Rating of Programming Languages Based on Vulnerability

Application and web development practices keep changing as the technical world evolves. Veracode, a cloud-based application security company, has published a report based on the analysis of hundreds of thousands of applications and well over 1.5 trillion lines of code. The report covers applications written in a wide variety of programming languages, including traditional web application development languages, compiled languages and mobile application development languages.


Policy compliance by programming language

83% of ColdFusion applications, 81% of PHP applications and 79% of Classic ASP applications did not pass the OWASP policy, meaning they contained at least one flaw in an OWASP Top 10 category. OWASP stands for Open Web Application Security Project, a community of security practitioners that maintains the OWASP Top 10, a list of the most critical vulnerability categories in web applications.

It is worth noticing that applications written in truly compiled languages such as C/C++ and Objective-C (iOS) have a higher OWASP pass rate than applications in general-purpose bytecode languages such as Java or .NET. One caveat when reading this: the OWASP Top 10 is a list of web application flaws, so a native or mobile application that exposes no web interface has far fewer opportunities to fail the policy. The gap says as much about what each language is typically used for as about the language itself.

Top vulnerability categories by programming language

The percentage of applications affected by key vulnerability categories differs noticeably from one language to another. Two main factors drive the differences:

  • Design of the language

Some languages are designed from the outset to rule out whole vulnerability classes. Java and .NET manage memory on the developer's behalf (garbage collection and bounds-checked arrays), so buffer overflows and other memory-management flaws cannot occur in ordinary managed code; they reappear only at the boundary with native code.

  • Operating environment

Some vulnerability categories are tied to the environment the code runs in. Certain kinds of information leakage, for example, are most acute on mobile devices, which combine large volumes of personal data with always-on network connectivity.

Comparison of critical vulnerability types

Veracode looked at four key vulnerability categories: cryptographic issues, SQL injection, cross-site scripting (XSS) and command injection.

Web vulnerabilities such as SQL injection and cross-site scripting (XSS) are noticeably more prevalent in applications written in web scripting languages (Classic ASP, ColdFusion and PHP) than in .NET and Java applications. In the PHP sample, 86% of applications had at least one XSS vulnerability and 56% had at least one SQL injection vulnerability. Both classes have a well-known, language-independent fix: parameterized queries for SQL injection and context-aware output encoding for XSS.
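The two flaws discussed above, each shown in its vulnerable form beside the hardened form. This is an added example written for this page, not code from the Veracode report; the in-memory SQLite table, the user records and the attacker payloads are constructed for the demonstration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "admin", "s3cr3t-a"), ("bob", "user", "s3cr3t-b")],  # constructed data
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """SQL injection: untrusted input is spliced into the query text.

    A username of  ' OR '1'='1  turns the WHERE clause into
    username = '' OR '1'='1', which matches every row in the table.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Parameterized query: the driver sends the value separately from the
    SQL text, so the input can never change the structure of the query."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_vulnerable(name):
    """Reflected XSS: user input is interpolated into the HTML verbatim,
    so a <script> tag in the name is parsed and executed by the browser."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Output encoding for the HTML element-content context. html.escape
    turns < > & " ' into entities, so the browser renders the text instead
    of parsing it as markup. This covers HTML body and quoted-attribute
    contexts only; JavaScript, URL and CSS contexts need their own encoders."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def demo():
    """Run both payloads against both forms and return the results."""
    conn = make_db()
    sqli_payload = "' OR '1'='1"                          # constructed attacker input
    xss_payload = "<script>alert(document.cookie)</script>"  # constructed attacker input
    return {
        "sqli_vulnerable_rows": lookup_user_vulnerable(conn, sqli_payload),
        "sqli_safe_rows": lookup_user_safe(conn, sqli_payload),
        "xss_vulnerable_html": render_greeting_vulnerable(xss_payload),
        "xss_safe_html": render_greeting_safe(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script, the vulnerable lookup returns every user for the injected payload while the parameterized lookup returns nothing, and the encoded greeting contains `&lt;script&gt;` rather than a live tag. Note that the SQLite driver refuses to run more than one statement per `execute` call, which is why the classic `'; DROP TABLE` payload does not work here; the `OR '1'='1'` form is enough to show the structural change an attacker gets.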

The rating of programming languages by vulnerability

Veracode's specialists also measured flaw density, the number of flaws found per megabyte of analyzed code, with the number of high- and very-high-severity flaws given in parentheses. Density is a coarse measure: a megabyte of script source and a megabyte of compiled code do not hold the same amount of logic, so treat the ranking as indicative rather than exact. Ranked from highest to lowest density, the results are:

  1. Classic ASP – 1,686.6 vulnerabilities per MB (1,112.8 – high/very high vulnerabilities);
  2. ColdFusion – 262.8 vulnerabilities per MB (227.3 – high/very high vulnerabilities);
  3. PHP – 184.0 vulnerabilities per MB (47.7 – high/very high vulnerabilities);
  4. Java – 51.8 vulnerabilities per MB (5.2 – high/very high vulnerabilities);
  5. .NET – 32.5 vulnerabilities per MB (9.7 – high/very high vulnerabilities);
  6. C++ – 26.7 vulnerabilities per MB (8.8 – high/very high vulnerabilities);
  7. iOS – 23.4 vulnerabilities per MB (0.9 – high/very high vulnerabilities);
  8. Android – 11.3 vulnerabilities per MB (0.4 – high/very high vulnerabilities);
  9. JavaScript (mobile) – 8.1 vulnerabilities per MB (0.09 – high/very high vulnerabilities).

Source