Programming language security: These are the worst bugs for each top language

C++ and PHP have far more high-severity security flaws than programming languages like JavaScript and Python.
Written by Liam Tung, Contributing Writer

If you're a developer writing code in .NET, C++, Java, JavaScript, PHP or Python, new research highlights the main security vulnerabilities you need to watch out for. 

Static code analysis security firm Veracode has released numbers on the types of vulnerabilities that are most prevalent in 130,000 apps it scanned for security issues. 

It has looked at bug trends across apps written in .NET, C++, Java, JavaScript, PHP or Python. The numbers are compiled in Veracode's State of Software Security volume 11 report

SEE: Virtual hiring tips for job seekers and recruiters (free PDF) (TechRepublic)

For JavaScript, the most popular language for front-end development, Veracode found that 31.5% of these apps have at least one cross-site scripting (XSS) flaw, while it found 74.6% of apps written in PHP have at least one XSS flaw. Additionally, 71% of PHP apps have cryptographic issues. 

The main issue for applications written in .NET is information leakage, found in 62.8% of .NET apps, while for C++ error handling is the top issue, found in 66.5% of these apps. 

And for Java apps, the top flaw found is Carriage Return or Line Feed or CRLF injection, present in 64.4% of them. Finally, the top security problem for Python apps, present in 35% of them, relates to cryptography.  

There is also a major difference between the severity of flaws found in apps in each language. Veracode found that 59% of apps written in C++ and 52% of apps written in PHP have high-severity flaws. However, it found only 9.6% of apps written in JavaScript have high-severity flaws. The high-severity flaw figure for Java is 24%.  

Veracode chief research officer Chris Eng explained to ZDNet why some of these trends in vulnerabilities in apps written in different languages are occurring and how to ensure they don't become an expensive headache to fix.  

"When we look at the overall numbers, as an industry we haven't eradicated any category of flaw over the past 10 years," says Eng. 

"Nothing has completely gone away. A lot of things are fluctuating but when you look at the averages, it tends to more reflect the change in language choice and language popularity more than anything else.

"We see buffer overflows that are common in C++ are trending down, not so much because we've gotten better as developers at reducing those issues but because C++ is becoming less prevalent." 

On the other hand, the issues that affect JavaScript and Python are creeping up a bit because JavaScript is so popular right now, notes Eng. Java and .NET remain popular across the enterprise.

PHP remains one of the most popular scripting languages for web application development, but Eng says the higher number of vulnerabilities in PHP code is because the language provides so many unsafe primitives and a lot of ways to do things wrong.

".NET was one of the first ones to make it a little harder to shoot yourself in the foot," explains Eng. 

"You have safer defaults around a lot of the APIs and you see it's a lot harder to make a cross-site scripting mistake or a SQL injection mistake in .NET than it is in PHP, where it will be default – unless you happen to be using one of these more modern frameworks that might provide more protections for you – there's just a lot of ways you can mess up."

SEE: Programming languages: Microsoft TypeScript leaps ahead of C#, PHP and C++ on GitHub

While Veracode found far fewer flaws in the JavaScript apps it analyzed, the vast npm ecosystem of open-source libraries for JavaScript and node.js is a potential weak spot, despite JavaScript's safer defaults. 

"Even if you were to go and fix all the vulnerabilities you've coded yourself, you still have a pretty wide variety of third-party libraries," says Eng. 

"Patching is really not as good as you would hope it would be. The trend is that developers download the latest version of the library at the time they need it and then they never update it again, unless something functionality-wise breaks."

How should engineering and product teams keep the hassle and cost of patching key applications down? Eng's advice is to stay up to date and be aware of how much tech or security debt has built up in an application over time. At some point, the app will need to be fixed or patched, and that includes language updates and patches to key libraries. 

"If I'm version on 4.5 and version 4.6 comes out, I can apply that patch with very little chance of anything breaking functionality-wise. No open-source library is coming to make a major change to the library in a minor version. Now if you're on version 2 and then you have to upgrade to version 4.6, there's gonna be a lot of pain," says Eng.   

This particular issue about updating libraries could be bigger for JavaScript via the huge npm ecosystem, but there are also large ecosystems around Java with Maven and Python with PyPI. 

Eng says the average JavaScript application has about 400 dependencies. If you go up to the 90th percentile of JavaScript applications, these can have 1,000 or 2,000 dependencies. 

SEE: Lightning does strike twice: If you get hacked once, you'll probably be attacked again within a year

Application security firm Snyk recently explained to ZDNet how most security bugs affecting JavaScript, Ruby, Java, PHP and Python are due to indirect dependencies of primary components loaded inside a project.    

Then there are some very popular JavaScript libraries that are being used by 80% to 90% of all JavaScript applications out there.

"Any time there's a vulnerability in one of these packages, you inherit that risk. And it's not just security risk," says Eng.  

He points to the case of the left-pad JavaScript library that a developer removed from npm in 2016 following a dispute

"It disappears off GitHub and suddenly two-thirds of the internet breaks because they were depending on this four-line library to determine whether a number was left-padded with zeros."


Veracode's numbers show by language the types of vulnerabilities most prevalent in 130,000 apps it scanned.  

Image: Veracode

More on programming languages

  • Programming language Python: First version released to run natively on Apple M1
  • JavaScript at 25: The programming language that makes the world go round
  • Programming languages: Python rules as Java declines  
  • Programming languages: Microsoft TypeScript leaps ahead of C#, PHP and C++ on GitHub  
  • Programming language PHP 8 is out: This new JIT compiler points to better performance  
  • Amazon: We're hiring software engineers who know programming language Rust  
  • Programming language Python's popularity: Ahead of Java for first time but still trailing C  
  • Linux Foundation: We'll host Mozilla's Rust programming language-based Servo web engine  
  • 2020's fastest-rising tech jobs? Programming language PHP leads the way  
  • Programming language popularity: JavaScript leads – 5 million new developers since 2017  
  • Programming language Python is a big hit for machine learning. But now it needs to change  
  • Is Julia the next big programming language? MIT thinks so, as version 1.0 lands TechRepublic  
  • Mozilla's radical open-source move helped rewrite rules of tech CNET
  • Editorial standards