More than three-quarters of applications written in Java and .NET contain at least one vulnerability from the OWASP Top 10, the list of software vulnerability classes that developers typically use as a baseline for application security.
This is according to software testing firm Veracode, which analyzed about 760,000 applications and found that about one-fifth of the applications built on these two programming ecosystems had at least one high-severity or critical vulnerability.
Overall, the average application has a 27% chance of introducing at least one new vulnerability each month, and poorly written apps and infrequently scanned apps are more likely to be flawed. The data also shows that applications with a long history of security processes, written by well-trained developers, are less likely to introduce new flaws.
The analysis highlights the importance of integrating security into the development pipeline, said Tim Jarrett, vice president of strategic product management at Veracode.
“The data consistently show that building security habits into the process yields better results in terms of fixing overall flaws … and slowing the flood of incoming stuff. It’s different,” he says.
Meanwhile, software companies and development teams continue to struggle to keep flaws and vulnerabilities out of their application code. Developers and open source projects are fixing software flaws more quickly, but Veracode’s “State of Software Security” report, published Jan. 11, found that the average vulnerability half-life continues to be measured in months rather than days or weeks.
For example, in Java and .NET applications, which together accounted for 71% of all applications analyzed in the study, half of the defects were still present in the application after 243 and 158 days, respectively.

Both application bloat and age have a significant negative impact on security. The average application accumulates approximately 40% more code over time and becomes more likely to have vulnerabilities: the analysis found that approximately 54% of two-year-old applications have flaws, rising to 69% of five-year-old applications.
The surprising security of JavaScript
Surprisingly, applications written in JavaScript or built on one of the JavaScript frameworks tended to do well in vulnerability scans. About 80% of Java and .NET applications were vulnerable, compared with only 56% of JavaScript applications. Likewise, about 20% of Java and .NET applications had critical vulnerabilities, compared to less than 10% of JavaScript applications.
JavaScript frameworks are newer, have better security built in, and benefit from an open source ecosystem of which Java is only a relatively recent beneficiary, Jarrett said.
“Since JavaScript is a newer language, applications written in JavaScript [are newer], and there is a correlation established in previous reports between application age and defect remediation time,” he says. “[Java is] a mature and well-supported language.”
Furthermore, whereas vulnerabilities in Java applications are usually first-party issues, which the application’s own developers have to fix, vulnerabilities in JavaScript and Node.js frameworks are often third-party issues, because the flaw originated in a component the software depends on.
“How to fix security problems in Java applications is still largely [a case where you] make changes to class files and compile,” he says. “[JavaScript’s] are details of package management issues. That’s another thing developers should learn, and it might be easier that way.”
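The third-party case Jarrett describes turns remediation into a dependency-tree question: which component pulled the flawed package in, and is it a direct dependency the team can bump itself or one nested under something else? The script below is an added illustration, not code from the article or from Veracode. It walks an npm lockfile (lockfileVersion 3, where the `packages` map keys are `node_modules/...` paths and `""` is the application itself) and reports every chain from the application root to an affected version of a named package. The lockfile, package names, versions and the “affected” range are all constructed for the example, not real advisories.

```javascript
// Added example, not from the article or from Veracode: locate a flagged third-party
// package in an npm lockfile and report the dependency chain(s) that pull it in, so a
// team can tell whether the fix is a direct package bump or an upstream component update.
// The lockfile below is constructed for this example; names, versions and the
// "affected" range are made up, not real advisories.
const LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    // "" is the application itself (npm lockfile v3 convention)
    "": { dependencies: { "web-framework": "^2.0.0", "log-helper": "^1.4.0" } },
    "node_modules/web-framework": { version: "2.3.1", dependencies: { "tiny-parser": "^0.9.0" } },
    "node_modules/tiny-parser": { version: "0.9.4" },
    "node_modules/log-helper": { version: "1.4.2", dependencies: { "tiny-parser": "^1.0.0" } },
    // nested copy: log-helper needs a different major version of tiny-parser
    "node_modules/log-helper/node_modules/tiny-parser": { version: "1.0.2" },
  },
};

// Compare "x.y.z" version strings numerically (pre-release tags are out of scope here).
function lessThan(a, b) {
  const x = a.split(".").map(Number);
  const y = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Resolve a dependency name the way Node does: look for a nested node_modules
// under the requiring package first, then walk up towards the root.
function resolveDep(packages, parentKey, depName) {
  let base = parentKey;
  for (;;) {
    const candidate = base === "" ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Walk the dependency graph from the application root and collect every chain that
// ends in an affected version of pkgName. `direct` is true when the app itself depends on it.
function findAffectedPaths(lock, pkgName, isAffected) {
  const packages = lock.packages;
  const found = [];
  const walk = (key, chain, seen) => {
    const entry = packages[key];
    if (!entry) return;
    for (const depName of Object.keys(entry.dependencies || {})) {
      const depKey = resolveDep(packages, key, depName);
      if (!depKey || seen.has(depKey)) continue; // unresolved or cyclic: skip
      const dep = packages[depKey];
      const nextChain = chain.concat(`${depName}@${dep.version}`);
      if (depName === pkgName && isAffected(dep.version)) {
        found.push({ path: nextChain, direct: chain.length === 0 });
      }
      walk(depKey, nextChain, new Set(seen).add(depKey));
    }
  };
  walk("", [], new Set());
  return found;
}

// One line per affected chain, labelled direct or transitive.
function report(lock, pkgName, isAffected) {
  const paths = findAffectedPaths(lock, pkgName, isAffected);
  if (paths.length === 0) return `${pkgName}: no affected version installed`;
  return paths
    .map((p) => `${p.direct ? "direct" : "transitive"}: ${p.path.join(" > ")}`)
    .join("\n");
}

// Constructed advisory: tiny-parser below 1.0.0 is affected.
console.log(report(LOCK, "tiny-parser", (v) => lessThan(v, "1.0.0")));
```

Run against the constructed lockfile, the report shows that the affected `tiny-parser@0.9.4` arrives only through `web-framework`, while the copy nested under `log-helper` is already on an unaffected version. That is the practical difference from the Java case: the fix here is not in the application’s own code but in moving `web-framework` to a release that accepts the patched parser, or overriding the transitive version if the upstream has not released one.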
The disconnect over new programming languages
The report’s data also highlights the gap between the programming languages developers are learning and the programming languages the vast majority of companies actually use. The top languages and ecosystems Veracode found (Java, .NET, and JavaScript) are not the technologies developers prefer.
While JavaScript and JS-based frameworks such as Node.js, React.js, and Angular dominate the list of developer-preferred technologies, Java is one of the less-loved programming languages: 54% of respondents said they dread it, while 46% said they love it, according to Stack Overflow’s 2022 Developer Survey.
Yet Java still dominated the share of applications scanned by Veracode clients (44%), compared to JavaScript’s 14%.
Additionally, Rust, the survey’s most-loved programming language, doesn’t appear in Veracode’s data at all, while Python, ranked sixth among developers, accounts for less than 4% of applications scanned.
Veracode’s Jarrett said one reason for the disconnect is that established applications are written in established programming languages.
“There’s a whole universe of all the code out there, and there’s kind of a bubble on top of a new wave of development, where you see people picking up Go and Rust and Dart and Flutter,” he says.
That situation probably won’t change, as the codebases of applications written in those established languages keep accumulating.
“Unfortunately, old applications don’t die, so there’s a lot of critical mass in companies with these big Java codebases and .NET codebases,” he says.