While there is no significant difference in the number of security vulnerabilities found, on average, in widely used programming languages such as .NET, Java and ASP, the number of days it takes to fix them can differ noticeably, a WhiteHat Security report reveals.
The 2014 Website Security Statistics Report found that cross-site scripting (XSS) was the top vulnerability in every language except .NET, where information leakage, the previous year's number one vulnerability, was the most common class.
In the report, ColdFusion had the highest rate of SQL injection vulnerabilities (11 percent), ahead of ASP (eight percent) and .NET (six percent). The differences among the languages were narrower, less than 2 percent, for cross-site request forgery.
Research showed that vulnerabilities stay open for numerous reasons, but the number of days it took to fix them varied from language to language, with ASP vulnerabilities staying open the longest, a median of 139 days. PHP was not far behind, with vulnerabilities going unfixed for 129.5 days on average. Java's average was far lower at 90.9 days.
When looked at by class, XSS vulnerabilities in particular stayed open the longest in Perl and ASP, averaging 184 and 135 days, respectively. .NET showed only slightly better results, with XSS remaining unfixed for an average of 126 days. The study surmised that XSS required considerable effort to address no matter which development language was used.
ColdFusion took the biggest hit when it came to SQL injection, with those vulnerabilities remaining open 107.4 days on average. PHP logged the fewest days at 6.8, followed by Perl at 19.4 days.
WhiteHat noted that the vulnerability class logging the highest number of days open, on average, was weak password recovery validation in ASP websites. That could be attributed to “the complexities of the language itself, programming experience necessary, or simply that this vulnerability class is not a priority in that environment,” the report said.
Calling remediation rate the “key accountability metric in any web application security program,” the study found that ColdFusion had the best overall remediation rate, at 74.3 percent, while PHP had the lowest observable remediation rate and Perl had the longest remediation time for XSS, 265 days.
“We did not expect to see the remediation rates of ASP Classic on par with .Net and Java,” Gabe Gumbs, director of solutions architecture at WhiteHat and co-author of this year's report, told SCMagazine in an email. “This suggests that while these applications could not be retired, measured decisions were being made to keep addressing the vulnerabilities found within.”
The study said that, while XSS is affected by language choice, it can be managed through regular assessments and focused remediation. The researchers contend that companies should not rely on frameworks alone to provide protection. To better protect themselves, Gumbs recommended that “organizations need to do away with the ‘find and fix’ approach to vulnerability assessment and instead adopt a risk-based approach that leverages a clear management method for application security and that relies on quantifying risk in dollars and cents as the main drivers for security decisions.”
The study also advocated integrating application security into existing information governance frameworks, saying that doing so “is vital for the reduction in the risk that is inherent in web applications.”