informa
2 MIN READ
Quick Hits

Security Tradeoffs In Web App Development Platforms

Web programming languages each have their own security strengths and weaknesses -- website security tied more to the app itself, according to a new report
Don't blame insecure Web applications on the Web development platform: There's no one programming language more secure than another, according to a new report published today by WhiteHat Security.

WhiteHat looked at the number of vulnerabilities, their frequency, and how quickly they get fixed, among the main Web development platforms -- Microsoft .NET (ASPX), Struts (DO), PHP, Cold Fusion (CFM), Perl (PL), and Java (JSP). "As far as what it takes to make a secure Website, the platform doesn't really matter," says Jeremiah Grossman, founder and CTO of WhiteHat.

It's more about the developer and the organization's commitment to secure app development than it is the underlying development tool, he says. "Some organizations want to be secure and their developers follow suit, and others don't."

The data was gathered from more than 300 organizations that are WhiteHat clients, encompassing 1,659 websites, from Jan. 1, 2006, through March 25 of this year. Perl tallied the most vulnerabilities during that period, with 44.8 percent per website, followed by Cold Fusion, with 34 percent. Struts DO carried vulnerabilities in 20 percent of the sites, and Microsoft's .NET ASPX, 19 percent.

WhiteHat found that Perl, Cold Fusion, JSP, and PHP were most likely to contain at least one serious vulnerability -- 80 percent of the time, according to the report. Strut has the lowest number of existing vulnerabilities in a website, at 5.5 percent, followed by Microsoft's .NET at 6.2 percent.

Perl didn't fare as well as other tools overall: It has the largest number of vulnerabilities in websites to date, with 11.8 percent, and more than eight in 10 Perl-based websites harbor cross-site scripting (XSS) bugs versus half for .NET, which was the lowest rate. "Perl did not look very good" in the statistics, Grossman says. "But with Perl and PHP, when issues were found, they were fixed quickly. And the ones that had less vulnerabilities to begin with, .NET and Java, also had the longest fix times. That is a weird dichotomy."

Cold Fusion had the most SQL injection flaws -- nearly 40 percent of the websites had them -- and Struts and JSP had the lowest, with 14 percent and 15 percent, respectively, according to the report.

But many websites contain a mix of Web development platforms, anyway, Grossman says. "It's not pure .NET," for example, he says. WhiteHat plans to compare the difference in security between websites built on a single Web development language versus ones that use a mix, he says.

"My theory is that the sites with a singular technology are likely more secure, with less vulnerabilities, than ones with a mixed collection because those are tougher to manage," Grossman says. If there's just one platform to manage on a website, it's likely easier to secure, as well, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Editors' Choice
Haris Pylarinos, Founder and CEO, Hack The Box
Robert Lemos, Contributing Writer, Dark Reading