Leakage of information is the main challenge for applications written in .NET, found in 62.8% of .NET apps. For C++, the main issue there is error handling, found in 66.5% of the apps.
The main flaw found in Java apps is Carriage Return Line Feed (CRLF) injection, found in 64.4% of them. Lastly, for Python apps, the main security challenge, found in 35% of them, is linked to cryptography.
Veracode's Chief Research Officer, Chris Eng, explained why these weaknesses appear in apps written in different languages and how to make sure they don't become too costly to fix.
‘When we look at the overall numbers, as an industry, we haven’t eradicated any category of flaw over the past 10 years. Nothing has completely gone away. A lot of things are fluctuating but when you look at the averages, it tends to reflect more on the change in language choice and language popularity more than anything else’.
‘We see buffer overflows that are common in C++ are trending down, not so much because we’ve gotten better as developers at reducing those issues, but because C++ is becoming less prevalent’, Eng says.
PHP is one of the most widely used scripting languages for web application development, but Eng says the higher number of weaknesses in PHP code is a result of the language providing so many dangerous primitives: there are plenty of ways to do things wrong.
‘.NET was one of the first ones to make it a little harder to shoot yourself in the foot’, explains Eng.
‘You have safer defaults around the APIs and you see it’s a lot harder to make a cross-site scripting mistake or a SQL injection mistake in .NET than it is in PHP, where it will be default, unless you happen to be using one of these more modern frameworks that might provide more protections for you, there’s just a lot of ways you can mess up’.
‘Even if you were to go and fix all the vulnerabilities you’ve coded yourself, you still have a pretty wide variety of third-party libraries’, says Eng.
‘Patching is really not as good as you would hope it would be. The trend is that developers download the latest version of the library at the time they need it and then they never update it again, unless something functionality-wise breaks.’
How can engineering and product teams keep the struggle and expense of patching key applications down? Eng advises staying up to date and being conscious of how much technical and security debt has built up in an app over time. At some point the app will need fixing or patching, and that includes language updates and patches to key libraries.
‘If I’m on version 4.5 and version 4.6 comes out, I can apply that patch with very little chance of anything breaking functionality-wise. No open-source library is coming to make a major change to the library in a minor version. Now, if you’re on version 2 and then you have to upgrade to version 4.6, there’s gonna be a lot of pain’, Eng says.
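Eng's point about minor versus major upgrades is the kind of check a team can automate to see how much dependency debt it has accumulated. The following is an added example, not code from the article or from Veracode: it takes a constructed, hypothetical manifest of pinned versions alongside the latest published versions, classifies each upgrade as patch, minor or major by semantic-versioning rules, and rates the upgrade risk so that a two-major-version jump like the "version 2 to 4.6" case stands out. The package names and versions are made up for illustration.

```python
import re

# Constructed sample manifest (hypothetical packages, not from the article):
# package name -> (version pinned in the app, latest version published).
SAMPLE_DEPENDENCIES = {
    "string-padder": ("1.1.3", "1.3.0"),   # minor drift
    "web-framework": ("2.0.1", "4.6.0"),   # two major versions behind
    "json-parser": ("4.5.0", "4.6.0"),     # the "4.5 to 4.6" case
    "template-engine": ("3.4.0", "4.0.0"), # one major version behind
    "crypto-lib": ("3.2.0", "3.2.4"),      # patch drift only
    "unchanged": ("1.0.0", "1.0.0"),       # already current
}

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse(version):
    """Parse a MAJOR.MINOR.PATCH string into a comparable tuple of ints."""
    m = SEMVER.match(version)
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {version!r}")
    return tuple(int(part) for part in m.groups())


def upgrade_kind(pinned, latest):
    """Classify the distance from the pinned version to the latest one."""
    p, l = parse(pinned), parse(latest)
    if l < p:
        return "ahead"    # pinned newer than the registry: manifest or feed error
    if l == p:
        return "current"
    if l[0] > p[0]:
        return "major"    # breaking changes are allowed here under semver
    if l[1] > p[1]:
        return "minor"    # new features, backward compatible by convention
    return "patch"        # bug and security fixes only


def major_gap(pinned, latest):
    """How many major versions the app would have to cross to catch up."""
    return max(0, parse(latest)[0] - parse(pinned)[0])


def assess(deps):
    """Rate every dependency; a larger major gap means a more painful upgrade."""
    report = {}
    for name, (pinned, latest) in deps.items():
        kind = upgrade_kind(pinned, latest)
        gap = major_gap(pinned, latest)
        if kind == "major":
            risk = "high" if gap >= 2 else "medium"
        elif kind in ("minor", "patch"):
            risk = "low"      # minor/patch upgrades rarely break functionality
        elif kind == "ahead":
            risk = "review"   # something is wrong with the data, not the app
        else:
            risk = "none"
        report[name] = {
            "pinned": pinned,
            "latest": latest,
            "upgrade": kind,
            "major_gap": gap,
            "risk": risk,
        }
    return report


def debt_summary(report):
    """Count dependencies per risk level for a quick debt overview."""
    counts = {}
    for entry in report.values():
        counts[entry["risk"]] = counts.get(entry["risk"], 0) + 1
    return counts


if __name__ == "__main__":
    result = assess(SAMPLE_DEPENDENCIES)
    for name, entry in result.items():
        print(f"{name:16} {entry['pinned']:>6} -> {entry['latest']:<6} "
              f"{entry['upgrade']:8} risk={entry['risk']}")
    print(debt_summary(result))
```

Running it over the constructed manifest flags `web-framework` as high risk (two major versions behind), `template-engine` as medium, and everything else as low or none. Real manifests carry pre-release tags, ranges and build metadata that this strict three-part parser deliberately rejects rather than misclassifies.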
‘Any time there’s a vulnerability in one of these packages, you inherit that risk. And it’s not just security risk’, Eng says.
‘It disappears off GitHub and suddenly, two-thirds of the internet breaks because they were depending on this four-line library to determine whether a number was left-padded with zeros’.
By Marvellous Iwendi