Top Programming Languages That Generate Most Software Security Bugs

Short Bytes: In the past, time and again, people have called the scripting languages a root cause of software vulnerability and the latest Veracode results prove the same. Using a unique metric called Flaw Density per MB, Veracode has found that PHP is one of the major causes of software vulnerabilities.

If we start investigating the root cause of the increasing vulnerabilities in CMS platforms like WordPress and Drupal, we’ll find that the root cause is their scripting language PHP. So, in order to find the languages that spawn most software bugs, security firm Veracode has analyzed 208,670 applications in the past two years and released the results.

The study methodology uses a unique metric called Flaw Density per MB. This measures the number of security issues found in each MB of source code. The report suggests that about 86% of the applications written in PHP have at least on XSS vulnerability and 56% of them have at lease one SQL injection bug.

Below is the list of top 10 programming languages that generate most software security bug:

• Classic ASP – with 1,686 flaws/MB (1,112 critical flaws/MB)
• ColdFusion – with 262 flaws/MB (227 critical flaws/MB)
• PHP – with 184 flaws/MB (47 critical flaws/MB)
• Java – with 51 flaws/MB (5.2 critical flaws/MB)
• .NET – with 32 flaws/MB (9.7 critical flaws/MB)
•  C++ – with 26 flaws/MB (8.8 critical flaws/MB)
•  iOS – with 23 flaws/MB (0.9 critical flaws/MB)
• Android – with 11 flaws/MB (0.4 critical flaws/MB)
• JavaScript – with 8 flaws/MB (0.09 critical flaws/MB)

It should be noted that PHP, being the most popular language among the top 3, is the actual leader. Calling the SQL injections a result of problems in PHP, Chris Wysopal, founder and CTO of Veracode, says, “When I see a breach, one of the things that sticks out in my head is ‘I’ll bet that was a PHP site.”

In the past, time and again, people have called the scripting languages a root cause of software vulnerability and the Veracode results prove the same.

“In particular, note that applications in truly compiled application languages like C/C++ and Objective C (iOS) have a higher OWASP pass rate than general-purpose bytecode languages like Java or .NET, while scripting languages like Classic ASP, ColdFusion and PHP have a far lower pass rate,” Veracode team notes in their report.

For more, read the complete report by Vercode’s State of Software Security Report.