Four out of five applications written in popular web scripting languages contain at least one of the critical risks in an industry-standard security benchmark, according to a report from Veracode.
Veracode’s analytics show that 86% of PHP-based applications contain at least one cross-site scripting (XSS) vulnerability and 56% have at least one SQL injection (SQLi) vulnerability.
XSS and SQLi are among the top 10 most critical web application security risks identified by the Open Web Application Security Project (Owasp).
The findings raise concern over potential security vulnerabilities in millions of websites, according to Veracode’s Supplement to the 2015 State of Software Security report.
According to the code analysis firm, the size of the risk is underlined by the volume of PHP applications developed for the top three content management systems (CMS) – WordPress, Drupal and Joomla – which represent more than 70% of the CMS market.
These vulnerability trends are also seen across the wider family of web scripting languages, where applications written in Classic ASP and ColdFusion are nearly twice as likely to contain these flaws compared with more modern languages such as .NET and Java.
Veracode’s cloud-based platform has assessed more than a trillion lines of code for critical vulnerabilities that can lead to large-scale breaches.
The 2015 report captures data collected over the past 18 months from more than 200,000 automated assessments performed for Veracode’s customers across a range of industries and geographies.
As enterprises shift to continuous delivery and other DevOps innovations, the pressure is mounting to produce more secure software faster. Yet, according to the Sans Institute, less than 26% of organisations have mandated, ongoing secure coding education programmes.
Organised by programming language type, Veracode’s supplement to the 2015 State of Software Security Report is aimed at helping organisations plan for application development, as well as prioritise assessment and remediation activities.
Web script language changes security
The supplementary report found that the design of a language matters when it comes to security.
The report notes that some languages are designed from the ground up to avoid certain vulnerability classes. For example, by removing the need for developers to directly allocate memory, Java and .NET eliminate almost entirely vulnerabilities dealing with memory allocation (such as buffer overflows). Similarly, the default behaviours of some ASP.NET controls avoid common issues related to cross-site scripting.
The supplementary report found that the operating environment of the language also matters to security.
Some vulnerabilities are only relevant in certain execution environments. For instance, some categories of information leakage are most acute in the mobile environment, which combines large volumes of personal data with a plethora of always-on networking capabilities.
Another key finding of the supplementary report is that mobile development project teams need to focus on encryption.
Veracode’s analysis found that 87% of Android apps and 80% of iOS apps contained cryptographic issues. The report said this suggests that while mobile app developers may be aware of the need for cryptography to protect sensitive data and thus use it in their applications, few of them know how to implement it correctly. The report said this is particularly concerning, given the rapid adoption of mobile applications in the healthcare industry.
“When organisations are starting new development projects and selecting languages and methodologies, the security team has an opportunity to anticipate the types of vulnerabilities that are likely to arise and how best to assess for them,” said Chris Wysopal, Veracode chief information security officer and chief technology officer.
“The data in this report can inform decisions around language selection, developer training and which assessment techniques to use to make the inevitable remediation process less onerous,” he said.
Veracode said the data also indicates that developer education through eLearning services has a big impact on reducing application-layer risk.
According to the firm, development organisations that use Veracode’s eLearning services improve the security of their code by 30%, compared with those without a formal educational programme.
Veracode’s reports are based on continuously updated information from Veracode’s cloud-based platform, with data coming from actual code-level analysis of billions of lines of code across a range of industries and geographies.