Remediation of vulnerabilities vary among programming languages
Remediation of vulnerabilities vary among programming languages

While there is no significant difference between the number of security vulnerabilities found, on average, in widely used programming languages, like .Net, Java and ASP,  the number of days it takes to make fixes can differ noticeably, a WhiteHat Security report reveals.

The 2014 Website Security Statistics Report found that cross-site scripting (XSS) was the top vulnerability found in all languages, except .Net. That programming language was primarily plagued with information leakage, last year's number one vulnerability.

In the report, ColdFusion had the highest rate –11 percent – of SQL injection vulnerabilities, ahead of ASP (with eight percent) and .NET (with six percent). The differences were more narrow – less than 2 percent – among the languages for cross-site request forgery.

Research showed that vulnerabilities stay open for numerous reasons, but the number of days it took to fix them varied from language to language with ASP vulnerabilities staying open the longest – a median of 139 days. PHP was not far behind with vulnerabilities going unfixed for 129.5 days on average. Java's average was far lower at 90.9 days.

When looked at by class, XSS vulnerabilities in particular stayed open the longest in Perl and ASP, averaging 184 and 135 days, respectively. .NET showed only slightly better results, however, with XSS remaining unfixed for an average of 126 days.The study surmised that XSS required quite a bit of effort to address no matter which development language was used.

ColdFusion took the biggest hit when it came to SQL injections, with those vulnerabilities remaining open 107.4 days on average. PHP logged the fewest number of days at 6.8, followed by Perl at 19.4 days.

WhiteHat noted that the vulnerability logging the highest number of days open, on average, was weak password recovery validation in ASP Websites. That could be attributed to “the complexities of the language itself, programming experience necessary, or simply that this vulnerability class is not a priority in that environment,” the report said.