Three-quarters of applications have some sort of security flaw, although high-security flaws are found in only a quarter. PHP is the programming language with the highest prevalence of flaws while Python and JavaScript are the least affected.

These findings come from Veracode which recently brought out the 11th Edition of its annual State of Software Security report.

Veracode has been tracking the prevalence of flaws in applications for ten years. The 2020 result was based on scans of over 130,000 applications. At least one flaw was found in 76% of them and 66% had critical flaws as defined on the OWASP Top 10, a list of the 10 most common application vulnerabilities, from the Open Web Application Security Project. 

Another measure of flaw severity used is the SANS Top 25, a list of the Common Weakness Enumeration's (CWE) most dangerous software errors, and 59% of applications evidenced flaws included on it. 

Only 24% of applications had "High Severity" flaws, defined by Veracode at Level 4 (High) - such as SQL Injection and Unrestricted Upload of File with Dangerous Type - or Level 5 (Very High),  such as OS Command Injection, Eval Injection, Stack-based Buffer Overflow or Incorrect Calculation of Multi-Byte String Length.

The most common flaws found were Information Leakage (66%) which is defined as being at Level 2 - Low, then CRLF Injection (65%) and Cryptographic Issues (64%), both at Level 3 - Medium, followed by Code Quality (60%) mostly ranging from Level 0 to Level 3.

This year an analysis was done of type of vulnerability by language to produce the following heat map:

PHP stands out from this heat map as the language with the highest incidence of flaws, in particular Cross-Site Scripting and Cryptography issues, both Level 3 in terms of severity. C++ and Java have the next highest incidence with Error Handling being the weakness of the former and CRLF Injection that of the latter. Then, close on their heels, is .NET which suffers most from low severity Information Leakage but also, to a minor extent, from high severity SQL Injection. It is JavaScript and Python that stand out as being the cool languages in this heat map.

If you want to know more, not only about the vulnerabilities but also how to remediate them, the Heat Map is available as an interactive resource with the title Beat The Heat where you can click to find out more about any of the vulnerabilities. Here's the results for cross site scripting, a flaw that is almost universal where languages are concerned.

This seems a really useful resource for understanding security defects and for improving safe coding practices.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info