Veracode Reveals Security Flaws
Written by Alex Armstrong   
Tuesday, 12 January 2021

Three-quarters of applications have some sort of security flaw, although high-severity flaws are found in only a quarter. PHP is the programming language with the highest prevalence of flaws, while Python and JavaScript are the least affected.

These findings come from Veracode which recently brought out the 11th Edition of its annual State of Software Security report.

Veracode has been tracking the prevalence of flaws in applications for ten years. The 2020 result was based on scans of over 130,000 applications. At least one flaw was found in 76% of them and 66% had critical flaws as defined on the OWASP Top 10, a list of the 10 most common application vulnerabilities, from the Open Web Application Security Project. 


Another measure of flaw severity used is the SANS Top 25, a list of the Common Weakness Enumeration's (CWE) most dangerous software errors, and 59% of applications exhibited flaws included on it.

Only 24% of applications had "High Severity" flaws, defined by Veracode as Level 4 (High) - such as SQL Injection and Unrestricted Upload of File with Dangerous Type - or Level 5 (Very High), such as OS Command Injection, Eval Injection, Stack-based Buffer Overflow or Incorrect Calculation of Multi-Byte String Length.

The most common flaws found were Information Leakage (66%) which is defined as being at Level 2 - Low, then CRLF Injection (65%) and Cryptographic Issues (64%), both at Level 3 - Medium, followed by Code Quality (60%) mostly ranging from Level 0 to Level 3.

This year an analysis was done of the type of vulnerability by language to produce the following heat map:


PHP stands out from this heat map as the language with the highest incidence of flaws, in particular Cross-Site Scripting and Cryptography issues, both Level 3 in terms of severity. C++ and Java have the next highest incidence with Error Handling being the weakness of the former and CRLF Injection that of the latter. Then, close on their heels, is .NET which suffers most from low severity Information Leakage but also, to a minor extent, from high severity SQL Injection. It is JavaScript and Python that stand out as being the cool languages in this heat map.

If you want to know more, not only about the vulnerabilities but also how to remediate them, the Heat Map is available as an interactive resource with the title Beat The Heat, where you can click to find out more about any of the vulnerabilities. Here are the results for cross-site scripting, a flaw that is almost universal where languages are concerned.
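To make two of the flaw classes named above concrete, here is an added example, written for this article and not taken from Veracode's report or the Beat The Heat resource, showing CRLF Injection and Cross-Site Scripting as a vulnerable helper beside its hardened form. The function names, the header layout and the sample inputs are all constructed for the illustration.

```python
"""Vulnerable and hardened forms of two flaw classes the Veracode report
counts: CRLF Injection (a header value that can start a new header line)
and Cross-Site Scripting (user text interpolated into HTML unescaped).
Constructed illustration; not Veracode's code and not tied to a real app."""
import html
import re

# A header value must never contain CR or LF: either character lets the
# value terminate the current header line and begin another one.
_CRLF = re.compile(r"[\r\n]")


def header_value_is_clean(value: str) -> bool:
    """True when the value can be placed in an HTTP header unchanged."""
    return _CRLF.search(value) is None


def redirect_headers_vulnerable(location: str) -> list:
    """'Before' form: the Location value is concatenated in unchecked, so a
    value carrying CR/LF produces extra header lines in the response."""
    raw = f"Location: {location}\r\nContent-Length: 0\r\n"
    return raw.split("\r\n")[:-1]          # one list entry per header line


def redirect_headers_safe(location: str) -> list:
    """Hardened form: reject a value containing CR or LF instead of trying to
    strip it (stripping silently changes the value the caller intended)."""
    if not header_value_is_clean(location):
        raise ValueError("header value must not contain CR or LF")
    return [f"Location: {location}", "Content-Length: 0"]


def greeting_vulnerable(name: str) -> str:
    """'Before' form: user-supplied text goes straight into the HTML body."""
    return f"<p>Hello, {name}!</p>"


def greeting_safe(name: str) -> str:
    """Hardened form: escape for the HTML text context; quote=True also
    escapes ' and ", so the same helper is safe inside attribute values."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    # Constructed sample inputs: a benign value and one carrying CR/LF.
    print(redirect_headers_vulnerable("/home"))
    print(redirect_headers_vulnerable("/home\r\nX-Injected: 1"))  # 3 lines
    print(redirect_headers_safe("/home"))
    print(greeting_safe("<b>Alice</b>"))
```

The hardened header function refuses the value rather than sanitising it, which is also the behaviour of modern HTTP libraries; the escaping helper is context-specific (HTML text and attributes), so output destined for a JavaScript string or a URL needs its own encoder.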


This seems a really useful resource for understanding security defects and for improving safe coding practices.




More Information

State of Software Security Vol 11: Flaw Frequency By Language


Related Articles

State of Software Security (2015)

Ever Increasing Need For Secure Programming


Last Updated ( Wednesday, 22 February 2023 )