Press Releases :: WhiteHat Security Reveals Relative Security of Web Programming Languages in 2014 Website Security Statistics Report
SANTA CLARA, Calif. – April 15, 2014 – WhiteHat Security, the Web security company, today announced the latest edition of the WhiteHat Security Website Security Statistics Report, which takes a deeper look into the security of a number of the most popular programming languages including .Net, Java, ColdFusion, ASP and more.
“Deciding which programming language to use is often based on considerations such as what the development team is most familiar with, what will generate code the fastest, or simply what will get the job done,” said Jeremiah Grossman, founder and iCEO of WhiteHat Security. “How secure the language might be is simply an afterthought, which is usually too late.
“As an industry we lack sufficient security data that teams can rely on in the language selection process for their project,” continued Grossman. “This report approaches application security not from the standpoint of what risks exist on sites and applications once they have been pushed into production, but rather by examining how the languages themselves perform in the field. In doing so, we hope to elevate security considerations and deepen those conversations earlier in the decision process, which will ultimately lead to more secure websites and applications.”
WhiteHat researchers examined the vulnerability assessment results of the more than 30,000 websites under WhiteHat Security management to measure how the underlying programming languages and frameworks perform in the field. With that information, the report yields key findings around which languages are most prone to which classes of attack, for how often and how long as well as a determination as to whether or not popular modern languages and frameworks yield similar results in production websites.
New vs. Legacy Languages
The popularity and complexity of .Net, Java and ASP, mean that the potential attack surfaces for each language is larger; as such, 31% of vulnerabilities were observed in .Net, 28% were found in Java and 15% were found in ASP.
From there, WhiteHat researchers had these key observations:
From a vulnerability class perspective, the research team made these discoveries:
Other interesting remediation statistics:
Although the team found that no industry has an even breakdown, there are trends amongst industries, when it comes to language choice:
“Ultimately we believe that just as language choice begins at the architecture and design stage of application development, security must begin here as well,” said Grossman. “Understanding the impact of those decisions early will help address the management of the risk later on. Furthermore, ensuring that software is tested in all phases of development - including code reviews of web services – all the way through until the application is decommissioned is critical. We will not achieve a truly secure Web until this becomes standard operating procedure for all applications across the board.”
* WhiteHat Security defines the boundaries of a web application as a “slot.” The research data was derived from slots that had at least three completed assessments.
About WhiteHat Security
Founded in 2001 and headquartered in Santa Clara, California, WhiteHat Security provides end-to-end solutions for application security. The company’s cloud website vulnerability management platform and leading security engineers turn verified security intelligence into actionable insights for customers. Through a combination of core products and strategic partnerships, WhiteHat Security provides complete application security at a scale and accuracy unmatched in the industry. WhiteHat Sentinel, the company’s flagship product line, currently manages thousands of websites – including sites in highly regulated industries, such as e-commerce, financial services and healthcare companies. For more information, visit www.whitehatsec.com.