Which web programming language is the most secure?


WhiteHat Security, a web security company, recently announced the latest edition of the “WhiteHat Security Website Security Statistics Report,” which takes a closer look at the security of a number of the most popular web programming languages, including .NET, Java, ColdFusion, ASP and more.

“Choosing which programming language to use is often based on considerations such as what the development team knows best, what will generate the code fastest, or just what will do the job,” said Jeremiah Grossman, founder and CEO of WhiteHat Security. “Language safety is just an afterthought, which is usually too late.”

“As an industry, we lack sufficient security data that teams can rely on in the process of selecting the language for their project,” continued Grossman. “This report discusses application security not from the perspective of the risks that exist on sites and applications once they have been pushed into production, but rather by examining the performance of the languages themselves in the field. In doing so, we hope to elevate security considerations and deepen those conversations earlier in the decision-making process, which will ultimately lead to more secure websites and applications.”

WhiteHat researchers examined the results of vulnerability assessments of more than 30,000 websites managed by WhiteHat Security to measure how the underlying programming languages and frameworks perform in the field. From this data, the report draws conclusions about which languages are most prone to which classes of attack, how often and for how long, and about whether popular modern languages and frameworks produce similar results on production websites.

New or old languages

To lay the foundation for the research, the team first looked at the volume of each language in the field and found, unsurprisingly, that .NET, Java and ASP are the most widely used programming languages, at 28.1%, 25% and 16% respectively. Legacy languages that have been around for decades, PHP (11%), ColdFusion (6%) and Perl (3%), account for the remainder.

The popularity and complexity of .NET, Java and ASP mean that each of these languages presents a larger potential attack surface; accordingly, 31% of the vulnerabilities found were in .NET, 28% in Java and 15% in ASP.

From there, WhiteHat researchers made these key observations:

  • There was no significant difference between languages at the top of the spectrum, when comparing the highest average number of vulnerabilities per location.* .NET had an average of 11.36 vulnerabilities per location, Java 11.32 and ASP 10.98.
  • The lower end of the spectrum, the most “secure” languages, likewise showed no significant difference in the lowest average number of vulnerabilities per location. Perl was observed to have seven vulnerabilities per location, and ColdFusion had the fewest, with an average of six.

* WhiteHat Security defines the boundary of a web application as a “location”. The research data was derived from locations for which at least three assessments had been performed.

From a vulnerability class perspective, the research team made these findings:

  • Cross-site scripting regained the top spot in all but one language after being overtaken by information leakage last year. In .NET, information leakage was the number one vulnerability class, followed by cross-site scripting.
  • ColdFusion had the highest SQL injection vulnerability rate at 11%, followed by ASP at 8% and .NET at 6%.
  • Perl had an observed cross-site scripting vulnerability rate of 67%, more than 17% higher than any other language.
  • There was less than a 2% difference between languages with respect to cross-site request forgery.
  • Many classes of vulnerabilities were unaffected by the choice of language.

Remediation remains a key factor

“We were somewhat surprised to find that languages that have been around for decades were in fact able to keep pace with more modern languages when it comes to fixing certain classes of vulnerability,” said Gabriel Gumbs, director of solution architecture for WhiteHat Security, who also led the research team on this project. “For example, Perl beat the pack in patching XSS vulnerabilities, which was the most prevalent vulnerability in all languages. Likewise, SQL injection had a 96% fix rate in ColdFusion applications, and every abuse of functionality vulnerability found in ColdFusion sites has been fixed.”

Other interesting remediation statistics:

  • ASP fixes vulnerabilities at the same rate as the other languages, focusing on critical vulnerabilities.
  • Perl fixes 85% of all cross-site scripting vulnerabilities, the highest rate of any language, but only 18% of SQL injections.
  • .NET and Java have the same 89% SQL injection fix rate.
  • ColdFusion fixes 100% of its abuse of functionality vulnerabilities, 96% of its SQL injections and 87% of its inadequate transport layer protection vulnerabilities.

Industry favorites

“A lot of times when we talk to customers or their development teams about why they think the practice of secure coding is so difficult, they tell us it’s because their applications are often made up of ‘a bit of everything,’” Gumbs said. “In our research, however, we found that organizations tend to have a significant amount of one or two languages with very minimal investment in the others.”

Although the team found that no industry has an equal distribution, there are trends among industries when it comes to language choice:

  • Financial services has the highest number of ASP sites by count, almost three to one.
  • 83% of gaming industry sites are written in PHP.
  • 49% of banking industry applications were written in Java and 42% in .NET.
  • 32% of manufacturing sites used Perl as their language of choice.
  • The tech industry has written 35% of its sites in PHP.

“Ultimately, we believe that just as language choice starts at the architecture and design stage of application development, security must also start here,” Grossman said. “Understanding the impact of these decisions early on will help address risk management later. In addition, it is essential to ensure that software is tested in all phases of development, including web services code reviews, until the application is retired from service. We will not achieve a truly secure web until it becomes standard operating procedure for all applications at all levels.”
