A new WhiteHat Security report takes a deeper look into the security of a number of the most popular programming languages including .Net, Java, ColdFusion, ASP and more.
“Deciding which programming language to use is often based on considerations such as what the development team is most familiar with, what will generate code the fastest, or simply what will get the job done,” said Jeremiah Grossman, founder and iCEO of WhiteHat Security. “How secure the language might be is simply an afterthought, which is usually too late.”
“As an industry we lack sufficient security data that teams can rely on in the language selection process for their project,” continued Grossman. “This report approaches application security not from the standpoint of what risks exist on sites and applications once they have been pushed into production, but rather by examining how the languages themselves perform in the field. In doing so, we hope to elevate security considerations and deepen those conversations earlier in the decision process, which will ultimately lead to more secure websites and applications.”
WhiteHat researchers examined the vulnerability assessment results of the more than 30,000 websites to measure how the underlying programming languages and frameworks perform in the field. With that information, the report yields key findings around which languages are most prone to which classes of attack, for how often and how long as well as a determination as to whether or not popular modern languages and frameworks yield similar results in production websites.
New vs. legacy languages
To lay the foundation for the research, the team first examined the volume of languages in the field, and found, unsurprisingly, that .Net, Java and ASP are the most widely used programming languages at 28.1%, 25% and 16% respectively. Legacy programming languages that have been around for decades, PHP (11%), ColdFusion (6%), and Perl (3%) rounded out the remaining field.
The popularity and complexity of .Net, Java and ASP, mean that the potential attack surfaces for each language is larger; as such, 31% of vulnerabilities were observed in .Net, 28% were found in Java and 15% were found in ASP.
From there, researchers had these key observations:
- There was no significant difference between languages in examining the highest averages of vulnerabilities per slot. .Net had an average of 11.36 vulnerabilities per slot. Java was found to have an average of 11.32 and ASP came in at 10.98.
- The bottom of the spectrum, or the most “secure,” also showed no significant difference between languages with the lowest averages of vulnerabilities per slot. Perl was observed as having 7 vulnerabilities per slot. ColdFusion was found to have the fewest with an average of 6.
- From a vulnerability class perspective, the research team made these discoveries:
- Cross-Site Scripting regains the number one spot after being overtaken by Information Leakage last year in all but one language. .Net has Information Leakage as the number one vulnerability, followed by Cross-Site Scripting.
- ColdFusion has a rate of 11% SQL Injection vulnerabilities, the highest observed, followed by ASP with 8% and .NET 6%.
- Perl has an observed rate of 67% Cross-Site Scripting vulnerabilities, over 17% more than any other language.
- There was less than a 2% difference among the languages with Cross-Site Request Forgery.
- Many vulnerabilities classes were not affected by language choice.
Remediation remains a key factor
“We were somewhat surprised to find that languages that have been around for decades were actually able to keep pace, with more modern languages when it came to remediation of some vulnerability classes,” said Gabriel Gumbs, director of solutions architecture for WhiteHat Security who also led the research team on this project. “For instance, Perl bested the pack when it came to remediating XSS vulnerabilities, which was the most prevalent vulnerability across all languages. Likewise SQL Injection had a 96% remediation rate in ColdFusion applications and every single abuse of functionality vulnerability found in ColdFusion sites was remediated.”
Other interesting remediation statistics:
- ASP is remediating at the same rate as the other languages, focusing on mission critical vulnerabilities.
- Perl remediates 85% of all Cross-Site Scripting vulnerabilities, the highest rate among all languages but only 18% of SQL Injection.
- Net and Java have the same remediation rate of SQL Injection at 89%.
- ColdFusion remediates 100% of its Abuse of Functionality vulnerabilities, 96% of its SQL Injection, and 87% of Insufficient Transport Layer Protection vulnerabilities.
“Often times when we have conversations with customers or their development teams about why they believe that practicing secure coding is so challenging, they will tell us that it is because their applications are often made up of ‘a little bit of everything’,” said Gumbs. “In our research, however, we found that organizations tend to have a significant amount of one or two languages with a very minimal investment in the others.”
Although the team found that no industry has an even breakdown, there are trends amongst industries, when it comes to language choice:
- Financial Services has the highest number of ASP sites by count, by almost 3-to-1.
- 83% of Gaming Industry sites written in PHP.
- 49% of the Banking Industry applications were written in Java & 42% in .Net.
- 32% of Manufacturing sites leveraged Perl as their language of choice.
- The Technology sector wrote 35% of their sites in PHP.
“Ultimately we believe that just as language choice begins at the architecture and design stage of application development, security must begin here as well,” said Grossman. “Understanding the impact of those decisions early will help address the management of the risk later on. Furthermore, ensuring that software is tested in all phases of development – including code reviews of web services – all the way through until the application is decommissioned is critical. We will not achieve a truly secure Web until this becomes standard operating procedure for all applications across the board.”
The complete report is available here (registration required).