Published on January 18th, 2016


Programming Languages That Generate the Most Software Security Bugs
You may be a top-notch developer or programmer, but do you know which programming languages generate the most software security bugs?

A number of recent reports have drawn attention to vulnerabilities in Drupal and WordPress. Many hacks have been attributed to attackers exploiting WordPress flaws, and similar claims have been made about Drupal. Veracode's latest report, however, points at the common factor behind these platforms: the language they are written in, PHP.


Over the last 18 months, Veracode has studied more than 50,000 applications written in popular languages and platforms, including PHP, Classic ASP, .NET, C and C++, Java, JavaScript, iOS, Android, Ruby, ColdFusion, and COBOL. The report built on that analysis carries troubling findings for some of them. For instance, 86% of the applications written in PHP contained at least one cross-site scripting (XSS) vulnerability.


Moreover, 56% of the PHP applications contained at least one SQL injection flaw. The SQL injection figures are worse still for Classic ASP and ColdFusion users: 64% of the applications written in those two languages had at least one. The report's OWASP Top 10 results tell the same story, with ColdFusion, PHP, and Classic ASP, in that order, coming out as the worst languages for software security.

[Image: chart of vulnerability prevalence by language from the Veracode report. Image Source: Veracode]

Veracode’s founder and CTO Chris Wysopal went on to say that the reason SQL injection attacks keep happening is the use of scripting languages like PHP. Such languages are difficult to program securely. According to him, scripting languages are the root cause of so many of the XSS, buffer overflow and SQL injection attacks taking place these days, and the data in Veracode’s report (PDF), based on its cloud-based analysis of real applications, simply corroborates his belief.


The main reasons cited for the vulnerabilities in these languages are the way they are used and the way PHP, Classic ASP and ColdFusion are designed. They lack the built-in functions and security APIs that ship with languages like .NET and Java (parameterized query interfaces and output-encoding libraries that developers reach for by default), which is why applications written in these scripting languages turn out to be more susceptible to XSS and SQL injection.


SQL injection happens when untrusted input is concatenated into a query string instead of being bound as a parameter. PHP has long made that the path of least resistance: the legacy mysql_* extension (deprecated in PHP 5.5 and removed in PHP 7.0) offered no prepared statements at all, and although PDO and mysqli do support parameter binding, nothing in the language forces developers to use them, so string-built queries remain the common idiom.
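To make the two points above concrete, here is an added example in PHP. It is not code from the article or from Veracode; the table, rows and attacker inputs are constructed for illustration, and it uses an in-memory SQLite database through PDO so it runs offline with no server. It shows the string-concatenated query that the old mysql_* API encouraged next to the same lookup with a bound parameter, and the same contrast for XSS with and without output encoding.

```php
<?php
// Added example (not from the article or the Veracode report): the insecure
// idiom the article blames next to the secure idiom PHP already provides.
// Database, rows and inputs below are constructed for illustration.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable: the pattern the legacy mysql_* API encouraged. The user-supplied
// value is spliced straight into the SQL text, so it can change the query.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: parameter binding via a prepared statement. The SQL text is fixed
// and the value travels separately, so it is only ever compared as data.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the string literal and adds a tautology,
// turning the WHERE clause into  name = 'x' OR '1'='1'.
$payload = "x' OR '1'='1";

$leaked = findUserUnsafe($db, $payload);  // returns both rows
$bound  = findUserSafe($db, $payload);    // returns no rows: no user is literally named that

printf("unsafe query returned %d rows, bound query returned %d rows\n",
       count($leaked), count($bound));

// Same idea for XSS. htmlspecialchars() has shipped with PHP for years; the
// problem is that a bare echo is shorter and nothing forces the encoding step.
function renderUnsafe(string $comment): string
{
    return '<p>' . $comment . '</p>';
}

function renderSafe(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed attacker input for a comment field.
$xss = '<script>alert(document.cookie)</script>';
echo renderUnsafe($xss), "\n";  // script element reaches the browser intact
echo renderSafe($xss), "\n";    // &lt;script&gt;... is rendered as visible text
```

The unsafe lookup hands back every user, including the admin row, because the payload rewrote the query; the bound version compares the entire payload against the name column and finds nothing. The fix is the same API call a Java or .NET developer would make by default; the difference the report measures is how often PHP developers actually make it.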

Languages like PHP, ColdFusion and Classic ASP are also the ones most often picked up by web developers who are new to coding and whose main concern is how the site looks, and the languages themselves do not offer the security features that .NET and Java bring along. Often it is not even the developer’s fault: he or she has to work with whatever platform the employer provides.


Veracode’s report, as mentioned earlier, also covered Android and iOS apps, and the two platforms differ little in their security posture: 87% of Android apps and 81% of iOS apps were found to contain security flaws. The main reasons for the flaws on these platforms are improper validation of SSL/TLS certificates and the use of outdated cryptographic algorithms. Both practices leave the app open to attack regardless of how well the rest of it is written.


The three languages that generate the most software security bugs are therefore ColdFusion, PHP, and Classic ASP. They fared worst in both the Veracode analysis and the OWASP Top 10 results, ahead of every other language studied.


With more than 70% of content management done on systems like Drupal, Joomla, and WordPress, all of them PHP-based, the report should be an eye-opener for companies relying on these content management systems and scripting languages.
