Veracode Reveals Security Flaws
Written by Alex Armstrong   
Tuesday, 12 January 2021

Three-quarters of applications have some sort of security flaw, although high-severity flaws are found in only a quarter. PHP is the programming language with the highest prevalence of flaws, while Python and JavaScript are the least affected.

These findings come from Veracode, which recently brought out the 11th Edition of its annual State of Software Security report.

Veracode has been tracking the prevalence of flaws in applications for ten years. The 2020 result was based on scans of over 130,000 applications. At least one flaw was found in 76% of them and 66% had critical flaws as defined on the OWASP Top 10, a list of the 10 most common application vulnerabilities, from the Open Web Application Security Project.

Another measure of flaw severity used is the SANS Top 25, a list of the Common Weakness Enumeration's (CWE) most dangerous software errors, and 59% of applications evidenced flaws included on it. 

Only 24% of applications had "High Severity" flaws, defined by Veracode at Level 4 (High), such as SQL Injection and Unrestricted Upload of File with Dangerous Type, or Level 5 (Very High), such as OS Command Injection, Eval Injection, Stack-based Buffer Overflow or Incorrect Calculation of Multi-Byte String Length.

The most common flaws found were Information Leakage (66%), which is defined as being at Level 2 - Low, then CRLF Injection (65%) and Cryptographic Issues (64%), both at Level 3 - Medium, followed by Code Quality (60%), mostly ranging from Level 0 to Level 3.

This year the report analyzed type of vulnerability by language to produce the following heat map:

[Figure: heat map of vulnerability type by language]

PHP stands out from this heat map as the language with the highest incidence of flaws, in particular Cross-Site Scripting and Cryptography issues, both Level 3 in terms of severity. C++ and Java have the next highest incidence, with Error Handling being the weakness of the former and CRLF Injection that of the latter. Then, close on their heels, is .NET, which suffers most from low-severity Information Leakage but also, to a minor extent, from high-severity SQL Injection. It is JavaScript and Python that stand out as being the cool languages in this heat map.

If you want to know more, not only about the vulnerabilities but also how to remediate them, the Heat Map is available as an interactive resource with the title Beat The Heat, where you can click to find out more about any of the vulnerabilities. Here are the results for cross-site scripting, a flaw that is almost universal where languages are concerned.

[Figure: Beat The Heat results for cross-site scripting]

This seems a really useful resource for understanding security defects and for improving safe coding practices.

 


More Information

State of Software Security Vol 11: Flaw Frequency By Language

Veracode


Last Updated ( Tuesday, 12 January 2021 )