IT Strategy

Programming Languages Vulnerabilities 2015

In its recently published State of Software Security Report 2015, Veracode has analyzed over 1.5 trillion lines of code used in hundreds of thousands of web and mobile applications and come up with the following key findings:

  • Applications built with web scripting languages have a way higher vulnerability rate in such classes as cross-site scripting and SQL injection than .NET and Java-based applications;
  • All mobile applications have a much higher rate of cryptographic issues compared to web apps: 87% for Android and 80% for iOS;
  • Applications written in different programming languages have differing OWASP Top 10 pass rates, i.e. many software development teams don't consider statistical security risks for apps written in a particular language when embedding security design in UX architectures, and they should!
  • Companies that leverage eLearning for their software development teams see a 30% improvement in vulnerabilities fix rate compared to those that don't provide software security training to their IT talent

Programming Languages Distribution Across Analyzed Projects

Screen Shot 2015-12-10 at 2.08.37 PM

programming languages rating 2015

All programming languages presented above have been tested through the Open Web Application Security Project (OWASP) Top 10 that is referenced by industry standards such as PCI-DSS and sets forth security standards for online payment processing systems. The result is pretty embarrassing: C/C++ (compiled language) is the only language that demonstrated 60% compliance with the OWASP Top 10. Top 3 losers are scripting languages ColdFusion, PHP and ASP that demonstrated 21%, 19% and 17% test pass rate accordingly (see below).

Policy Compliance By Programming Languages

OWASP Top 10 languages 2015

Further, the Veracode survey unveils the two important differences in the number of applications affected by the major vulnerabilities depending on the chosen language:

1) Language design

Some languages such as Java and .NET have been originally designed to avoid certain vulnerability classes. By removing the need / ability for developer to directly allocate memory, such languages are able to avoid most of vulnerabilities resulting from buffer overflows. Likewise, the default controls behaviors of cross-site scripting languages such as ASP.NET help avoid vulnerability issues endemic in other web app programming environments.

2) OS environment

Some data leakage categories are most acute in mobile environments which combine huge volumes of data with a variety of always-on networking capabilities (see details below).

Top Vulnerability Categories By Programming Language

vulnerability cases by programming language

vulnerability cases by programming language

The survey also finds that web vulnerabilities like cross-site scripting and SQL injection are more prevalent in web scripting based applications (PHP, ColdFusion and ASP) than in compiled based applications (Java, .NET). This is attributed to the difference in the feature sets of each programming language. Also, there're more security APIs built into Java and .NET compared to what's available for web scripting languages, although ColdFusion shows some improvements in this regard.

According to some estimates, around 75 million websites are based on the WordPress platform, while another few million use Joomla or Drupal globally. All of these CMS platforms are PHP-based which poses some serious concerns about the global Internet security. So, if you're using or planning to use any of these CMS systems for your websites, do plan your deployments very carefully and use the highest level of protection available in system settings.

Another big area of concerns highlighted by the survey is the prevalence of cryptographic issues in iOS and Android programming languages. Top 3 cryptographic vulnerability types by percentage of the affected applications are: insufficient entropy, improper validation of certificate with host mismatch, and cleartext shortage of sensitive data (see details below).

Cryptographic vulnerability types in iOS and Android applications

cryptographic issues in iOS and Android apps

Read more about how to protect iOS and Android applications.

An interesting finding is that mobile health apps are a way more secure than the typical apps due to the fact that they comply with HIPAA standards and data safety requirements.

Click to read how Intersog built the world's first free-market telemedicine solution that exceeds HIPAA compliance!

The survey also finds that JavaScript, Android and iOS programming languages have the fewest flaws per MB compared to other languages, while classic ASP has the highest flaw density. See details below.

Flaw Density By Programming Language

flaws in programming languages

Long story short, it's up to you to decide whether to build a custom software solution or use available drag-and-drop CMS systems or DIY approach. While website builders and PHP-based CMS platforms allow for significant ease of use, agility, cost saving and speed of development, they may cost you a lot of time, reputation and money you'll spend on troubleshooting system vulnerabilities or, what's even more drastic, eliminating security risks and data leakage for your clients. As noted in our earlier post, on average it costs a company $50,000 to $444,000 per incident to eliminate consequences of a DDoS attack depending on a company size.

Failing to embed the proper security design in your UX architecture or choosing the wrong programming language for your solution will most likely result in some type of security breach. We recommend you engage a professional IT advisory company prior to starting a software development project in order to get a clear roadmap of what technologies, programming languages and security elements will be best suited for your particular project!

Do you need professional advice on how to build a highly secure application?

Data and images source: State of Software Security Report 2015 by Veracode

Vik is our Brand Journalist and Head of Online Marketing / PR with 11+ years of international experience in IT B2B. He's also a guest blog contributor to Business2community, SitePoint, Journal of mHealth, Wearable Valley and other IT portals.