Four Out of Five Applications Written in Web Scripting Languages Fail OWASP Top 10 Upon First Assessment

Veracode’s Supplement to the 2015 State of Software Security: Focus on Application Development report benchmarks application risk profiles by type of programming language

BURLINGTON, Mass. – December 3, 2015 Veracode, a leader in protecting enterprises from today’s pervasive web and mobile application threats, today released a supplement to the 2015 State of Software Security: Focus on Application Development, a report based on benchmarking analytics from its cloud-based platform. The report shows that four out of five applications written in PHP, Classic ASP and ColdFusion that were assessed by Veracode during the period covered by the report failed at least one of the OWASP Top 10, an industry-standard security benchmark. Given the volume of PHP applications developed for the top three content management systems (CMS) - WordPress, Drupal and Joomla, which represent more than 70 percent[i] of all CMSs in use today – these findings raise concern over potential security vulnerabilities in millions of websites.

Veracode’s analytics show that 86 percent of PHP-based applications contain at least one Cross-Site Scripting (XSS) vulnerability and 56 percent have at least one SQL injection (SQLi) when initially assessed by Veracode. These vulnerability trends are also seen across the wider family of web scripting languages, where applications written in Classic ASP and ColdFusion are nearly twice as likely to contain these flaws compared to more modern languages such as .NET and Java.

Veracode’s cloud-based platform has now assessed more than a trillion lines of code for critical vulnerabilities that can lead to large-scale breaches. The 2015 report captures data collected over the past 18 months from more than 200,000 automated assessments performed for Veracode’s customers across a range of industries and geographies.

As enterprises shift to continuous delivery and other DevOps innovations, the pressure is mounting to produce more secure software faster. Yet, according to SANS, less than 26 percent of organizations have mandated, ongoing secure coding education programs[ii].

Organized by programing language type for simplified benchmarking, Veracode’s supplement to the 2015 State of Software Security Report helps organizations plan for new application development as well as prioritize assessment and remediation activities. The report addresses key questions such as: are some programing languages inherently more secure than others?; and what should design teams look for before starting their projects? Findings include:

  • Design of the language matters for security. Some languages are designed from the ground up to avoid certain vulnerability classes. For example, by removing the need for developers to directly allocate memory, Java and .NET eliminate almost entirely vulnerabilities dealing with memory allocation (such as buffer overflows). Similarly, the default behaviors of some ASP.NET controls avoid common issues related to Cross-Site Scripting.
  • Operating environment of the language matters for security. Some vulnerabilities are only relevant in certain execution environments. For instance, some categories of information leakage are most acute in the mobile environment, which combines large volumes of personal data with a plethora of always-on networking capabilities.
  • Mobile development project teams need to focus on encryption. Eighty-seven percent of Android apps and 80 percent of iOS apps contained cryptographic issues. This suggests that while mobile app developers may be aware of the need for cryptography to protect sensitive data and thus use it in their applications, few of them know how to implement it correctly. Given the rapid adoption of mobile applications in the healthcare industry, this is particularly concerning.

“When organizations are starting new development projects and selecting languages and methodologies, the security team has an opportunity to anticipate the types of vulnerabilities that are likely to arise and how best to assess for them,” said Chris Wysopal, Veracode CISO and CTO. “The data in this report can inform decisions around language selection, developer training and which assessment techniques to use in order to make the inevitable remediation process less onerous.”

Remediation Impacted by Bringing Security Closer to the Developer

The data also indicates that developer education through eLearning services has a big impact on reducing application-layer risk. Development organizations that leverage Veracode’s eLearning services improve the security of their code by 30 percent compared to those without a formal educational program. Created by world-class security and development experts, these on-demand classes help developers understand secure coding practices and how to remediate vulnerabilities more quickly and efficiently.

Further analytics also show a 28 percent higher fix rate for vulnerabilities found by ‘white box’ or static analysis (SAST) compared to those found by ‘black box’ or dynamic analysis (DAST). While no single assessment technology is sufficient to secure an application, understanding the each assessment technology’s strengths and weaknesses is important when it comes to fixing - not just finding - software vulnerabilities.

The full State of Software Security: Focus on Application Development report can be found at:


The State of Software Security, Focus on Application Development draws on continuously-updated information from Veracode’s cloud-based platform. Unlike with a survey, the data comes from actual code-level analysis of billions of lines of code assessed by Veracode’s platform, across a range of industries and geographies.

This report captures data collected over the past 18 months from over two hundred thousand application scans performed via our cloud-based platform. It summarizes information about applications written in 11 of the most popular programming languages, including Java, .NET, .iOS, Android, C/C++, JavaScript, PHP, ColdFusion, Ruby and COBOL.