Short Bytes: In the past, time and again, people have called the scripting languages a root cause of software vulnerability and the latest Veracode results prove the same. Using a unique metric called Flaw Density per MB, Veracode has found that PHP is one of the major causes of software vulnerabilities.
The study methodology uses a unique metric called Flaw Density per MB. This measures the number of security issues found in each MB of source code. The report suggests that about 86% of the applications written in PHP have at least on XSS vulnerability and 56% of them have at lease one SQL injection bug.
Below is the list of top 10 programming languages and platforms that generate most software security bug:
- Classic ASP – with 1,686 flaws/MB (1,112 critical flaws/MB)
- ColdFusion – with 262 flaws/MB (227 critical flaws/MB)
- PHP – with 184 flaws/MB (47 critical flaws/MB)
- Java – with 51 flaws/MB (5.2 critical flaws/MB)
- .NET – with 32 flaws/MB (9.7 critical flaws/MB)
- C++ – with 26 flaws/MB (8.8 critical flaws/MB)
- iOS – with 23 flaws/MB (0.9 critical flaws/MB)
- Android – with 11 flaws/MB (0.4 critical flaws/MB)
It should be noted that PHP, being the most popular language among the top 3, is the actual leader. Calling the SQL injections a result of problems in PHP, Chris Wysopal, founder and CTO of Veracode, says, “When I see a breach, one of the things that sticks out in my head is ‘I’ll bet that was a PHP site.”
Find your dream job
In the past, time and again, people have called the scripting languages a root cause of software vulnerability and the Veracode results prove the same.
“In particular, note that applications in truly compiled application languages like C/C++ and Objective C (iOS) have a higher OWASP pass rate than general-purpose bytecode languages like Java or .NET, while scripting languages like Classic ASP, ColdFusion and PHP have a far lower pass rate,” Veracode team notes in their report.
For more, read the complete report by Vercode’s State of Software Security Report.
Add your views in the comments below.