a lot of reports have been coming up, drawing attention to the vulnerabilities in Drupal and WordPress. Many hacks have been attributed to attackers exploiting vulnerabilities in WordPress, and similar claims have been made against Drupal. However, it has now been found that the main perpetrator is, and has been all along, the language behind these systems, which is PHP.
WORST LANGUAGES
Over the last 18 months, Veracode has studied more than 50,000 applications in popular languages like PHP, Classic ASP, .NET, C and C++, Java, JavaScript, iOS, Android, Ruby, ColdFusion, and COBOL. The report generated from this analysis reveals troubling findings regarding some languages. For instance, 86% of applications written in PHP showed at least one XSS vulnerability.
Moreover, 56% of those showed at least one SQL injection bug. The SQL injection results are even more worrying for Classic ASP and ColdFusion users: 64% of the applications written in these two languages also revealed at least one SQL injection bug. Similar findings from OWASP test results show that ColdFusion, PHP, and Classic ASP, in that order, are the worst languages when it comes to software security.
Veracode’s founder and CTO Chris Wysopal went on to say that the reason SQL injection attacks keep happening is the use of scripting languages like PHP. Such languages are difficult to program securely. According to him, scripting languages are the root cause of many of the XSS, buffer overflow and SQL injection attacks taking place these days, and the data in Veracode’s report (PDF), based on cloud-based data analysis and application studies, simply corroborates his belief.
REASONS FOR PROBLEMS
The main reasons cited for the vulnerabilities highlighted in these languages are the way they are used and the way languages like PHP, Classic ASP and ColdFusion are designed. These languages lack the built-in functions and security APIs that come with better languages like .NET and Java, which is why these scripting languages are more susceptible to XSS, buffer overflow and SQL injection attacks.
SQL injection attacks occur when parameter binding is not done in SQL queries, and PHP does not help at all with parameter binding, thus making it vulnerable to SQL injection attacks.
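To make the parameter-binding point concrete, and to cover the XSS finding from the same report, here is an added example that is not from the article or from Veracode's report. It runs the same user lookup twice in PHP, once with the value concatenated into the SQL text and once with it bound as a parameter, against an in-memory SQLite database (the table, rows and test inputs are constructed for the example), and finishes with output encoding for the HTML case.

```php
<?php
// Added example (not from the article or the Veracode report): the same lookup
// written with string concatenation and with a bound parameter, run against an
// in-memory SQLite database so no server is needed. Table and rows are constructed.
declare(strict_types=1);

function buildDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");
    return $pdo;
}

// Vulnerable: the untrusted value becomes part of the SQL text, so quote
// characters in it change the structure of the query.
function findUserConcat(PDO $pdo, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value travels separately from the SQL text as a bound
// parameter, so it is only ever compared as data, never parsed as SQL.
function findUserBound(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The XSS counterpart: encode on output, for the HTML context the value lands in.
function renderName(string $name): string {
    return '<li>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

$pdo = buildDb();
$hostile = "' OR '1'='1";   // constructed test input that closes the quoted literal
var_dump(findUserConcat($pdo, $hostile)); // all three rows: the WHERE clause was rewritten
var_dump(findUserBound($pdo, $hostile));  // empty array: no user has that literal name
var_dump(findUserBound($pdo, 'alice'));   // ["alice"]
echo renderName('<script>alert(1)</script>'), PHP_EOL; // angle brackets become entities
```

The bound version is what PDO (and mysqli) have offered since PHP 5; the defect the report counts is code that skips it, so a code review or static check for string-built queries is the practical follow-up to these numbers.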
Since languages like PHP, ColdFusion and Classic ASP are primarily used by web developers who have recently ventured into coding and are mainly concerned with making their websites look better designed, they do not have the security features offered by languages like .NET and Java. Many times, it is not even the developer’s fault, for he or she has to work with whatever platform his or her employer provides.
MOBILE LANGUAGES
Veracode’s report, as mentioned earlier, also provided results on Android and iOS apps. When you compare the two, there is not a whole lot of difference in their security. 87% of Android apps were found to have security bugs, while 81% of iOS apps fared similarly. The main reasons for so many bugs being found on these platforms are that proper checking of SSL certificates is not performed and outdated cryptography algorithms are used. Such practices result in security bugs.
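The two failure modes named for the mobile apps, skipped certificate checking and outdated algorithms, are not specific to mobile code. The following added example (not from the article or the Veracode report) shows each one beside its corrected form in PHP, the language this page is mostly about, using the cURL and OpenSSL bindings; the URL, CA bundle path and key are constructed placeholders.

```php
<?php
// Added example (not from the article or the Veracode report): the weak and the
// corrected form of certificate checking and of algorithm choice, in PHP.
// The URL, CA bundle path and key below are constructed placeholders.
declare(strict_types=1);

// Weak: turning verification off accepts any certificate, so an on-path
// attacker can present their own. This is the "SSL checking not performed" case.
function tlsClientWeak(string $url) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    return $ch;
}

// Corrected: verify the chain against a trusted CA bundle and require the
// certificate name to match the host. These are cURL's defaults; the fix is
// never to switch them off to silence a certificate error.
function tlsClientStrict(string $url, string $caBundlePath) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_CAINFO, $caBundlePath); // e.g. the OS CA bundle
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Outdated algorithm for password storage: a fast, unsalted digest.
function storePasswordWeak(string $password): string {
    return md5($password);
}

// Corrected: a slow, salted password hash that can be upgraded later
// with password_needs_rehash().
function storePasswordStrong(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// Corrected encryption: AES-256-GCM authenticates the ciphertext, so any
// modification is detected on decrypt (unlike legacy unauthenticated modes).
function encryptGcm(string $plaintext, string $key): array {
    $iv  = random_bytes(openssl_cipher_iv_length('aes-256-gcm')); // 12 bytes
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return ['iv' => $iv, 'ct' => $ct, 'tag' => $tag];
}

function decryptGcm(array $box, string $key) {
    return openssl_decrypt($box['ct'], 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $box['iv'], $box['tag']);
}

$strict = tlsClientStrict('https://example.invalid/api', '/etc/ssl/certs/ca-certificates.crt');
$key = random_bytes(32);                          // constructed per-run key
$box = encryptGcm('hello', $key);
var_dump(decryptGcm($box, $key));                 // string(5) "hello"
$box['ct'][0] = chr(ord($box['ct'][0]) ^ 1);      // flip one ciphertext bit
var_dump(decryptGcm($box, $key));                 // bool(false): tag check fails
var_dump(checkPassword('s3cret', storePasswordStrong('s3cret'))); // bool(true)
```

The detection side follows directly: grepping an application for `CURLOPT_SSL_VERIFYPEER` set to `false`, for `md5(`/`sha1(` applied to passwords, or for cipher names without an authenticated mode finds exactly the two classes of defect the report describes.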
CONCLUSION
The three worst languages, generating the most software security bugs, are ColdFusion, PHP, and Classic ASP. These languages fared worst in both Veracode’s analysis and the OWASP tests, revealing that they have the most security bugs of all the languages studied.
With more than 70% of content management done using systems like Drupal, Joomla, and WordPress, all of which are PHP-based, the report should open the eyes of companies using such content management systems and scripting languages.