In IT security, the principle of the weakest link applies: it is decisive when determining the overall security level of your website or app. Even problems that look banal at first glance can ultimately have fatal consequences. That is why we are starting an IT security series in which we will break down the weaknesses of every major part of your online projects.
The most used programming languages
We’ll start from scratch – with the programming language. It is an essential part of creating every computer program or website. To begin with, we bring you a list of the most commonly used programming languages in the world, as published by GitHub in its annual report called Octoverse:
The ranking of languages by usage varies from source to source, but we take GitHub as the guideline. It reflects which programming languages people actually use most often, not which ones they merely favour. GitHub currently hosts more than 24 million programmers from more than 200 countries worldwide.
UpGuard also offers a list of the most widely used programming languages. Its top three are:
- .NET (28,1 %)
- Java (24,9 %)
- ASP (15,9 %)
ColdFusion, Perl, and PHP occupy the remaining positions without further specification.
Security and programming languages – they might work differently than you think
If we look at programming languages from the security point of view, we find that the situation is a bit different from what we might have expected. It is by no means the case that the most used programming language is also the safest. There is a logical explanation: the most commonly used languages are potentially the most attractive to black-hat hackers. The security of these languages also depends on their developers, who may, but need not, care about the development and continuous improvement of their language.
A preview of the security of the programming languages themselves is provided by a detailed Veracode report, which analyzed 300,000 different code uses in programs and websites created from mid-2015 to the end of 2016.
Comparing the security of the 5 most popular programming languages reveals some interesting facts. Ruby is considered the safest of the TOP 5 (if we do not count Python, which is missing from the Veracode statistics). At the other end, PHP is the most vulnerable, with up to 60.6 bugs per 1 MB of code on average.
UpGuard has a different opinion about the security of programming languages – it offers a slightly different ranking. For the sake of objectivity, we present it here so that data from two different companies can be compared.
- .NET (31 %)
- Java (28 %)
- ASP (15 %)
- PHP (2 %)
Java as a stand-alone category from a security perspective
The third most widely used programming language in the Veracode report, Java, deserves special attention. According to the 2017 Veracode statistics, Java applications are among those that most often contain a bug or a security vulnerability: up to 87.6% of Java applications contain at least one security vulnerability caused by a flawed component.
The report pointed out that the main reason for so many security vulnerabilities in Java applications is that companies do not want to update individual components. Only 28% of companies are interested in which components their Java applications consist of, and only a fraction of those companies then update the components.
OWASP IT Security Testing
One type of security testing for online applications and websites is testing against the methodologies of the OWASP organization. Among them is the so-called pass rate test, which determines whether an application or online system would pass OWASP’s strict security conditions without any adjustments. On average, only 34.1% of tested applications pass this test, and one of the main reasons for failure is poor code quality. On average, up to 34% of all tested applications across all industries suffer from inadequate code quality.
The code security situation in Central Europe might be a bit different
We asked Nethemba security testers about the security of programming languages in Slovakia and the Czech Republic. They confirmed that most security vulnerabilities appear in PHP applications.
Regarding the security of entire industries in Slovakia and the Czech Republic, applications in the banking and financial sector are considered the most secure; all other sectors lag behind. (We plan a more specific article on the subject of code security and programming languages in the Czech Republic and Slovakia.)
Think of security when choosing the programming language
One of the most critical security issues for your application, online service, or website is badly crafted code, which in most cases contains a security vulnerability. There are several reasons for this, but one of the most critical is that programmers write code so that it works first; code security comes second.
Often, an IT security specialist is also missing from the programming team. As a result, when choosing a suitable programming language, developers give little thought to its security or to the security vulnerabilities typical of that language.
Therefore, educate your employees, especially programmers, to look at the security of the individual components they use and to keep the programs and components they use up to date. Have your site or app tested before you publish it and focus on removing its security vulnerabilities.
Revealing security vulnerabilities that you can remove before publishing your service or product will cost you far less than repairing the damage after a black-hat hacker attack. On average, a cyber attack costs a company in Europe €86,000, while using bug bounty programs you can test your system for a fraction of that amount. Not to mention how much a data leak may cost you after May 2018, when the new data protection legislation known as the GDPR comes into effect.
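As an added, illustrative example that is not part of the original article, the following Python script shows one way to start on the component inventory that both the Veracode findings on Java components above and the advice in this paragraph call for: it lists the third-party dependencies declared in a Maven pom.xml (the format most Java projects use) and flags any that are older than a minimum version the team has reviewed, or that have never been reviewed at all. The pom.xml content, the component names and the minimum-version table are all constructed sample data, not real components or advisory data.

```python
"""Added example (not from the original article): inventory the third-party
components declared in a Maven pom.xml and flag those older than a minimum
version the team maintains itself.  The pom.xml and the minimum-version
table below are constructed sample data, not real advisory data."""
import xml.etree.ElementTree as ET

# Constructed sample pom.xml with three (fictional) dependencies.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>json-lib</artifactId>
      <version>1.2.3</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>web-framework</artifactId>
      <version>4.0.1</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>crypto-utils</artifactId>
      <version>2.10.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed table: the oldest version of each component that the team
# has reviewed and accepts.  In practice this is fed by advisory data.
MINIMUM_VERSIONS = {
    "com.example:json-lib": "1.3.0",
    "com.example:web-framework": "4.0.0",
    "com.example:crypto-utils": "2.9.5",
}

# Maven declares a default XML namespace, so every tag must be qualified.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically,
    not lexically ('1.10.0' must sort after '1.9.0')."""
    return tuple(int(part) for part in text.strip().split("."))


def list_dependencies(pom_xml):
    """Return {'groupId:artifactId': 'version'} for every declared dependency."""
    root = ET.fromstring(pom_xml)
    deps = {}
    for dep in root.findall(".//m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS)
        deps[f"{group}:{artifact}"] = version
    return deps


def outdated_components(pom_xml, minimums=MINIMUM_VERSIONS):
    """Report components below their reviewed minimum version, and separately
    any component with no entry in the table (unknown means unreviewed)."""
    report = {"outdated": {}, "unreviewed": []}
    for name, version in list_dependencies(pom_xml).items():
        if name not in minimums:
            report["unreviewed"].append(name)
        elif parse_version(version) < parse_version(minimums[name]):
            report["outdated"][name] = (version, minimums[name])
    return report


if __name__ == "__main__":
    result = outdated_components(SAMPLE_POM)
    for name, (have, need) in result["outdated"].items():
        print(f"OUTDATED   {name}: have {have}, need >= {need}")
    for name in result["unreviewed"]:
        print(f"UNREVIEWED {name}")
```

The minimum-version table stands in for whatever advisory source the team actually uses; the point of the script is that a component nobody has recorded a decision about is reported as well, because an unreviewed component is exactly the blind spot the Veracode figures describe.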