Application and web development practices keep changing as the technical world evolves. Veracode, a cloud-based application security company, has analyzed hundreds of thousands of applications and well over 1.5 trillion lines of code and published a report covering applications written in a wide variety of programming languages, including traditional web application development languages, compiled languages, and mobile application development languages.
Policy compliance by programming language
83% of ColdFusion applications, 81% of PHP applications, and 79% of Classic ASP applications failed the OWASP policy. OWASP stands for Open Web Application Security Project, a community of security practitioners that maintains a list of the most important vulnerability categories in web applications.
It is worth noting that applications in truly compiled languages like C/C++ and Objective-C (iOS) have a higher OWASP pass rate than applications in general-purpose bytecode languages like Java or .NET.
Top vulnerability categories by programming language
There are important differences in the percentage of applications affected by key vulnerabilities depending on the language they are written in. Two factors account for most of the difference:
- Design of the language
Some languages are designed from the outset to rule out certain vulnerability classes. By removing the need for developers to allocate memory themselves, languages such as Java and .NET avoid memory-allocation vulnerabilities entirely.
- Operating environment
Some vulnerabilities appear only in certain execution environments. For example, some categories of information leakage are most acute in the mobile environment, which combines large volumes of personal data with always-on network activity.
Comparison of critical vulnerability types
Veracode took a look at four key vulnerability categories: cryptographic issues, SQL injection, Cross-Site Scripting, and command injection.
Web vulnerabilities such as SQL injection and Cross-Site Scripting (XSS) are more prevalent in applications written in web scripting languages such as Classic ASP, ColdFusion and PHP than in .NET and Java applications. According to the results, 86% of PHP applications had at least one XSS vulnerability, and 56% of all applications contained at least one SQL injection flaw.
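The two flaw classes that dominate the PHP findings above come from the same coding pattern: user-controlled text is spliced into a query or into HTML instead of being passed as data. The example below is added here to illustrate that pattern and its fix; it is not code from the Veracode report or from this blog post. It assumes a `users` table with `id` and `username` columns and uses an in-memory SQLite database through PDO so it runs without any server.

```php
<?php
// Added example (not from the Veracode report or the blog post): a user lookup
// and a comment renderer, each written in the vulnerable form that produces the
// SQL injection and XSS findings discussed above, beside the hardened form.
// The users table, its columns and the SQLite connection are assumptions.

declare(strict_types=1);

// --- SQL injection -----------------------------------------------------------

// Vulnerable: the input is concatenated straight into the query text, so a
// quote character in the input changes the meaning of the WHERE clause.
function findUserVulnerable(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: a prepared statement fixes the query structure first; the input is
// bound as a value afterwards and can never become part of the SQL grammar.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Cross-site scripting ----------------------------------------------------

// Vulnerable: stored text is written into the HTML response unchanged, so any
// markup it contains is interpreted by the browser.
function renderCommentVulnerable(string $comment): string
{
    return '<p class="comment">' . $comment . '</p>';
}

// Hardened: the text is HTML-encoded for the context it lands in. ENT_QUOTES
// encodes both quote characters; the charset is stated explicitly.
function renderCommentSafe(string $comment): string
{
    $encoded = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p class="comment">' . $encoded . '</p>';
}

// --- Demonstration on a constructed in-memory database ------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Constructed input: a string containing a quote that is not any user's name.
$probe = "nobody' OR '1'='1";

var_dump(findUserVulnerable($pdo, $probe)); // returns a row: the WHERE clause was rewritten
var_dump(findUserSafe($pdo, $probe));       // NULL: the literal string matches no user

// Constructed input: a comment containing markup.
$comment = '<script>alert(1)</script>';
echo renderCommentVulnerable($comment), PHP_EOL; // markup reaches the browser intact
echo renderCommentSafe($comment), PHP_EOL;       // &lt;script&gt;alert(1)&lt;/script&gt;
```

Both fixes are structural rather than filter-based: the prepared statement and the context-aware encoder keep untrusted text from ever being parsed as code, which is the property a static analysis tool such as the one behind this report checks for when it flags concatenated queries and unencoded output.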
The rating of programming languages by vulnerability
Veracode's specialists also counted the number of vulnerabilities found per megabyte (MB) of source code. The results, with the number of high- or very-high-severity vulnerabilities given in parentheses:
- Classic ASP – 1,686.6 vulnerabilities per MB (1,112.8 of them high/very high severity);
- ColdFusion – 262.8 vulnerabilities per MB (227.3 of them high/very high severity);
- PHP – 184.0 vulnerabilities per MB (47.7 of them high/very high severity);
- Java – 51.8 vulnerabilities per MB (5.2 of them high/very high severity);
- .NET – 32.5 vulnerabilities per MB (9.7 of them high/very high severity);
- C++ – 26.7 vulnerabilities per MB (8.8 of them high/very high severity);
- iOS – 23.4 vulnerabilities per MB (0.9 of them high/very high severity);
- Android – 11.3 vulnerabilities per MB (0.4 of them high/very high severity).