Most secure web programming language? It depends.
Whether you are using a new or old software programming language to build your website, the security risk is the same, according to application security provider WhiteHat Security in its 2014 Website Security Statistics report.
“Risk exposure does not vary much between languages… In fact, there was no statistical difference, in terms of the average number of vulnerabilities per location, between the languages in this study,” the report notes. WhiteHat Security defines the boundaries of a web application as a “location”.
“Choosing which programming language to use is often based on considerations such as what the development team knows best, what will generate the code fastest, or just what will do the job,” said Jeremiah Grossman, founder and CEO of WhiteHat Security, in announcing the report.
WhiteHat has performed vulnerability assessments of over 30,000 websites using .NET, Java, ASP, PHP, ColdFusion, and Perl. The most used languages were .NET (28.1% of web applications), Java (24.9%) and ASP (15.9%).
However, programming language preferences seem to vary by industry, according to WhiteHat. of banking applications were written in Java and 42% in .NET.
In the public sector, half of those surveyed said they had used ASP, .NET and Java, while a quarter were PHP users.
The .NET programming language had an average of 11.36 vulnerabilities per slot, Java 11.32 and ASP 10.98. The most secure language, ColdFusion, had six vulnerabilities per location. Perl had seven vulnerabilities per location and PHP had 10.
While 31 percent of all vulnerabilities were in .NET, the report noted that there were more websites written in .NET than any of the other languages in the study, and “there was no evidence to suggest that .NET is less secure based on this data point.” Instead, the study correlated the greatest number of vulnerabilities with the fact that .NET sites tend to be larger and more complicated than others.
Java accounted for 28% of the vulnerabilities found and ASP 15%. “Again, the number of applications written in the language as well as the complexity of the websites should be considered a contributing factor,” the report said. PHP also accounted for 15 percent of the vulnerabilities discovered. ColdFusion only accounted for 4% of vulnerabilities and Perl 2%.
Cross-Site Scripting (XSS) was the most common vulnerability, except in .NET, where information leakage was its number one vulnerability. XSS allows attackers to inject client-side script into web pages viewed by other users and bypass access controls. An information leak occurs when a website reveals sensitive data, such as developer comments or error messages, that can help an attacker to exploit the system.
Some other vulnerability findings:
- ColdFusion had an 11% SQL injection vulnerability rate, the highest observed, followed by ASP at 8% and .NET at 6%.
- Perl had an observed rate of 67% XSS vulnerabilities, over 17% higher than any other language.
- Many vulnerability classes were unaffected by the choice of language.
Patch rates, the speed at which vulnerabilities are resolved, remain a key indicator of application security, WhiteHat explains.
“We were somewhat surprised to find that languages that have been around for decades were actually able to keep pace with more modern languages when it comes to fixing certain vulnerability classes,” said Gabriel Gumbs, director of solution architecture for WhiteHat Security, who also led the research team on this project.
“For example, Perl beat the pack in patching XSS vulnerabilities, which was the most prevalent vulnerability in all languages. Likewise, SQL injection had a 96% fix rate in ColdFusion applications, and every abuse of functionality vulnerability found in ColdFusion sites has been addressed.”
Among its recommendations for improving web programming security, WhiteHat suggested:
- Test software in all phases of development, including web services code reviews.
- Include security risk assessments at the architecture and design stage of application development.
- Include application security in existing IT governance frameworks.
Kathleen Hickey is a freelance writer for GCN.