A survey of millions of applications submitted for analysis showed that nearly 75 percent have security flaws, that applications become less secure as they age, and that of the top three programming languages used in business, JavaScript applications tend to have fewer issues and faster remediation than those written in Java or .NET.
The State of application security report from application security company Veracode is based on analysis scans of code submitted for testing. There are three main types of scan: dynamic analysis, which looks at runtime behavior; static analysis, which inspects the code; and composition analysis, which checks third-party libraries against a database of known flaws.
The three types of analysis reveal different flaws. The top issues found by static analysis are CRLF injection (when an unexpected line terminator is not removed from input), cryptographic issues, and information leakage. The top issues in dynamic analysis are server misconfiguration, insecure dependencies, and again information leakage. Composition analysis puts information leakage top, followed by insufficient input validation, and encapsulation, which is where applications “fail to separate or differentiate critical data or functionality within components.”
SQL injection remains a common problem, with over 22 percent of statically analysed applications vulnerable and 32 percent of those examined by composition analysis, as does cross-site scripting, found in 38.5 percent of applications in static analysis and 44.7 percent in composition analysis.
In most general language surveys JavaScript comes top for popularity, but that is not the case here. According to the researchers this is because the sample is weighted towards business applications. 44.2 percent of applications in the survey use Java, 26.4 percent .NET, 14.3 percent JavaScript, and others such as Python, C++ and PHP amount to 15.1 percent combined.
Another by-the-way nugget of information is that “over 90 percent of Java applications are third-party code.” Much of modern application development is about assembling and controlling components and libraries, rather than writing fresh code.
JavaScript’s lead over the other two languages focused on here is substantial. According to one chart, 82.2 percent of .NET applications suffer from flaws, compared to 77.7 percent of Java and 55.8 percent of JavaScript applications. Further, if the flaws are narrowed to just those which are high severity, only 9.5 percent of JavaScript applications are vulnerable, compared to 19.9 percent of Java and 21.9 percent of .NET applications. JavaScript flaws are also fixed more quickly, with half of their flaws fixed in 116 days on average, versus 158 days for .NET and 243 days for Java.
Applications evolve over time and, according to this survey, “the average application grows about 40 percent per year, regardless of its original size,” though growth slows down after 5 years or so. Unfortunately this also means new flaws may be introduced. According to the survey, typically fewer flaws are introduced in the first 18 months of an application’s life, but after that the rate creeps up. “The percentage of applications with flaws climbs as applications age,” say the researchers, stating that fewer than half of apps less than one year old have flaws, but by the time they are four or five years old, two-thirds have flaws, and at 10 years old, 90 percent of them do.
Exactly why these trends exist is open to speculation. Perhaps newer applications are more likely to be staffed by a company’s top software engineers, for example. Recommendations in the report – which comes from a company selling application security tools – include greater automation and developer training, and clarity over who is responsible for each application.