Veracode Reveals Security Flaws
Written by Alex Armstrong   
Tuesday, 12 January 2021

Three-quarters of applications have some sort of security flaw, although high-severity flaws are found in only a quarter. PHP is the programming language with the highest prevalence of flaws, while Python and JavaScript are the least affected.

These findings come from Veracode which recently brought out the 11th Edition of its annual State of Software Security report.

Veracode has been tracking the prevalence of flaws in applications for ten years. The 2020 result was based on scans of over 130,000 applications. At least one flaw was found in 76% of them and 66% had critical flaws as defined on the OWASP Top 10, a list of the 10 most common application vulnerabilities, from the Open Web Application Security Project. 


Another measure of flaw severity used is the SANS Top 25, a list of the most dangerous software errors drawn from the Common Weakness Enumeration (CWE); 59% of applications had flaws that appear on it.

Only 24% of applications had "High Severity" flaws, defined by Veracode as Level 4 (High) - such as SQL Injection and Unrestricted Upload of File with Dangerous Type - or Level 5 (Very High), such as OS Command Injection, Eval Injection, Stack-based Buffer Overflow or Incorrect Calculation of Multi-Byte String Length.

The most common flaws found were Information Leakage (66%) which is defined as being at Level 2 - Low, then CRLF Injection (65%) and Cryptographic Issues (64%), both at Level 3 - Medium, followed by Code Quality (60%) mostly ranging from Level 0 to Level 3.

This year an analysis was done of type of vulnerability by language to produce the following heat map:


PHP stands out from this heat map as the language with the highest incidence of flaws, in particular Cross-Site Scripting and Cryptography issues, both Level 3 in terms of severity. C++ and Java have the next highest incidence with Error Handling being the weakness of the former and CRLF Injection that of the latter. Then, close on their heels, is .NET which suffers most from low severity Information Leakage but also, to a minor extent, from high severity SQL Injection. It is JavaScript and Python that stand out as being the cool languages in this heat map.

If you want to know more, not only about the vulnerabilities but also how to remediate them, the heat map is available as an interactive resource titled Beat The Heat, where you can click on any vulnerability to find out more about it. Here are the results for cross-site scripting, a flaw that is almost universal across languages.


This seems a really useful resource for understanding security defects and for improving safe coding practices.




More Information

State of Software Security Vol 11: Flaw Frequency By Language


Related Articles

State of Software Security (2015)

Ever Increasing Need For Secure Programming

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


Last Updated ( Wednesday, 22 February 2023 )