Report: Scripting languages most vulnerable, mobile apps need better crypto
The report, by Boston-based security firm Veracode, was released this morning and is based on Veracode's assessment of more than a trillion lines of code for customers at large and small companies, commercial software suppliers, and open source projects.
Scripting languages lead in vulnerabilities
Overall, scripting languages like PHP had a much higher incidence of vulnerabilities than Java or .NET, said Chris Wysopal, Veracode's CTO and CISO.
"If you have a choice, don't pick a language like PHP," he said. "Unfortunately, developers aren't picking languages based on how secure they are."
In particular, PHP is commonly used for Web applications written to work with content management systems like WordPress, Joomla and Drupal. These three platforms account for more than 30 percent of all websites, according to W3Techs.
"If I was running a development team and I was stuck with PHP -- the decision was made at some point, and we had to use it -- it would be more important for my developers to get security training and look for vulnerabilities in testing," Wysopal said.
For example, scripting languages have a lower pass rate when it comes to the OWASP Top 10 list for web application vulnerabilities. ColdFusion applications, on average, had just a 17 percent pass rate, putting them at the bottom of the list. PHP came in at 19 percent, and Classic ASP at 21 percent.
By comparison, 27 percent of .NET applications passed OWASP, as did 24 percent of Java applications.
Cross-site scripting was the most common vulnerability for each of the three major scripted languages, with 86 percent of all PHP applications being vulnerable, 87 percent of ColdFusion applications, and 83 percent of Classic ASP.
SQL Injections were also common, with 62 percent of ColdFusion applications having this vulnerability, 56 percent of PHP applications, and 64 percent of Classic ASP applications.
According to Veracode, there are fewer security APIs built into Classic ASP, PHP and ColdFusion compared to .NET and Java. That means, for example, that it is more challenging to write code that is safe from SQL Injections.
"I don't think people realize what a difference the choice of language makes," said Wysopal.
Mobile cryptography
When it comes to mobile development, the single biggest security issue was weak or ineffective cryptography, the Veracode report said.
Specifically, 87 percent of Android applications and 80 percent of iOS applications had cryptographic issues.
"If you're building one of those apps, you'll need to educate your developers on doing crypto effectively," said Wysopal.
In particular, 67 percent of mobile applications had insufficient entropy in their cryptographic algorithms, 50 percent had improper validation of certificates, 41 percent stored sensitive information in clear text, and 40 percent used broken or risky cryptographic algorithms.
"A little bit of developer education on these top four things can make a big difference," he said. "A lot of mobile app developers will say, 'Of course we're encrypting the data in transit.' But a lot of times they're not doing it correctly so it can be easily broken. Writing encryption code is not enough, you have to test it and make sure it's done properly."
In other areas, however, Android and iOS apps had significant differences in areas of vulnerability.
For example, 90 percent of Android apps had problems with code quality -- programming errors not directly linked to any of the top vulnerabilities, but which could still cause logic problems or security holes. But only 14 percent of iOS apps had code quality issues.
Meanwhile, 79 percent of Android apps were vulnerable to CRLF Injection attacks, where attackers insert extra carriage return and line feed characters into data. But CRLF Injections attacks didn't even make the top ten list for iOS vulnerabilities.
Similarly, 84 percent of iOS apps had problems with error handling, but this issue didn't make the top ten list for Android vulnerabilities.
Wysopal suggested that developers use the data in this report so that they know when to pay extra attention to security.
Static and dynamic analysis
There are two basic ways that developers can use automation to find errors in their applications, said Wysopal.
Static analysis simply reads the code and looks for common mistakes.
Dynamic analysis looks at the way that applications actually behave.
"We've heard that developers like dynamic analysis because it's a real, true vulnerability," said Wysopal. "With a static vulnerability, you don't know whether it could actually be exploited in the real world."
However, he said, he was surprised to find out that developers are 28 percent more likely to fix a vulnerability found via static analysis than dynamic analysis.
"I think the reason is that static analysis points to the line of code where the error is," he said. "Dynamic analysis doesn't do that."