New research shows that scripting languages, in general, give rise to more security vulnerabilities in web applications, raising concerns about potential security bugs in millions of websites.
The app security firm Veracode has released its State of Software Security: Focus on Application Development report (PDF), analyzing more than 200,000 separate applications from October 1, 2013, through March 31, 2015.
The researchers scanned applications written in popular languages and platforms including PHP, Java, JavaScript, Ruby, .NET, C and C++, Microsoft Classic ASP, Android, iOS, and COBOL, covering hundreds of thousands of applications over those 18 months.
Researchers found that PHP, together with the less popular web development languages Classic ASP and ColdFusion, is the riskiest programming language for the Internet, while Java and .NET fare far better.
Here's the Ranking:
The Veracode report ranks languages by a single metric, flaw density per MB: the number of security flaws found in each megabyte of application code scanned. The count of critical-severity flaws per MB is given in parentheses.
Here's the list of unlucky winners:
- Classic ASP – 1,686 flaws/MB (1,112 critical)
- ColdFusion – 262 flaws/MB (227 critical)
- PHP – 184 flaws/MB (47 critical)
- Java – 51 flaws/MB (5.2 critical)
- .NET – 32 flaws/MB (9.7 critical)
- C++ – 26 flaws/MB (8.8 critical)
- iOS – 23 flaws/MB (0.9 critical)
- Android – 11 flaws/MB (0.4 critical)
- JavaScript – 8 flaws/MB (0.09 critical)
Web Apps in PHP are Most Vulnerable, Here's Why:
PHP, third in the raw ranking, is the result that matters most in practice, because ColdFusion is a niche high-end tool and Classic ASP is almost dead, whereas PHP runs a huge share of the web.
Taking a closer look at PHP:
- 86% of applications written in PHP contained at least one cross-site scripting (XSS) vulnerability.
- 56% of apps included SQLi (SQL injection), one of the most dangerous and easiest-to-exploit web application vulnerabilities.
- 67% of apps allowed for directory traversal.
- 61% of apps allowed for code injection.
- 58% of apps had problems with credentials management.
- 73% of apps contained cryptographic issues.
- 50% allowed for information leakage.
Of these, SQLi and XSS both appear in the Open Web Application Security Project's (OWASP) Top 10 list of the most critical web application security risks.
SQL injection bugs, which let attackers talk directly to a website's database, are the ones blamed for the massive data breaches at children's toy maker VTech and telecom firm TalkTalk.
The report puts the scale of this exposure in context: the Top 3 CMS (Content Management Systems), WordPress, Drupal and Joomla, are all written in PHP and together represent over 70% of the CMS market.
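To make the PHP flaw classes in the list above concrete, here is an added example (written for this page, not code from the Veracode report or from any of the projects mentioned). It shows four of them, SQL injection, XSS, directory traversal and weak credentials handling, each as the vulnerable idiom next to a hardened version, with constructed payloads that demonstrate the difference. It assumes PHP 8 with the pdo_sqlite extension; the users table, file names and passwords are illustrative assumptions.

```php
<?php
declare(strict_types=1);
// Added example (not from the Veracode report or the page): four PHP flaw classes
// from the list above, each as the vulnerable idiom next to a hardened version.
// Runs offline: SQLite in memory, a constructed temp directory, constructed
// payloads. Table, column, file names and credentials are illustrative assumptions.

function check(string $label, bool $ok): void {
    echo ($ok ? 'PASS' : 'FAIL') . "  $label\n";
}

// ---- 1. SQL injection -------------------------------------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");   // constructed rows

// Vulnerable: the caller's string becomes part of the SQL grammar.
function findUserVulnerable(PDO $pdo, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a bound parameter is sent as data and is never parsed as SQL.
function findUserSafe(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$sqli = "' OR '1'='1";   // classic tautology payload
check('SQLi: vulnerable query leaks every row', count(findUserVulnerable($pdo, $sqli)) === 2);
check('SQLi: prepared statement matches nothing', count(findUserSafe($pdo, $sqli)) === 0);
check('SQLi: prepared statement still works normally', count(findUserSafe($pdo, 'alice')) === 1);

// ---- 2. Cross-site scripting ------------------------------------------------
// Vulnerable: untrusted text is interpolated straight into HTML.
function greetVulnerable(string $name): string {
    return "<p>Hello, $name</p>";
}

// Hardened: encode for the HTML context; ENT_QUOTES also protects attribute values.
function greetSafe(string $name): string {
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$xss = '<script>alert(1)</script>';
check('XSS: vulnerable output contains a live <script> tag', str_contains(greetVulnerable($xss), '<script>'));
check('XSS: encoded output contains no tag', !str_contains(greetSafe($xss), '<script>'));

// ---- 3. Directory traversal -------------------------------------------------
// Constructed layout: <tmp>/public/hello.txt may be served, <tmp>/secret.txt may not.
$root = sys_get_temp_dir() . '/php_flaws_demo_' . bin2hex(random_bytes(4));
mkdir("$root/public", 0700, true);
file_put_contents("$root/public/hello.txt", 'hello');
file_put_contents("$root/secret.txt", 'top secret');

// Vulnerable: the requested file name is appended to the base directory unchecked.
function readPublicVulnerable(string $base, string $name): string|false {
    return @file_get_contents($base . '/' . $name);
}

// Hardened: canonicalize, then require the result to sit inside the base directory.
function readPublicSafe(string $base, string $name): string|false {
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $name);
    if ($baseReal === false || $target === false) {
        return false;
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;   // resolved path escaped the public directory
    }
    return file_get_contents($target);
}

$traversal = '../secret.txt';
check('Traversal: vulnerable read returns the secret', readPublicVulnerable("$root/public", $traversal) === 'top secret');
check('Traversal: hardened read refuses it', readPublicSafe("$root/public", $traversal) === false);
check('Traversal: hardened read still serves public files', readPublicSafe("$root/public", 'hello.txt') === 'hello');

unlink("$root/public/hello.txt"); unlink("$root/secret.txt");
rmdir("$root/public"); rmdir($root);

// ---- 4. Credentials management ----------------------------------------------
// Vulnerable: a fast unsalted hash compared with ==, trivially cracked offline.
$storedWeak = md5('correct horse');                            // constructed credential
check('Creds: weak scheme accepts password', md5('correct horse') == $storedWeak);
// Hardened: password_hash() picks a salted, slow algorithm; password_verify()
// compares in constant time and stays correct if the default algorithm changes.
$storedStrong = password_hash('correct horse', PASSWORD_DEFAULT);
check('Creds: verify accepts the right password', password_verify('correct horse', $storedStrong));
check('Creds: verify rejects a wrong password', !password_verify('wrong', $storedStrong));
```

Run it with `php demo.php`; every line should print PASS. The traversal check relies on realpath() resolving `..` and symlinks before the prefix comparison, which is why a plain string search for `..` in the input is not enough: encoded or symlinked variants would slip past it but not past the canonicalized check.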
Choose Your Scripting Language Wisely
Fewer than a quarter of Java applications contain SQL injection flaws, compared with more than three-quarters of those written in PHP.
"When organizations are starting new development projects and selecting languages and methodologies, the security team has an opportunity to anticipate the types of vulnerabilities that are likely to arise and how best to test for them," Veracode's CTO Chris Wysopal advised.