Some 80% of applications written in PHP, Classic ASP and ColdFusion failed at least one of the OWASP Top 10, according to new research conducted by Veracode.
The app security firm today released a supplement to its State of Software Security: Focus on Application Development report, covering automated assessments for 208,670 separate apps over the past 18 months.
It found that applications written in web scripting languages are much more likely to contain vulnerabilities than those written in .NET or Java.
In fact, 64% of apps written in Classic ASP, 62% of those written in ColdFusion, and 56% of PHP apps were found to have at least one SQL injection vulnerability, compared to just 29% of .NET applications and 21% of Java apps.
This is particularly worrying considering the large number of web apps sitting on top of PHP-based content management platforms like WordPress and Drupal, Veracode claimed.
In fact, WordPress is notorious for frequently being targeted by hackers. Just last week researchers warned of a spike in compromises on the popular blogging platform designed to load the infamous Angler Exploit Kit.
The report also revealed that mobile applications had the highest rate of cryptographic problems—87% for Android and 80% for iOS.
This highlights the fact that few mobile developers know how to implement cryptography correctly—again a concern considering the large and growing volume of mobile apps working their way into various verticals.
Veracode also argued that ‘white box’ or static analysis (SAST) is likely to result in a 28% higher fix rate than vulnerabilities found by ‘black box’ or dynamic analysis (DAST).
The vendor’s principal solution architect, John Smith, argued that the data in this report could help developers and security teams better anticipate common vulnerabilities and take steps to mitigate them.
“For instance, in a project that is producing PHP-based applications it would make sense to take greater care to check for Cross-Site Scripting (XSS) and SQL injection vulnerabilities due to the high prevalence in apps using this language (86% and 56% respectively),” he told Infosecurity by email.
“Education is key for producing more secure code so providing clear coding guidance and training to the developers for defending against these flaws will ensure that safer applications are delivered. It is the responsibility of security experts to share relevant information and developers to apply that to their work to significantly reduce web and mobile application threats.”
Photo © Mclek