WhiteHat Security, a Web security company, recently announced the latest edition of the “WhiteHat Security Website Security Statistics Report,” which takes a deeper look into the security of a number of the most popular programming languages, including .NET, Java, ColdFusion, ASP and more.
“Deciding which programming language to use is often based on considerations such as what the development team is most familiar with, what will generate code the fastest, or simply what will get the job done,” said Jeremiah Grossman, founder and iCEO of WhiteHat Security. “How secure the language might be is simply an afterthought, which is usually too late.
“As an industry we lack sufficient security data that teams can rely on in the language selection process for their project,” continued Grossman. “This report approaches application security not from the standpoint of what risks exist on sites and applications once they have been pushed into production, but rather by examining how the languages themselves perform in the field. In doing so, we hope to elevate security considerations and deepen those conversations earlier in the decision process, which will ultimately lead to more secure websites and applications.”
WhiteHat researchers examined the vulnerability assessment results of the more than 30,000 websites under WhiteHat Security management to measure how the underlying programming languages and frameworks perform in the field. With that information, the report yields key findings around which languages are most prone to which classes of attack, how often and for how long, as well as a determination as to whether popular modern languages and frameworks yield similar results in production websites.
Click through for a deeper look into the security of a number of the most popular programming languages, including .NET, Java, ColdFusion, ASP and more, as identified by WhiteHat Security.
New vs. legacy languages
To lay the foundation for the research, the team first examined the volume of languages in the field, and found, unsurprisingly, that .NET, Java and ASP are the most widely used programming languages, at 28.1 percent, 25 percent and 16 percent, respectively. Legacy programming languages that have been around for decades, PHP (11 percent), ColdFusion (6 percent), and Perl (3 percent) rounded out the remaining field.
The popularity and complexity of .NET, Java and ASP mean that the potential attack surfaces for each language is larger; as such, 31 percent of vulnerabilities were observed in .NET, 28 percent were found in Java, and 15 percent were found in ASP.
New vs. legacy languages
From there, WhiteHat researchers had these key observations:
- There was no significant difference between languages in examining the highest averages of vulnerabilities per slot.* .NET had an average of 11.36 vulnerabilities per slot. Java was found to have an average of 11.32 and ASP came in at 10.98.
- The bottom of the spectrum, or the most “secure,” also showed no significant difference between languages with the lowest averages of vulnerabilities per slot. Perl was observed as having seven vulnerabilities per slot. ColdFusion was found to have the fewest with an average of six.
* WhiteHat Security defines the boundaries of a Web application as a “slot.” The research data was derived from slots that had at least three completed assessments.
New vs. legacy languages
From a vulnerability class perspective, the research team made these discoveries:
- Cross-site scripting regains the number one spot after being overtaken by information leakage last year in all but one language. .NET has information leakage as the number one vulnerability, followed by cross-site scripting.
- ColdFusion has a rate of 11 percent SQL injection vulnerabilities, the highest observed, followed by ASP with 8 percent and .NET with 6 percent.
- Perl has an observed rate of 67 percent cross-site scripting vulnerabilities, over 17 percent more than any other language.
- There was less than a 2 percent difference among the languages with cross-site request forgery.
- Many vulnerabilities classes were not affected by language choice.
Remediation remains a key factor
“We were somewhat surprised to find that languages that have been around for decades were actually able to keep pace with more modern languages when it came to remediation of some vulnerability classes,” said Gabriel Gumbs, director of solutions architecture for WhiteHat Security, who also led the research team on this project. “For instance, Perl bested the pack when it came to remediating XSS vulnerabilities, which was the most prevalent vulnerability across all languages. Likewise, SQL injection had a 96 percent remediation rate in ColdFusion applications and every single abuse of functionality vulnerability found in ColdFusion sites was remediated.”
Remediation remains a key factor
Other interesting remediation statistics:
- ASP is remediating at the same rate as the other languages, focusing on mission-critical vulnerabilities.
- Perl remediates 85 percent of all cross-site scripting vulnerabilities, the highest rate among all languages, but only 18 percent of SQL injection.
- .NET and Java have the same remediation rate of SQL injection at 89 percent.
- ColdFusion remediates 100 percent of its abuse of functionality vulnerabilities, 96 percent of its SQL injection, and 87 percent of insufficient transport layer protection vulnerabilities.
Industry Favorites
“Often times when we have conversations with customers or their development teams about why they believe that practicing secure coding is so challenging, they will tell us that it is because their applications are often made up of ‘a little bit of everything’,” said Gumbs. “In our research, however, we found that organizations tend to have a significant amount of one or two languages with a very minimal investment in the others.”
Although the team found that no industry has an even breakdown, there are trends amongst industries, when it comes to language choice:
- Financial services has the highest number of ASP sites by count, by almost three to one.
- 83 percent of gaming industry sites are written in PHP.
- 49 percent of the banking industry applications were written in Java & 42 percent in .NET.
- 32 percent of manufacturing sites leveraged Perl as their language of choice.
- The technology sector wrote 35 percent of their sites in PHP.
Conclusion
“Ultimately we believe that just as language choice begins at the architecture and design stage of application development, security must begin here as well,” said Grossman. “Understanding the impact of those decisions early will help address the management of the risk later on. Furthermore, ensuring that software is tested in all phases of development – including code reviews of web services – all the way through until the application is decommissioned is critical. We will not achieve a truly secure Web until this becomes standard operating procedure for all applications across the board.”
To download the complete report, click here.