Report: Scripting languages most vulnerable, mobile apps need better crypto

According to an analysis of over 200,000 applications, PHP is the language with the most vulnerabilities, and mobile apps suffer from cryptography problems

According to an analysis of over 200,000 applications, PHP is the programming language with the most vulnerabilities, mobile apps suffer from cryptography problems, and developers are more likely to fix errors found with static instead of dynamic analysis.

The report, by Boston-based security firm Veracode, was released this morning and is based on Veracode's assessment of more than a trillion lines of code for customers at large and small companies, commercial software suppliers, and open source projects.

Scripting languages lead in vulnerabilities

Overall, scripting languages like PHP had a much higher incidence of vulnerabilities than Java or .NET, said Chris Wysopal, Veracode's CTO and CISO.

"If you have a choice, don't pick a language like PHP," he said. "Unfortunately, developers aren't picking languages based on how secure they are."

In particular, PHP is commonly used for Web applications written to work with content management systems like WordPress, Joomla and Drupal. These three platforms account for more than 30 percent of all websites, according to W3Techs.

"If I was running a development team and I was stuck with PHP -- the decision was made at some point, and we had to use it -- it would be more important for my developers to get security training and look for vulnerabilities in testing," Wysopal said.

For example, scripting languages have a lower pass rate when assessed against the OWASP Top 10 list of web application vulnerabilities. ColdFusion applications, on average, had just a 17 percent pass rate, putting them at the bottom of the list. PHP came in at 19 percent, and Classic ASP at 21 percent.

By comparison, 27 percent of .NET applications passed the OWASP Top 10 assessment, as did 24 percent of Java applications.

Cross-site scripting was the most common vulnerability for each of the three scripting languages: 86 percent of PHP applications, 87 percent of ColdFusion applications, and 83 percent of Classic ASP applications were vulnerable.

SQL injection was also common, affecting 62 percent of ColdFusion applications, 56 percent of PHP applications, and 64 percent of Classic ASP applications.

According to Veracode, fewer security APIs are built into Classic ASP, PHP and ColdFusion than into .NET and Java. That means, for example, that it is more challenging to write code that is safe from SQL injection.

"I don't think people realize what a difference the choice of language makes," said Wysopal.

Mobile cryptography

When it comes to mobile development, the single biggest security issue was weak or ineffective cryptography, the Veracode report said.

Specifically, 87 percent of Android applications and 80 percent of iOS applications had cryptographic issues.

"If you're building one of those apps, you'll need to educate your developers on doing crypto effectively," said Wysopal.

In particular, 67 percent of mobile applications had insufficient entropy in their cryptographic algorithms, 50 percent had improper validation of certificates, 41 percent stored sensitive information in clear text, and 40 percent used broken or risky cryptographic algorithms.

"A little bit of developer education on these top four things can make a big difference," he said. "A lot of mobile app developers will say, 'Of course we're encrypting the data in transit.' But a lot of times they're not doing it correctly so it can be easily broken. Writing encryption code is not enough, you have to test it and make sure it's done properly."

In other areas, however, Android and iOS apps had significant differences in areas of vulnerability.

For example, 90 percent of Android apps had problems with code quality -- programming errors not directly linked to any of the top vulnerabilities, but which could still cause logic problems or security holes. But only 14 percent of iOS apps had code quality issues.

Meanwhile, 79 percent of Android apps were vulnerable to CRLF injection attacks, where attackers insert extra carriage return and line feed characters into data. But CRLF injection attacks didn't even make the top ten list for iOS vulnerabilities.
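As an added illustration (not code from the report or the article), the following shows why CR/LF in user-supplied data matters in a line-oriented protocol, alongside a validator that rejects such values and a small detector for flagging them; the header name and sample values are constructed for this example.

```python
import re
from typing import Iterable, List

# Constructed sample inputs (not taken from the report).
SAFE_NAME = "alice"
INJECTED_NAME = "alice\r\nX-Injected: true"

CRLF = re.compile(r"[\r\n]")


def build_header_unsafely(name: str) -> str:
    """The failure mode the article describes: user input is concatenated
    straight into a line-oriented header block, so an embedded CR/LF ends
    the line early and whatever follows is parsed as a new header."""
    return f"X-User: {name}\r\n"


def header_lines(raw: str) -> List[str]:
    """Split a header block the way a line-oriented parser would."""
    return [line for line in raw.split("\r\n") if line]


def build_header_safely(name: str) -> str:
    """Mitigation: refuse any value containing CR or LF before it reaches
    the protocol layer. Rejecting is preferable to silently stripping,
    because a stripped value may no longer be what the caller intended."""
    if CRLF.search(name):
        raise ValueError("header value must not contain CR or LF")
    return f"X-User: {name}\r\n"


def detect_crlf(values: Iterable[str]) -> List[str]:
    """Detection side: return the inputs (for example, request parameters
    pulled from an access log) that carry CR/LF, for review."""
    return [v for v in values if CRLF.search(v)]


if __name__ == "__main__":
    # The unsafe builder turns one logical header into two.
    print(header_lines(build_header_unsafely(INJECTED_NAME)))
    # The safe builder refuses the same input.
    try:
        build_header_safely(INJECTED_NAME)
    except ValueError as exc:
        print("rejected:", exc)
    print(detect_crlf([SAFE_NAME, INJECTED_NAME]))
```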

Similarly, 84 percent of iOS apps had problems with error handling, but this issue didn't make the top ten list for Android vulnerabilities.

Wysopal suggested that developers use the data in this report so that they know when to pay extra attention to security.

Static and dynamic analysis

There are two basic ways that developers can use automation to find errors in their applications, said Wysopal.

Static analysis simply reads the code and looks for common mistakes.

Dynamic analysis looks at the way that applications actually behave.

"We've heard that developers like dynamic analysis because it's a real, true vulnerability," said Wysopal. "With a static vulnerability, you don't know whether it could actually be exploited in the real world."

However, he said, he was surprised to find out that developers are 28 percent more likely to fix a vulnerability found via static analysis than dynamic analysis.

"I think the reason is that static analysis points to the line of code where the error is," he said. "Dynamic analysis doesn't do that."

Stories by Maria Korolov