Slashdot Mirror


The Top Programming Languages That Spawn the Most Security Bugs (softpedia.com)

An anonymous reader writes: Veracode has put together a report after static analysis of over 200,000 apps, and its results show that Classic ASP, ColdFusion, and PHP generated the most security bugs in scanned applications. Ignoring the first two, which are almost extinct languages, PHP, used for Drupal, Joomla, and WordPress (which recently announced it runs a quarter of the Internet), is the programming language with the most security woes.

4 of 241 comments

  1. normalized? by Anonymous Coward · Score: 5, Insightful

    The Internet is a lot bigger now, so you'd expect more discovered PHP bugs than ColdFusion bugs.

    Coming up next, there are more operating systems written in C than Fortran, so you will find more root privilege escalations in C than Fortran.

  2. Re:Are all ten of them Java? by tompaulco · Score: 5, Interesting

    Just wondering.

    Java is the 4th highest, with about 2% of the flaws found being Java. I'm really shocked that Java shows up higher on the list than Javascript. If ever there was a language where people copy and paste somebody's working code and try to mangle it to work for their own purposes with no understanding of the actual language or security thereof, it is Javascript.

    --
    If you are not allowed to question your government then the government has answered your question.

  3. Re:What's a "programming language"? by tjarrett · Score: 5, Informative

    I'm an author of this report, so thought I'd offer some feedback.

    First, the iOS applications that Veracode scans are written in Objective C (and probably some C or C++). And the Android apps are written in Java. (Yes, you can write iOS and Android apps using portability frameworks like PhoneGap; we separate those findings out into a separate category.) We used iOS and Android as shorthand so that (a) readers would more readily make the connection with what ObjectiveC meant, and (b) we could separate Java used in Android, which has a distinctive risk landscape, from Java used in other applications.

    Second, we chose to report on application prevalence, or the number of applications showing at least one instance of the vulnerability, rather than the number of vulnerability occurrences. The application prevalence metric is more meaningful when talking about the overall risk of a large number of applications. There is value in the vulnerability prevalence metric when it comes to planning remediation effort, but for this study we focused on the former.

    Third, we do report average flaw density metrics in the appendix of the study, along with a discussion of some of the limitations of this metric. I suggest reviewing the actual study (it's only about 20 pages) and then posting any additional questions.

    Thanks for the questions and keep them coming.

  4. Re:The problem is not the language, it is the code by xxxJonBoyxxx · Score: 5, Informative

    >> above will allow you to take the user entered name and put it into a SQL query without fear of little Bobby Tables wreaking havoc with your systems

    [FACEPALM/] That's not even "checking user input" (i.e., making sure the user submitted an expected response) - that's "mindless scrubbing of a single naughty character."

    Please send me a couple of the URLs where your apps live and I'll just go get the rest of what I want from there.
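To make the distinction in the last comment concrete, here is an added example (not code from the thread or from the commenter; written in Python with sqlite3 rather than PHP, against a constructed `users` table): a lookup that only strips single quotes before concatenating into SQL, beside one that checks the input is an expected response and binds it as a parameter.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database; not from the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    conn.commit()
    return conn


def scrub_quote(user_input):
    """'Mindless scrubbing of a single naughty character': drop single quotes only."""
    return user_input.replace("'", "")


def lookup_scrubbed(conn, user_id):
    """Concatenation after scrubbing. In a numeric context the quote scrub is
    irrelevant: whatever remains is still handed to the SQL parser as SQL."""
    sql = "SELECT name FROM users WHERE id = " + scrub_quote(user_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_id):
    """Checking user input: the field must be an expected response (a positive
    integer), and the value is bound as a parameter, never spliced into SQL text."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", user_id):
        raise ValueError("user_id must be a positive integer")
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (int(user_id),))
    return [row[0] for row in rows]


def safe_rejects(conn, user_input):
    """True if the validated lookup refuses the input instead of querying."""
    try:
        lookup_safe(conn, user_input)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(lookup_scrubbed(db, "2"), lookup_scrubbed(db, "2 OR 1=1"))
    print(lookup_safe(db, "2"), safe_rejects(db, "2 OR 1=1"))
```

The second input contains no quote, so the scrub leaves it untouched and the concatenated query returns every row; the validated version rejects it before any SQL runs.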