According to a new report by application security company Veracode, from Massachusetts, applications coded in Java suffer from far fewer vulnerabilities than applications designed in other web scripting languages.
The research paper shows that applications designed in PHP are by far the most likely to suffer from common exploits, with a stonking 86 percent of the apps found to be susceptible to SQLi – the commonplace and easily exploitable web app vulnerability.
Though apps designed in PHP are considered to be the biggest failure – with over a half of those apps also found to suffer from common cross-site scripting holes (another of the most recurring issues determined by the team). In fact, the report demonstrates that mobile apps designed in any of the three scripting languages – PHP, ColdFusion or Classic ASP – are much more likely to suffer from vulnerabilities than those coded using other platforms.
Alarmingly, the research undertaken by Veracode reveals that software designers have completely fumbled the encryption in seven out of eight apps for Android and over three-quarters of apps for iOS. Most of the apps falling prey to one of four standard encryption issues, Veracode found – hardly the result we would have hoped for.
Web apps designed in Microsoft’s legacy Active Service Pages (Classic ASP) also fared poorly, with SQL injection vulnerabilities found in 64 percent of applications. Apps designed in Microsoft’s .NET did much more respectfully, with only 29% found to suffer from SQLi.
Although it did come close (and by far outperformed the majority of other programming languages), Microsoft’s .NET was still beaten by Oracle’s Java – which was found to suffer from the SQLi vulnerability only 21% of the time – a clear winner.
For those that aren’t aware, SQL injection vulnerabilities are no laughing matter. The common problem is believed to have been the culprit behind TalkTalk’s well-publicised hack – in which the British firm lost huge amounts of sensitive customer details – costing the company at least £35 million.
Chris Wysopal, co-founder, and CTO of Veracode says he hopes the report will help software designers to select what programming language they decide to make future aps in,
‘When organisations are starting new development projects and selecting languages and methodologies, the security team has an opportunity to anticipate the types of vulnerabilities that are likely to arise and how best to assess for them. The data in this report can inform decisions around language selection, developer training and which assessment techniques to use in order to make the inevitable remediation process less onerous. This information can make it easier for security to work with development to increase the maturity of security in the software development lifecycle and produce less risky applications.’
Frustratingly, the research conducted by the Veracode team found that 60 percent of apps did not keep data safe due to insufficient entropy – a flaw which Wysopal explains could have been fixed with just one line of code. For the most part, this demonstrates an overwhelming lack of understanding from app designers on how security works – a problem that could be solved with very little education he says,
‘These things are easy to fix, but they are so pervasive it goes to show that the mobile developers are really ignorant about how to write good crypto code.’
Some other common problems discovered by Veracode were: improperly validated certificates, a failure to delete data in text storage, and incorrect or poorly implemented cryptographic algorithms – all which resulted in exploits.
‘One of the theories we have is, if you are spending on training, you are likely taking application security more seriously. It is either one or the other, or it could be both. Your developers may be more educated or the company as a whole focuses its efforts on risk reduction and not just check-box compliance,’ said Wysopal, who has also pointed out the problematic difference between more established app developers and startups,
‘For every company that is tackling application security there are a bunch of new startups that are not.’