New research has highlighted the primary weaknesses to look out for when writing code in .NET, C++, Java, JavaScript, PHP or Python.
Veracode, a static code analysis security firm, released numbers on the kinds of weaknesses most often seen in the 130,000 apps it scanned for security purposes. It scanned apps written in .NET, C++, Java, JavaScript, PHP or Python, and the numbers were compiled in its State of Software Security volume 11 report.
For JavaScript, the most used language in front-end development, Veracode discovered that 31.5% of apps have at least one cross-site scripting (XSS) flaw. It found that 74.6% of apps written in PHP have at least one XSS flaw, and that 71% of PHP apps have cryptographic problems.
Information leakage is the main challenge for applications written in .NET, found in 62.8% of .NET apps. For C++, the main issue is error handling, found in 66.5% of apps.
The main flaw found in Java apps is carriage return/line feed (CRLF) injection, found in 64.4% of them. Lastly, for Python apps, the main security challenge, found in 35% of them, is linked to cryptography.
There is a big difference in the severity of the flaws present in apps in each language. Veracode discovered that 59% of apps written in PHP have high-severity flaws, compared with 9.6% of apps written in JavaScript. For Java, the figure for high-severity flaws is 24%.
Veracode's Chief Research Officer, Chris Eng, explained why the weaknesses in apps written in different languages arise and how to make sure they don't become too costly to fix.
‘When we look at the overall numbers, as an industry, we haven’t eradicated any category of flaw over the past 10 years. Nothing has completely gone away. A lot of things are fluctuating but when you look at the averages, it tends to reflect more on the change in language choice and language popularity more than anything else’.
‘We see buffer overflows that are common in C++ are trending down, not so much because we’ve gotten better as developers at reducing those issues, but because C++ is becoming less prevalent’, Eng says.
The flaws affecting JavaScript and Python, however, are trending up because JavaScript in particular is currently very popular, Eng notes. Java and .NET remain the most popular across the enterprise.
PHP is one of the most used scripting languages for web application development, but Eng says the higher number of weaknesses in PHP code is a result of the language providing so many dangerous primitives: there are plenty of ways to do things wrong.
‘.NET was one of the first ones to make it a little harder to shoot yourself in the foot’, explains Eng.
‘You have safer defaults around the APIs and you see it’s a lot harder to make a cross-site scripting mistake or a SQL injection mistake in .NET than it is in PHP, where it will be by default, unless you happen to be using one of these more modern frameworks that might provide more protections for you, there’s just a lot of ways you can mess up’.
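To make the "dangerous primitive" versus "safer default" contrast concrete, here is an added example (not code from the article, Veracode or any framework it mentions). It puts raw output concatenation, the pattern behind the XSS numbers above, beside a tagged template that escapes every interpolated value unless the caller explicitly opts out, which is how modern frameworks get their safer defaults. It also shows the CRLF header-injection check the Java figures relate to: a header-setting helper that rejects carriage returns and line feeds instead of passing them through. All function names and sample inputs are constructed for this illustration.

```javascript
// Added example, not from the article. Names and inputs are constructed.

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Dangerous primitive: raw concatenation, the equivalent of `echo $name` in PHP.
// Whatever the user supplied lands in the page unchanged.
function renderRaw(name) {
  return '<p>Hello, ' + name + '</p>';
}

// Safer default: a tagged template that escapes every interpolated value.
// Only a value explicitly wrapped in trusted() bypasses escaping, so the
// unsafe path is the one that takes extra effort, not the default path.
class TrustedHtml { constructor(s) { this.s = s; } }
const trusted = (s) => new TrustedHtml(s);

function html(strings, ...values) {
  return strings.reduce((out, str, i) => {
    const v = values[i - 1];
    return out + (v instanceof TrustedHtml ? v.s : escapeHtml(v)) + str;
  });
}

function renderSafe(name) {
  return html`<p>Hello, ${name}</p>`;
}

// CRLF injection: a header value containing "\r\n" lets an attacker terminate
// the header and append another one. Validate before use and refuse the value.
function setHeaderChecked(headers, name, value) {
  if (/[\r\n]/.test(name) || /[\r\n]/.test(String(value))) {
    throw new Error('CRLF characters are not allowed in header fields');
  }
  headers[name] = String(value);
  return headers;
}

// Constructed sample inputs: a textbook XSS probe and a CRLF probe.
const XSS_PROBE = '<script>alert(1)</script>';
const CRLF_PROBE = 'en\r\nX-Injected: 1';

console.log('raw :', renderRaw(XSS_PROBE));   // markup survives intact
console.log('safe:', renderSafe(XSS_PROBE));  // markup is neutralised
try {
  setHeaderChecked({}, 'Content-Language', CRLF_PROBE);
} catch (e) {
  console.log('header rejected:', e.message);
}
```

The design point is where the burden sits: with `renderRaw` every call site must remember to escape, while with `html` a developer has to write `trusted(...)` to get unescaped output, which is easy to spot in review.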
Although Veracode discovered fewer flaws in the JavaScript apps it examined, the large npm ecosystem of open-source libraries for JavaScript and Node.js is a possible weak spot regardless of JavaScript’s safer defaults.
‘Even if you were to go and fix all the vulnerabilities you’ve coded yourself, you still have a pretty wide variety of third-party libraries’, says Eng.
‘Patching is really not as good as you would hope it would be. The trend is that developers download the latest version of the library at the time they need it and then they never update it again, unless something functionality-wise breaks.’
How can engineering and product teams keep the struggle and expense of patching key applications down? Eng advises teams to stay up to date and be conscious of how much tech and security debt has built up in an app over time. At some point the app will need fixing or patching, and that includes language updates and patches to key libraries.
‘If I’m on version 4.5 and version 4.6 comes out, I can apply that patch with very little chance of anything breaking functionality-wise. No open-source library is coming to make a major change to the library in a minor version. Now, if you’re on version 2 and then you have to upgrade to version 4.6, there’s gonna be a lot of pain’, Eng says.
The problem of updating libraries may be biggest for JavaScript because of the large npm ecosystem, but there are also vast ecosystems around Java with Maven and Python with PyPI.
Eng states that the average JavaScript application has about 400 dependencies. If you go up to the 90th percentile, they can have 1,000 or 2,000 dependencies.
Snyk, an application security firm, recently explained how many of the security bugs affecting JavaScript, Ruby, Java, PHP and Python are due to indirect dependencies of the principal components loaded into a project.
Some popular JavaScript libraries are used by roughly 80-90% of the JavaScript apps out there.
‘Any time there’s a vulnerability in one of these packages, you inherit that risk. And it’s not just security risk’, Eng says.
He also refers to the case of the left-pad JavaScript library which a developer removed from npm in 2016 after a dispute.
‘It disappears off GitHub and suddenly, two-thirds of the internet breaks because they were depending on this four-line library to determine whether a number was left-padded with zeros’.
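The two points made above, that most of an application's packages are indirect dependencies it never chose, and that the cost of an upgrade depends on how far behind a package is (4.5 to 4.6 versus 2.x to 4.6), can both be checked mechanically. The following is an added example, not code from the article, Veracode, Snyk or npm. It walks a constructed dependency tree shaped like the output of `npm ls`, separates direct from transitive packages, lists every path through which one small leaf package is pulled in (the left-pad situation), and rates each pending upgrade by its semver distance. Every package name, version and "latest" value is invented for the illustration.

```javascript
// Added example, not from the article. The tree, versions and names are constructed.

// Dependency tree: name -> { version, deps }. "app" is the project root; the
// small leaf package "tiny-pad" stands in for a widely shared utility library.
const TREE = {
  app:        { version: '1.0.0', deps: ['web-kit', 'date-fmt', 'log-fast'] },
  'web-kit':  { version: '2.3.1', deps: ['tiny-pad', 'qs-parse'] },
  'date-fmt': { version: '4.5.0', deps: ['tiny-pad'] },
  'log-fast': { version: '0.9.2', deps: ['qs-parse'] },
  'qs-parse': { version: '1.2.0', deps: ['tiny-pad'] },
  'tiny-pad': { version: '1.0.0', deps: [] },
};

// Latest published versions (constructed; stands in for what `npm outdated` reports).
const LATEST = {
  'web-kit': '4.6.0', 'date-fmt': '4.6.0', 'log-fast': '0.9.2',
  'qs-parse': '1.2.0', 'tiny-pad': '1.0.1',
};

// Split the tree into the packages the project chose (direct) and the ones it
// inherited through them (transitive). Cycles are tolerated via the seen set.
function classifyDeps(tree, root = 'app') {
  const direct = new Set(tree[root].deps);
  const seen = new Set([root]);
  const stack = [...direct];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    stack.push(...tree[name].deps);
  }
  seen.delete(root);
  const transitive = [...seen].filter((n) => !direct.has(n));
  return { direct: [...direct].sort(), transitive: transitive.sort(), total: seen.size };
}

// Every chain from the root to `target`. A vulnerable or withdrawn leaf package
// is usually reachable through several parents, which is why removing one
// direct dependency rarely removes the exposure.
function pathsTo(tree, target, root = 'app') {
  const paths = [];
  (function walk(name, trail) {
    if (name === target) { paths.push(trail.join(' > ')); return; }
    for (const dep of tree[name].deps) {
      if (!trail.includes(dep)) walk(dep, [...trail, dep]);
    }
  })(root, [root]);
  return paths;
}

// Rate an upgrade by semver distance: a major bump signals breaking changes,
// a minor bump new features that should not break, a patch bump fixes only.
function upgradeRisk(current, latest) {
  const [cMaj, cMin, cPat] = current.split('.').map(Number);
  const [lMaj, lMin, lPat] = latest.split('.').map(Number);
  if (lMaj > cMaj) return 'major';
  if (lMin > cMin) return 'minor';
  if (lPat > cPat) return 'patch';
  return 'current';
}

// One row per package: what it is, how far behind it is, and how risky the
// catch-up upgrade would be. Transitive rows are the ones nobody is watching.
function outdatedReport(tree, latest, root = 'app') {
  const { direct, transitive } = classifyDeps(tree, root);
  return [...direct, ...transitive].map((name) => ({
    name,
    kind: direct.includes(name) ? 'direct' : 'transitive',
    current: tree[name].version,
    latest: latest[name],
    risk: upgradeRisk(tree[name].version, latest[name]),
  }));
}

const summary = classifyDeps(TREE);
console.log(`direct: ${summary.direct.length}, transitive: ${summary.transitive.length}`);
console.log('paths to tiny-pad:', pathsTo(TREE, 'tiny-pad'));
console.table(outdatedReport(TREE, LATEST));
```

On the constructed tree, `tiny-pad` is reachable by four separate paths even though the project never listed it, and `web-kit` at 2.3.1 faces a major upgrade while `date-fmt` at 4.5.0 only needs a minor one, which is exactly the gap in effort Eng describes. A real audit would read the lockfile instead of the hard-coded tree and join the report against an advisory feed.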
By Marvellous Iwendi
Source: ZDNet