WhiteHat Security recently released the results of a rather interesting study. Normally, studies of Web application security look at which type of vulnerability is most common or most dangerous to a web site. This study, however, looked into which programming language is the most secure among the many used to create Web based applications.
As any frequent visitor to the various Internet forums knows, these results are sure to spark a plethora of flame wars among developers and security experts who stand up to defend their language of choice while at the same time finding flaws in another's preference. These debates are healthy in that they do expose vulnerabilities in the various languages; however, many of the "facts" are based on hearsay and insinuation. By taking emotion out of the debate, this report is able to take an outside look at which language presents the most risk. To gauge the results more accurately, the report also ignored attack surface and counted the number of vulnerabilities found in a Web application written in a particular language, rather than how many vulnerable applications were found in a particular language across the sample.
The results were measured in many different ways, yet two separate categories garner the most interest. The first one we will look at is the average number of serious vulnerabilities found over an application's lifetime, broken down by the specific language in which it was written. The following ranks them in order:
Additionally, the length of time it took to fix a vulnerability found in a specific language is of interest. The report dissects these results by specific vulnerability, but by looking at two of the most common and most dangerous threats, SQL Injection and Cross-Site Scripting, you can see a rather frightening pattern. These are ranked in order from highest to lowest by the number of days it took to patch an XSS vulnerability:
With so many cyber criminals using automated tools to find and attack vulnerable web sites, these numbers are simply unacceptable. While fingers can be pointed at developers, management, executives, etc., the fact remains that tools need to be deployed to protect Web applications against these threats. Code reviews are great, and they are the best way to find the source of a vulnerability so that it can be fixed for good; however, the data shows that they cannot be the only route an organization takes to secure its web sites, or those sites are as good as compromised. Without tools like Web Application Firewalls to stop attacks before the vulnerabilities can be fixed, Web applications will continue to be sitting ducks.