Security risks of web application programming languages

A new WhiteHat report examined the security of specific programming languages. Until now, no other website security study has provided detailed research on how programming languages perform in the field, even though this is crucial to understand, since security is most effective when it is prioritized as part of the software development lifecycle.

Nearly 1,700 business-critical websites were evaluated to provide organizations with insight into the relative security of the development frameworks they deploy, and the associated vulnerabilities that put them at risk.

[Figure: Top ten vulnerability classes (compared by extension)]

This empirical research shows that programming languages do not display identical security postures in the field, yet at the same time they tend to be more alike than different with regard to vulnerabilities.

Across frameworks, the types of vulnerabilities, their frequency of occurrence and their remediation times differed, albeit more moderately than would have been anticipated. Perl had the highest average number of historical vulnerabilities found at 45 percent, followed by Cold Fusion at 34 percent.

Additionally, Perl, Cold Fusion, JSP and PHP were most likely to contain at least one serious vulnerability, approximately 80 percent of the time. Among the lowest historical vulnerability averages were ASPX (Microsoft’s .NET) and DO (Struts Java) with 19 percent and 20 percent, respectively.

[Figure: Average number of days for vulnerability resolution]

“Web application security truly is a moving target with constant changes in attack methods and techniques,” said Jeremiah Grossman, founder and chief technology officer, WhiteHat Security. “While it’s pertinent to keep a close eye on the top 10 vulnerabilities putting websites at risk, this time we wanted to focus on the programming languages since that’s where it all begins. If organizations have a better idea of how the languages they use fare in the field, they can be more vigilant during the development lifecycle and hopefully avoid bigger problems later.”

WhiteHat’s latest report contains data collected between January 1, 2006 and March 25, 2010, and finds that the percentage of high, critical or urgent issues continues to slowly increase. At the same time, the report notes that vulnerability remediation rates are climbing as well, particularly in the Urgent and Critical categories, with an average rate of roughly 70 percent. Still, with up to 30 percent of vulnerabilities remaining open for an average of nearly three months, many websites remain in an uncomfortable risk position.

Cross-Site Scripting (XSS) maintains its position in the Top 10 list along with many other common classes of attack. Interestingly, Cross-Site Request Forgery (CSRF) did not make the Top 10 list for languages such as Perl and PHP, but Directory Indexing did. The diversity of vulnerability issues across languages can be attributed to the fact that one website can possess hundreds of unique issues from a specific class such as XSS and Content Spoofing, while other sites may not contain any.