The web programming language you pick doesn't dictate your website's security: New data on website vulnerabilities shows that no one platform is more secure than another.
WhiteHat Security's 2014 Website Security Statistics Report, published today, finds that among the more than 30,000 websites surveyed, .NET accounts for over 28%, followed by Java (25%) and ASP (16%). "No languages were more secure than others," says Gabriel Gumbs, a director in WhiteHat Security's solutions architecture group and the lead researcher for the report. Bottom line: There was no major difference in the number of vulnerabilities found among websites built on the various languages.
.NET had an average of 11.36 vulnerabilities, followed by Java (11.32), ASP (10.98), Perl (7), and ColdFusion (6).
The report also shows that website security is not improving overall. While website operators are doing a better job at remediating flaws, their applications over time don't necessarily become more bug-free. "In the same breath, new applications are not showing any major improvements over the applications we see year over year. It's about the same, and that's moving backwards," says Gumbs. "The new stuff they are developing isn't necessarily more secure."
Gumbs says that could be the result of new functions or features that introduce complexity and, as usual, more opportunities for security flaws.
Chris Eng, vice president of research at Veracode, says WhiteHat's report basically jibes with his company's own data on software vulnerabilities. Its numbers were similar when it came to remediating flaws, for instance, he says. "In our data, we see that certain categories [of bugs] are getting fixed reasonably quickly," says Eng, whose company scans vendors' and other developers' software code for flaws via a cloud-based service.
WhiteHat's Gumbs, meanwhile, says the report's data on legacy applications was most telling. "Their remediation rates were on par with all new applications," he says, pointing to the older ASP platform, which WhiteHat data shows remains popular in the financial and insurance industries.
"A lot of applications you simply can't get rid of," he says.
The most prevalent vulnerability was cross-site scripting, which returned to the top spot after losing its top ranking to information leakage last year. The other four in this year's top five (in order) were information leakage, content spoofing, HTTP response splitting, and predictable resource location.
"People are not picking languages based on security implications. That's true and will continue to be true. It's where developers have skillsets and what can get the functionality done," Eng says. "Security is going to be fifth or sixth on the list."
The full WhiteHat report is available for download from WhiteHat Security.