Research shows vulnerabilities go unfixed longer in ASP

Remediation of vulnerabilities varies among programming languages

While there is no significant difference in the number of security vulnerabilities found, on average, in widely used programming languages such as .NET, Java and ASP, the number of days it takes to fix them can differ noticeably, a WhiteHat Security report reveals.

The 2014 Website Security Statistics Report found that cross-site scripting (XSS) was the top vulnerability class in every language except .NET, where information leakage, last year's number one vulnerability, led instead.

In the report, ColdFusion had the highest rate of SQL injection vulnerabilities, at 11 percent, ahead of ASP (eight percent) and .NET (six percent). The differences among languages were narrower, under 2 percent, for cross-site request forgery.

Research showed that vulnerabilities stay open for numerous reasons, but the number of days it took to fix them varied from language to language, with ASP vulnerabilities staying open the longest at a median of 139 days. PHP was not far behind, with vulnerabilities going unfixed for 129.5 days on average, while Java's average was far lower at 90.9 days.
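Note that the paragraph above quotes a median for ASP but averages for PHP and Java; the two can diverge sharply when a few findings sit open for a long time. The following added example (not WhiteHat's code or data, and not part of the article) computes both statistics per language and per vulnerability class from a constructed set of scanner findings. It also makes explicit a choice that time-to-fix figures usually hide: findings still open at the report date have no fix date, so either they are excluded (the usual "time to fix") or counted as open up to an assumed report cut-off, and the two views give different numbers. All findings, dates and the `REPORT_DATE` cut-off below are invented.

```python
"""Time-to-fix statistics per language and vulnerability class.

Added example for this article; the findings below are constructed, not
WhiteHat data, and the language/class labels are just sample values.
"""
from collections import defaultdict
from datetime import date
from statistics import mean, median

# Constructed findings: (language, vulnerability class, date opened,
# date closed or None if still open at the report date). Not real data.
SAMPLE_FINDINGS = [
    ("ASP",  "XSS",  date(2013, 1, 1), date(2013, 4, 11)),  # 100 days
    ("ASP",  "XSS",  date(2013, 1, 1), date(2013, 6, 10)),  # 160 days
    ("ASP",  "XSS",  date(2013, 7, 1), None),               # still open
    ("PHP",  "SQLi", date(2013, 3, 1), date(2013, 3, 6)),   # 5 days
    ("PHP",  "SQLi", date(2013, 3, 1), date(2013, 3, 10)),  # 9 days
    ("PHP",  "XSS",  date(2013, 2, 1), date(2013, 6, 1)),   # 120 days
    ("Java", "XSS",  date(2013, 1, 1), date(2013, 4, 1)),   # 90 days
    ("Java", "XSS",  date(2013, 5, 1), date(2013, 5, 31)),  # 30 days
]

REPORT_DATE = date(2013, 12, 31)  # assumed cut-off for the constructed data


def days_open(opened, closed, as_of):
    """Days a finding was (or has been) open; open findings run up to as_of."""
    end = closed if closed is not None else as_of
    if end < opened:
        raise ValueError("closed/as_of date precedes opened date")
    return (end - opened).days


def summarize(values):
    """Count, mean (rounded to one decimal) and median of a list of day counts."""
    return {"n": len(values), "mean": round(mean(values), 1), "median": median(values)}


def time_to_fix(findings, as_of=REPORT_DATE, include_open=False,
                key=lambda f: (f[0], f[1])):
    """Group findings by key(finding) and summarize days open per group.

    include_open=False gives the usual 'time to fix' metric (fixed findings
    only); include_open=True counts still-open findings as open up to as_of,
    which is what a 'days open so far' view needs.
    """
    buckets = defaultdict(list)
    for finding in findings:
        _lang, _cls, opened, closed = finding
        if closed is None and not include_open:
            continue
        buckets[key(finding)].append(days_open(opened, closed, as_of))
    return {k: summarize(v) for k, v in buckets.items()}


def by_language(findings, **kwargs):
    """Per-language summary with all vulnerability classes pooled."""
    return time_to_fix(findings, key=lambda f: f[0], **kwargs)


def by_class(findings, **kwargs):
    """Summary per (language, vulnerability class) pair."""
    return time_to_fix(findings, key=lambda f: (f[0], f[1]), **kwargs)


def slowest_languages(findings, stat="median", **kwargs):
    """Languages ordered from longest to shortest time to fix by the given stat."""
    stats = by_language(findings, **kwargs)
    return sorted(stats, key=lambda lang: stats[lang][stat], reverse=True)


if __name__ == "__main__":
    for lang, s in sorted(by_language(SAMPLE_FINDINGS).items()):
        print(f"{lang:5} fixed={s['n']} mean={s['mean']:6.1f} median={s['median']:6.1f}")
    print("slowest by median:", slowest_languages(SAMPLE_FINDINGS))
    print("ASP XSS counting still-open findings:",
          by_class(SAMPLE_FINDINGS, include_open=True)[("ASP", "XSS")])
```

On the constructed data PHP's pooled mean (44.7 days) is five times its median (9 days) because one slow XSS fix dominates two quick SQL injection fixes, which is why comparing one language's median against another's average, as the article does, can mislead. Counting the still-open ASP finding as open up to the cut-off raises ASP's XSS figure from a mean of 130 to 147.7 days, so a report should state which convention it uses.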

Broken down by class, XSS vulnerabilities stayed open the longest in Perl and ASP, averaging 184 and 135 days, respectively. .NET fared only slightly better, with XSS remaining unfixed for an average of 126 days. The study surmised that XSS takes considerable effort to address regardless of the development language used.

ColdFusion took the biggest hit on SQL injection, with those vulnerabilities remaining open 107.4 days on average. PHP logged the fewest days at 6.8, followed by Perl at 19.4.

WhiteHat noted that the vulnerability class with the highest average number of days open was weak password recovery validation in ASP websites. That could be attributed to “the complexities of the language itself, programming experience necessary, or simply that this vulnerability class is not a priority in that environment,” the report said.

Page 1 of 2