CMS systems for your websites, do plan your deployments very carefully and use the highest level of protection available in system settings.
Another big area of concerns highlighted by the survey is the prevalence of cryptographic issues in iOS and Android programming languages. Top 3 cryptographic vulnerability types by percentage of the affected applications are: insufficient entropy, improper validation of certificate with host mismatch, and cleartext shortage of sensitive data (see details below).
Cryptographic vulnerability types in iOS and Android applications
An interesting finding is that mobile health apps are a way more secure than the typical apps due to the fact that they comply with HIPAA standards and data safety requirements.
Flaw Density By Programming Language
Long story short, it's up to you to decide whether to build a custom software solution or use available drag-and-drop CMS systems or DIY approach. While website builders and PHP-based CMS platforms allow for significant ease of use, agility, cost saving and speed of development, they may cost you a lot of time, reputation and money you'll spend on troubleshooting system vulnerabilities or, what's even more drastic, eliminating security risks and data leakage for your clients. As noted in our earlier post, on average it costs a company $50,000 to $444,000 per incident to eliminate consequences of a DDoS attack depending on a company size.
Failing to embed the proper security design in your UX architecture or choosing the wrong programming language for your solution will most likely result in some type of security breach. We recommend you engage a professional IT advisory company prior to starting a software development project in order to get a clear roadmap of what technologies, programming languages and security elements will be best suited for your particular project!
Data and images source: State of Software Security Report 2015 by Veracode