Welcome!

Java IoT Authors: Liz McMillan, Yeshim Deniz, Zakia Bouachraoui, Elizabeth White, Pat Romanski

News Feed Item

WhiteHat Security Reveals Relative Security of Web Programming Languages in 2014 Website Security Statistics Report

SANTA CLARA, Calif., April 15, 2014 /PRNewswire/ -- WhiteHat Security, the Web security company, today announced the latest edition of the WhiteHat Security Website Security Statistics Report, which takes a deeper look into the security of a number of the most popular programming languages including .Net, Java, ColdFusion, ASP and more.

"Deciding which programming language to use is often based on considerations such as what the development team is most familiar with, what will generate code the fastest, or simply what will get the job done," said Jeremiah Grossman, founder and iCEO of WhiteHat Security. "How secure the language might be is simply an afterthought, which is usually too late.

"As an industry we lack sufficient security data that teams can rely on in the language selection process for their project," continued Grossman. "This report approaches application security not from the standpoint of what risks exist on sites and applications once they have been pushed into production, but rather by examining how the languages themselves perform in the field. In doing so, we hope to elevate security considerations and deepen those conversations earlier in the decision process, which will ultimately lead to more secure websites and applications."

WhiteHat researchers examined the vulnerability assessment results of the more than 30,000 websites under WhiteHat Security management to measure how the underlying programming languages and frameworks perform in the field. With that information, the report yields key findings around which languages are most prone to which classes of attack, for how often and how long as well as a determination as to whether or not popular modern languages and frameworks yield similar results in production websites.

New vs. Legacy Languages
To lay the foundation for the research, the team first examined the volume of languages in the field, and found, unsurprisingly, that .Net, Java and ASP are the most widely used programming languages at 28.1%, 25% and 16% respectively.  Legacy programming languages that have been around for decades, PHP (11%), ColdFusion (6%), and Perl (3%) rounded out the remaining field.

The popularity and complexity of .Net, Java and ASP, mean that the potential attack surfaces for each language is larger; as such, 31% of vulnerabilities were observed in .Net, 28% were found in Java and 15% were found in ASP.

From there, WhiteHat researchers had these key observations:

  • There was no significant difference between languages in examining the highest averages of vulnerabilities per slot.* .Net had an average of 11.36 vulnerabilities per slot. Java was found to have an average of 11.32 and ASP came in at 10.98.
  • The bottom of the spectrum, or the most "secure," also showed no significant difference between languages with the lowest averages of vulnerabilities per slot. Perl was observed as having 7 vulnerabilities per slot. ColdFusion was found to have the fewest with an average of 6.
  • From a vulnerability class perspective, the research team made these discoveries:
  • Cross-Site Scripting regains the number one spot after being overtaken by Information Leakage last year in all but one language. .Net has Information Leakage as the number one vulnerability, followed by Cross-Site Scripting.
  • ColdFusion has a rate of 11% SQL Injection vulnerabilities, the highest observed, followed by ASP with 8% and .NET 6%.
  • Perl has an observed rate of 67% Cross-Site Scripting vulnerabilities, over 17% more than any other language.
  • There was less than a 2% difference among the languages with Cross-Site Request Forgery.
  • Many vulnerabilities classes were not affected by language choice.

Remediation Remains a Key Factor
"We were somewhat surprised to find that languages that have been around for decades were actually able to keep pace, with more modern languages when it came to remediation of some vulnerability classes," said Gabriel Gumbs, director of solutions architecture for WhiteHat Security who also led the research team on this project. "For instance, Perl bested the pack when it came to remediating XSS vulnerabilities, which was the most prevalent vulnerability across all languages. Likewise SQL Injection had a 96% remediation rate in ColdFusion applications and every single abuse of functionality vulnerability found in ColdFusion sites was remediated."

Other interesting remediation statistics:

  • ASP is remediating at the same rate as the other languages, focusing on mission critical vulnerabilities.
  • Perl remediates 85% of all Cross-Site Scripting vulnerabilities, the highest rate among all languages but only 18% of SQL Injection.
  • Net and Java have the same remediation rate of SQL Injection at 89%.
  • ColdFusion remediates 100% of its Abuse of Functionality vulnerabilities, 96% of its SQL Injection, and 87% of Insufficient Transport Layer Protection vulnerabilities.

Industry Favorites
"Often times when we have conversations with customers or their development teams about why they believe that practicing secure coding is so challenging, they will tell us that it is because their applications are often made up of 'a little bit of everything'," said Gumbs. "In our research, however, we found that organizations tend to have a significant amount of one or two languages with a very minimal investment in the others."

Although the team found that no industry has an even breakdown, there are trends amongst industries, when it comes to language choice:

  • Financial Services has the highest number of ASP sites by count, by almost 3-to-1.
  • 83% of Gaming Industry sites written in PHP.
  • 49% of the Banking Industry applications were written in Java & 42% in .Net.
  • 32% of Manufacturing sites leveraged Perl as their language of choice.
  • The Technology sector wrote 35% of their sites in PHP.

"Ultimately we believe that just as language choice begins at the architecture and design stage of application development, security must begin here as well," said Grossman. "Understanding the impact of those decisions early will help address the management of the risk later on. Furthermore, ensuring that software is tested in all phases of development - including code reviews of web services – all the way through until the application is decommissioned is critical. We will not achieve a truly secure Web until this becomes standard operating procedure for all applications across the board."

To download the complete report, click here, or join the conversation on Twitter using #2014WebStats and by following @whitehatsec.

* WhiteHat Security defines the boundaries of a web application as a "slot." The research data was derived from slots that had at least three completed assessments.

About WhiteHat Security
Founded in 2001 and headquartered in Santa Clara, California, WhiteHat Security provides end-to-end solutions for application security. The company's cloud website vulnerability management platform and leading security engineers turn verified security intelligence into actionable insights for customers. Through a combination of core products and strategic partnerships, WhiteHat Security provides complete application security at a scale and accuracy unmatched in the industry. WhiteHat Sentinel, the company's flagship product line, currently manages thousands of websites – including sites in highly regulated industries, such as e-commerce, financial services and healthcare companies. For more information, visit www.whitehatsec.com.

SOURCE WhiteHat Security

More Stories By PR Newswire

Copyright © 2007 PR Newswire. All rights reserved. Republication or redistribution of PRNewswire content is expressly prohibited without the prior written consent of PRNewswire. PRNewswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

IoT & Smart Cities Stories
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time t...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
Bill Schmarzo, Tech Chair of "Big Data | Analytics" of upcoming CloudEXPO | DXWorldEXPO New York (November 12-13, 2018, New York City) today announced the outline and schedule of the track. "The track has been designed in experience/degree order," said Schmarzo. "So, that folks who attend the entire track can leave the conference with some of the skills necessary to get their work done when they get back to their offices. It actually ties back to some work that I'm doing at the University of San...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
DXWorldEXPO LLC announced today that Telecom Reseller has been named "Media Sponsor" of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.