On December 3, 2015, Veracode released their bi-annual State of Software Security (SOSS) Report that draws on more than 200,000 application scans and trillions of lines of code. The goal of the report was to analyse how different programming languages and platforms correlate to critical software security issues.
The findings showed that some programming languages are more prone to security risks than others. Here we look at three key takeaways from the report’s supplement.
- Particularly worrying is the fact that PHP exhibits high security risk. Of the applications written in PHP, 86% showed at least 1 cross-site scripting vulnerability, 81% failed to meet OWASP Top 10 standards, and 56% displayed at least 1 SQL injection vulnerability.
- The vast majority of mobile apps suffer from cryptographic issues due to poor crypto implementation by developers. In total, 87% of Android apps and 80% of iOS apps that were scanned for the report displayed cryptographic issues.
- Java and .NET are among the safest languages as their design almost entirely eliminates the risk of buffer overflow. They performed the best in terms of avoiding SQL injection and cross-site scripting attacks.
The findings could be indicative of the accessibility of PHP to new developers when compared to Java and .NET, but it does highlight the importance of carefully considering your development options.