The question is indeed a contentious one, never failing to incite heated arguments from all camps. Many ways exist to cut the cake in this regard—WhiteHat Security took a stab at it in a recent edition of its Website Security Statistics Report, where it analyzed statistics around web programming languages and their comparative strengths in security.

The security firm gave vulnerability assessments of 30,000 websites under its management with the goal of measuring the security performance of their underlying programming languages and frameworks. The following are some key highlights of its findings.

First, a disclaimer: as with any independent study, one must take the scope of the research into consideration before making any judgements regarding a language’s security (or lack thereof). In terms of the WhiteHat Security report, the 30,000 websites used in the study belong to WhiteHat customers and seem to represent the old pantheon of web programming languages: ASP/.NET, Perl, PHP, Java, and ColdFusion. 

These early pioneering languages and frameworks have no doubt been instrumental in making web application development what it is today; that said, newer languages and frameworks like Ruby/Ruby-on-Rails, Python (Django/Flask), and Go have since become popular web programming options.

The following infographic from Codeeval gives an up-to-date representation of the current state of coding languages in 2015. For many, this may feel like a more accurate representation of the programming language landscape. 

Differences in categorization may account for some of the discrepancies between public perception and WhiteHat Security’s study. The above represents coding languages, whereas WhiteHat Security’s report covers web programming languages.  Whether these two are interchangeable is beyond the scope of this discussion, but in WhiteHat Security’s study—favorites like Python, Ruby, and Go were noticeably absent. 

Most Widely Used Languages

In WhiteHat Security’s study, the most popular languages were ASP, ColdFusion, .NET, Java, Perl, PHP, and .NET (a distinction was made between classical ASP and newer .NET technologies). The top three most popular web programming languages are as follows:

  1. .NET (28.1%)
  2. Java (24.9%)
  3. ASP (15.9%)

The percentage of vulnerabilities attributed to each language is also in line with the above rankings. .NET accounted for 31% of vulnerabilities observed, while Java and ASP accounted for 28% and 15%, respectively.

Language adoption also varies widely by industry—for instance, the financial sector is heavy on ASP, while the gaming industry is dominated by PHP. Banking relies heavily on both Java and .NET, while government seems to avoid ColdFusion and Perl when building web applications.  

Languages With Most Vulnerabilities

Based on the report’s findings, .NET takes the prize for the language with the most vulnerabilities, followed by Java and ASP:

  1. NET (31%)
  2. Java (28%)
  3. ASP (15%)
  4. PHP (2%)

WhiteHat Security takes a diplomatic approach to explaining these numbers, noting that many factors may come into play: preponderance of applications written in .NET and Java, complexity/size of websites and applications written in these languages, among others. More importantly, there is no evidence to suggest that .NET or Java is any less secure than the other languages.

Common Vulnerabilities

In terms of vulnerabilities, cross-site scripting (XSS) was the most common across ASP, ColdFusion, Java, Perl, and PHP. XSS attack methods involve injecting client-side scripts—usually written in JavaScript—into web pages viewed by users in order to bypass access controls. For .NET applications, information leakage—or the accidental revealing of sensitive data (e.g, comments, debugging information, error messages)—was the most prominent vulnerability. ColdFusion took the prize for highest incidents of SQL injection vulnerabilities at 11%; indeed, a cursory Google search on “coldfusion sql injection” yields a plethora of results. SQL injection involves the malicious insertion of SQL statements into a database-driven web application to manipulate and/or alter the underlying datastore.

As you may have already suspected, there is no easy way to answer the question of which language is the most secure. An unpopular option might be considered more secure because not many are skilled in using (and abusing) it. On the other hand, an arcane language might make it difficult for developers to build hardened applications based on tried-and-true methods. On an organizational and team level, existing proficiency in a language usually means more secure programming methods are being used. That said, in the case of .NET and Java for instance, popularity and widespread adoption are their Achilles’ Heels.

Rather than praise/disparage each language’s security merits and shortcomings, the study offers some valuable metrics in terms of vulnerabilities per language, detailing what type of attacks are most common to each. While this may not help in determining which language is overall more secure, it can surely give firms ample direction in terms of what security measures need to be taken with their chosen software stack. And though no conclusive answers exist in regards to which language is most secure, the findings nonetheless illustrate the general vulnerability and weak security posture of most web applications. By understanding what they are working with, developers can bake security directly into their development frameworks and include software testing and security risk assessment in all phases of development. To this end, UpGuard offers comprehensive vulnerability assessment and monitoring for web applications, servers, routers, and more.

Ready to see
UpGuard in action?