When building an enterprise Web application, the most foundational decision your developers make will be the language in which the app is written. But is there a barometer that measures the security of the programming languages developers have at their disposal, or are comfortable with, versus other options?
WhiteHat Security, an application security vendor, released its 2014 Website Security Statistics Report today that measures the security of programming languages and development frameworks and examines not only what classes of vulnerabilities they’re most susceptible to, but also how long it takes to remediate bugs and whether there’s a real difference that would impact a business decision as to which language to use.
The report is based on vulnerability assessments conducted against 30,000 customer websites using a proprietary scanner, and the results point toward negligible differences in the relative security of languages such as .NET, Java, PHP, ASP, ColdFusion and Perl. Those six shared relatively similar mean numbers of vulnerabilities, and problems such as SQL injection and cross-site scripting vulnerabilities remain pervasive.
“Ultimately, what we found was that across the board there were no significant differences between languages,” said Gabriel Gumbs, lead researcher on White Hat’s Website Security Statistics Report. “There are some peaks and valleys with regard to vulnerability classes and remediation rates, but no one stood out as a clear winner as more secure.”
One conclusion, therefore, is that web application security woes, including the chronic existence of SQL injection and cross-site scripting vulnerabilities in code, are a human issue.
“A lot of it is the human factor,” Gumbs said. Static and dynamic testing controls are available to developers that test code as it is being developed as well as in production. But they have to be used throughout the development lifecycle, Gumbs said. “During the design phase of an app, security implications must be taken into account.”
As for the numbers compiled by White Hat, .NET and Java are the most widely used languages, accounting for a combined 53 percent, while the creaky ASP is next at 16 percent. SQL injection were especially prevalent in ColdFusion sites, while Perl sites were found most vulnerable to cross-site scripting. ColdFusion sites, however, had the best overall remediation rates while PHP sites one of the lowest.
Cross-site scripting was the most prevalent vulnerability in five of the six languages, except for .NET where information leakage flaws were highest. It’s worse in Perl (67 percent of sites) and Java (57 percent). Content spoofing, SQL injection and cross-site request forgery round out the top five most prevalent vulnerabilities.
“The education is out there and the frameworks are out there [to address cross-site scripting]. My best guess is that it’s a combination of the speed at which companies are implementing new functionality and exposing it to the business that is driving that number,” Gumbs said. “We don’t know what it will take to tip the scales and make those numbers go down. It may be something we have to live with. If we can accept that and then approach how we address that based on risk assessments, it may drive down the number.”
Looking at specific industries, in particular those that are heavily regulated such as financials and health care, those don’t show a noticeable difference in either the number of vulnerabilities present or remediation rates. This is in spite of over-arching regulations such as PCI-DSS protecting credit cards and HIPAA protecting health care that mandate a certain minimum standard. The problem is that many organizations that are regulated do what it takes to reach that minimum standard, and not much else.
“What we found is that industries with more regulations are insecure because they fix vulnerabilities that the regulation only calls for,” Gumbs said. “If PCI says fix these five vulnerabilities, that’s all they fixed. It proved to me they were more insecure than the other industries because they put that effort into compliance, not security.”