According to an analysis of over 200,000 applications, PHP is the programming language with the most vulnerabilities, mobile apps suffer from cryptography problems, and developers are more likely to fix errors found with static instead of dynamic analysis.
The report, by Boston-based security firm Veracode, was released this morning and is based on Veracode's assessment of more than a trillion lines of code for customers at large and small companies, commercial software suppliers, and open source projects.
Scripting languages lead in vulnerabilities
Overall, scripting languages like PHP had a much higher incidence of vulnerabilities than Java or .NET, said Chris Wysopal, Veracode's CTO and CISO.
"If you have a choice, don't pick a language like PHP," he said. "Unfortunately, developers aren't picking languages based on how secure they are."
In particular, PHP is commonly used for Web applications written to work with content management systems like WordPress, Joomla and Drupal. These three platforms account for more than 30 percent of all websites, according to W3Techs.
"If I was running a development team and I was stuck with PHP -- the decision was made at some point, and we had to use it -- it would be more important for my developers to get security training and look for vulnerabilities in testing," Wysopal said.
For example, scripting languages have a lower pass rate when it comes to the OWASP Top 10 list for web application vulnerabilities. ColdFusion applications, on average, had just a 17 percent pass rate, putting them at the bottom of the list. PHP came in at 19 percent, and Classic ASP at 21 percent.
By comparison, 27 percent of .NET applications passed OWASP, as did 24 percent of Java applications.
Cross-site scripting was the most common vulnerability in each of the three scripting languages: 86 percent of PHP applications were affected, 87 percent of ColdFusion applications, and 83 percent of Classic ASP applications.
SQL injection was also common, found in 62 percent of ColdFusion applications, 56 percent of PHP applications, and 64 percent of Classic ASP applications.
According to Veracode, Classic ASP, PHP and ColdFusion ship with fewer built-in security APIs than .NET and Java. That means, for example, that it is harder to write code that is safe from SQL injection, because the safe path is not the obvious default.
"I don't think people realize what a difference the choice of language makes," said Wysopal.
When it comes to mobile development, the single biggest security issue was weak or ineffective cryptography, the Veracode report said.
Specifically, 87 percent of Android applications and 80 percent of iOS applications had cryptographic issues.