In this report, we put this area of application security understanding to the test by measuring how various web programming languages and development frameworks actually perform in the field. To which classes of attack are they most prone, how often, and for how long, and how do they fare against popular alternatives? Is it really true that the most popular modern languages and frameworks yield similar results in production websites?
By analyzing the vulnerability assessment results of more than 30,000 websites under management with WhiteHat Sentinel, we begin to answer these questions. These answers may enable the application security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas. Software vendors may focus on areas that are found to be lacking. Developers can increase their familiarity with the strengths and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and must be virtually transparent. Only then will application security progress be made.
2. Founded in 2001
• 125+ web security experts: world’s largest security experts
• 30,000s of assessments: currently running at this moment
• Security leader: Gartner Magic Quadrant
3. Jeremiah Grossman
Title: iCEO
Info: 15 years in Info Security
Fun fact: Brazilian Jiu-Jitsu Black Belt
4. What I’ll discuss today…
• Overall key findings
• Average vulnerabilities: security posture
• Median days open by vulnerability class
• Vulnerability class by language
• Industry analysis
• Recommendations/takeaways
– How to use this report based on job role
5. Déjà Vu
• Numerous report conclusions all point to the need for more secure software
– Verizon Data Breach Report
– FireHost “Superfecta” Attack Report
• Cyber insurance claims reaching as high as $20 million, with an average payout of just above $900,000
6. Big Questions
• Are some programming languages more secure than others?
• What are the prevalent threats per programming language?
• What are the prevalent threats per industry?
7. About the Data
• 30,000 websites in all different verticals
• Purely from WHS assessing w/ Sentinel
• Because we focused on programming language
11. Risk exposure
• Risk exposure does not vary widely between languages, as language choice does not affect number of vulnerabilities.
• We will take a look at risk exposure and remediation rates further into the discussion.
13. Vulnerabilities Found per Language
What does this mean?
[Chart: share of vulnerabilities found per language (.NET, Java, ASP, PHP, ColdFusion, Perl); x-axis 5% to 50%]
(*Larger consequently more vulnerable)
15. Median Days Open - XSS
• XSS vulnerabilities appear to take a comparable amount of effort to fix regardless of the language.
• Median days open by language
– Perl open for median 184 days
– ASP 135
– .Net 126
– PHP 49
16. Median Days Open - SQLi
• PHP stood out from the pack with the lowest median days open, 6.8
• Median days open by language
– ColdFusion open for median 107.4 days
– ASP 97.5
– Java 64.8
– .Net 51.4
– Perl 19.4
17. Rounding Out the Top 5
• ASP vulnerabilities remain open the longest at 139 days
• ColdFusion has the largest days open for SQLi at 107
• Languages with the most security controls are taking the longest to remediate. Why?
31. Risk Based Approach
• What is it?
• Why is it important?
• How do you measure risk?
32. How to Use This Report
• If you are a
– Developer
– Security Staff
– Security and/or Development Manager
33. Big Questions…Answered
• Are some programming languages more secure than others?
• What are the prevalent threats per programming language?
• What are the prevalent threats per industry?