Experts at Veracode have published a report that took them a year and a half to compile. During that time they studied more than 200,000 different applications in an attempt to gauge the state of security in software development, and the result is some interesting statistics. Vulnerabilities in web applications are largely the fault of scripting languages.
After studying hundreds of thousands of programs written in PHP, Java, JavaScript, Ruby, .NET, C and C++, Microsoft Classic ASP and COBOL, as well as applications for Android and iOS, the researchers concluded that PHP, Classic ASP and ColdFusion can be considered the least secure languages. Java and .NET proved the most reliable.
The ranking, from worst to best, is as follows. In the report Veracode uses its own metric, flaw density per MB, that is, the number of flaws per megabyte of source code.
• Classic ASP: 1686 flaws/MB (1112 critical)
• ColdFusion: 262 flaws/MB (227 critical)
• PHP: 184 flaws/MB (47 critical)
• Java: 51 flaws/MB (5.2 critical)
• .NET: 32 flaws/MB (9.7 critical)
• C++: 26 flaws/MB (8.8 critical)
• iOS: 23 flaws/MB (0.9 critical)
• Android: 11 flaws/MB (0.4 critical)
• JavaScript: 8 flaws/MB (0.9 critical)
In practice, PHP can be considered the head of the list of the most vulnerable languages, because ColdFusion is a niche tool and Classic ASP is almost dead.
Looking at the PHP problem in more detail, it breaks down as follows:
• 86% of applications written in PHP contain at least one XSS vulnerability;
• 56% are subject to SQLi, one of the easiest web application vulnerabilities to exploit;
• 67% of applications allow directory traversal;
• 61% of applications allow code injection;
• 58% of applications have credential management problems;
• 73% of applications contain cryptographic errors;
• 50% of applications may leak information.
It is worth noting that SQLi and XSS are among the ten most dangerous web application vulnerabilities according to the Open Web Application Security Project (OWASP).