State of Software Security: Vulnerability Hall of Fame

Using data from more than 10 years of our State of Software Security report, we’ve compiled a list of the worst flaw offenders to keep an eye on and the languages they impact most.

Overview

Volume 11 of our State of Software Security report uncovered some alarming data, including that more than 76 percent of all applications have at least one security flaw. Some are riskier than others, but all of these vulnerabilities are preventable with the right knowledge, tools, and processes in place. Here’s what you need to know about the 10 software vulnerabilities that have reigned supreme over the years so you can stay one step ahead of them.

SQL Injection

28% of applications contain SQL injection flaws. These let a threat actor supply input that the application concatenates into a database query, giving them unauthorized access to the back-end database. With that access an attacker can read, alter, or delete data, and the cleanup after a successful attack is often expensive and time-consuming.

Languages to watch: .Net (12.7%)

The fix: Avoid introducing SQL injection by using parameterized queries (prepared statements) for every query that includes untrusted data, and limit the damage of any exploit that does get through by connecting to the database with an account that has only the privileges the application needs.

Encapsulation

29% of applications contain encapsulation flaws. These arise when an application fails to keep data and functionality properly separated as they cross component or trust boundaries. Typical examples are deserialization of untrusted data, where a serialized object from outside the application is rebuilt (and can run code) inside it, and trust boundary violations, where untrusted input is stored alongside trusted data and later treated as trusted.

Languages to watch: .Net (12%), Java (18%), PHP (48%)

The fix: Keep internal state private to the class or component that owns it, set your security headers correctly, and never deserialize input from outside the application with a format that can instantiate arbitrary objects. Prefer data-only formats such as JSON and validate what you receive against the shape you expect before using it.
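
The deserialization case is easiest to see in code. The Python example below is added here and is not from the page; the RunOnLoad class, the two input blobs, the schema, and the function names are all constructed for it. pickle.loads rebuilds whatever the payload describes, including a call to a function of the attacker's choosing (eval of "40 + 2" stands in for something harmful), while json.loads can only produce plain data and the validation step refuses anything outside the expected shape.

```python
import json
import pickle


class RunOnLoad:
    """An object whose pickled form tells the unpickler to call a function of
    the attacker's choosing. eval("40 + 2") stands in for something harmful."""

    def __reduce__(self):
        return (eval, ("40 + 2",))


# Constructed attacker-controlled input (not from the original page).
MALICIOUS_BLOB = pickle.dumps(RunOnLoad())
# Constructed well-formed input in a data-only format.
JSON_BLOB = b'{"user": "alice", "role": "viewer"}'

# Allow-list schema for the JSON case: field -> (required type, allowed values or None).
SCHEMA = {"user": (str, None), "role": (str, {"viewer", "editor"})}


def load_untrusted_pickle(blob: bytes):
    """Encapsulation flaw: pickle.loads rebuilds whatever the payload describes,
    which includes running the callable it references."""
    return pickle.loads(blob)


def load_untrusted_json(blob: bytes) -> dict:
    """Hardened: json.loads only ever yields plain data (dict, list, str, numbers),
    and the schema check refuses anything outside the expected shape."""
    data = json.loads(blob)
    if not isinstance(data, dict) or set(data) != set(SCHEMA):
        raise ValueError("unexpected fields")
    for field, (expected_type, allowed) in SCHEMA.items():
        value = data[field]
        if type(value) is not expected_type:
            raise ValueError(f"{field}: wrong type")
        if allowed is not None and value not in allowed:
            raise ValueError(f"{field}: value not allowed")
    return data


if __name__ == "__main__":
    print(load_untrusted_pickle(MALICIOUS_BLOB))  # 42: eval ran during unpickling
    print(load_untrusted_json(JSON_BLOB))
```

The same pattern applies to Java serialization, PHP unserialize, and YAML loaders that construct objects: the safe choice is a format that cannot describe code, plus explicit validation of the result.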

Cross-Site Scripting

47% of applications contain Cross-Site Scripting (XSS) flaws, which let attackers inject client-side scripts into pages served to other users, so that the script runs with the site's own origin and bypasses the browser's security controls. With that foothold, threat actors can read data shown to the user, alter page content, perform actions in the user's name, and hijack the user's session.

Languages to watch: Python (22%), .Net (24%), Java (25%), JavaScript (32%), PHP (75%)

The fix: Validate input against what the application expects, and apply context-appropriate output encoding (HTML body, attribute, JavaScript, URL) to every piece of untrusted data at the point it is written into a page. Encoding alone does not cover URL contexts such as href, where a javascript: link passes an HTML encoder untouched, so allow-list the scheme there as well.
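
An added Python example (not from the page) of context-appropriate encoding; the payloads and function names are constructed for it. The vulnerable concatenation leaves a script tag intact, the encoded versions neutralise it in body and attribute contexts, and the link helper shows why a URL context also needs a scheme allow list.

```python
import html
from urllib.parse import urlsplit

# Constructed untrusted inputs (not from the original page).
NAME_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'
URL_PAYLOAD = "javascript:alert(1)"


def greeting_vulnerable(name: str) -> str:
    """Untrusted data concatenated straight into HTML: the script tag survives."""
    return f"<p>Hello, {name}!</p>"


def greeting_encoded(name: str) -> str:
    """HTML body context: encode &, <, > and quotes so markup becomes text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def input_encoded(value: str) -> str:
    """HTML attribute context: always quote the attribute and encode quotes,
    so the value cannot close the attribute and start a new one."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def link_checked(url: str, text: str) -> str:
    """URL context: encoding does not help here, because javascript: is a
    perfectly valid attribute value. Allow-list the scheme first, then encode
    for the attribute as usual."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        url = "#"  # refuse anything but web links
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text, quote=True)}</a>'


if __name__ == "__main__":
    print(greeting_vulnerable(NAME_PAYLOAD))
    print(greeting_encoded(NAME_PAYLOAD))
    print(input_encoded(ATTR_PAYLOAD))
    print(link_checked(URL_PAYLOAD, "click me"))
```

In a real application the encoding should come from the template engine's auto-escaping rather than hand-written calls, but the rule is the same: the encoder must match the context the data lands in.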

Directory Traversal

48% of applications have a directory traversal flaw. This vulnerability lets an attacker place path components such as ../ (or an absolute path) in a URL or parameter that the application turns into a file path, giving unauthorized access to files and directories outside the location it was meant to serve.

Languages to watch: JavaScript (12%), Python (21%), Java (30%), .Net (35%), C++ (42%), PHP (65%)

The fix: Do not rely on filters that block ../ and similar sequences; encoded variants and absolute paths slip past them. Resolve the requested path to its canonical form and verify that it still lies inside the permitted base directory before opening it, or better, let users choose from an allow list of identifiers that the application maps to file names itself.
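
As an added Python example (not from the page), the code below builds a throwaway document root with one file and contrasts a naive os.path.join with a canonicalize-then-check resolver. The directory, file, and function names are constructed for the example.

```python
import os
import tempfile


def make_docroot() -> str:
    """Constructed document root holding the one file the app may serve."""
    base = tempfile.mkdtemp(prefix="docroot-")
    with open(os.path.join(base, "report.txt"), "w") as fh:
        fh.write("quarterly report\n")
    return base


def resolve_vulnerable(base: str, requested: str) -> str:
    """os.path.join trusts the caller: '../' climbs out of base, and an
    absolute path replaces base entirely."""
    return os.path.join(base, requested)


def resolve_checked(base: str, requested: str) -> str:
    """Canonicalize, then require the result to stay inside base. This judges
    the final path the OS will open, so encoded dots, absolute paths and even
    symlinks that point outside the root are all caught by one rule."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, requested))
    if target != base_real and not target.startswith(base_real + os.sep):
        raise PermissionError(f"path escapes document root: {requested!r}")
    return target


def read_document(base: str, requested: str) -> str:
    with open(resolve_checked(base, requested)) as fh:
        return fh.read()


if __name__ == "__main__":
    base = make_docroot()
    print(resolve_vulnerable(base, "../../etc/passwd"))  # leaves base
    print(resolve_vulnerable(base, "/etc/passwd"))       # base discarded
    print(read_document(base, "report.txt"))
    try:
        read_document(base, "../../etc/passwd")
    except PermissionError as exc:
        print("rejected:", exc)
```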

Insufficient Input Validation

48% of applications contain insufficient input validation flaws, a group of weaknesses in which the application accepts malformed or unexpected input. The consequences range from open redirects that send users to attacker-controlled sites, to hijacked sessions, to execution of malicious code.

Languages to watch: Python (8%), Java (25%), JavaScript (26%), .Net (49%) 

The fix: Use allow lists that define exactly what valid input looks like and reject everything else, validate on the server rather than trusting client-side checks, and treat all data entered by users as untrusted.
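
The open redirect mentioned above is a good test of allow-list thinking, because deny lists keep missing variants. The Python example below is added here (not from the page); the patterns and function names are constructed for it. The redirect check accepts only an application-local path, which rejects scheme-relative (//host), absolute (https://host) and backslash forms (/\host, which browsers normalise to //host) without listing any of them; the username check shows the same idea for a plain field.

```python
import re

# Allow-list patterns: describe exactly what valid input looks like.
# A local path: starts with one slash (not two) and uses only plain path/query characters.
LOCAL_PATH = re.compile(r"/(?!/)[A-Za-z0-9_\-./?=&%]*")
# A username: lowercase letter first, then 2 to 31 lowercase letters, digits or underscores.
USERNAME = re.compile(r"[a-z][a-z0-9_]{2,31}")


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Open-redirect defence: return the target only if it is a local path;
    otherwise fall back to a known-safe default. The check runs on the value
    after any URL decoding the framework performs."""
    if LOCAL_PATH.fullmatch(target):
        return target
    return default


def validate_username(value: str) -> str:
    """Reject anything outside the allow list instead of trying to strip
    known-bad characters (quotes, semicolons, newlines, ...)."""
    if not USERNAME.fullmatch(value):
        raise ValueError("invalid username")
    return value


if __name__ == "__main__":
    for candidate in ("/account?tab=1", "//evil.example/login", "https://evil.example/", "/\\evil.example"):
        print(candidate, "->", safe_redirect_target(candidate))
    print(validate_username("alice_01"))
```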

Credentials Management

48% of applications contain credentials management flaws. Common errors include hard-coded passwords and credentials stored in plaintext files, which let an attacker who obtains the source or the file bypass access controls and assume the privileges of users or administrators.

Languages to watch: Python (7%), .Net (20%), Java (27%), JavaScript (30%), PHP (44%)  

The fix: Keep credentials out of source code and out of configuration that is checked into version control; load them from the environment or a secrets manager at runtime. Store user passwords only as salted hashes produced by a slow password-hashing function, and rely on well-vetted authentication and session-management libraries rather than writing your own.
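
As an added Python example (not from the page), the code below shows the two halves of that advice with standard-library tools: reading a secret from the environment instead of the source, and storing passwords as salted scrypt hashes verified in constant time. The environment variable name, the scrypt parameters and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Mapping, Optional

# Flaw (what not to do): a secret committed with the source is readable by
# everyone with repository access and stays in history forever.
# DB_PASSWORD = "Sup3rS3cret!"

# Memory-hard parameters: slow enough to blunt offline guessing (assumed values).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)


def db_password_from_env(env: Optional[Mapping[str, str]] = None) -> str:
    """Load the secret from the deployment environment (or a secrets manager
    behind the same interface). Fails closed when it is absent."""
    env = os.environ if env is None else env
    value = env.get("APP_DB_PASSWORD")
    if not value:
        raise RuntimeError("APP_DB_PASSWORD is not set")
    return value


def hash_password(password: str) -> str:
    """Fresh random salt per password, then a salted, memory-hard hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    comparison itself does not leak how many bytes matched."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "wrong"))                         # False
```

The stored record carries its own salt and scheme name, so the parameters can be raised later and old records re-hashed at next login.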

Code Quality

60% of applications have flaws related to code quality, such as leftover debug code, using the wrong operator when comparing strings, and failing to release resources such as file handles or connections. These issues can lead to the disclosure of sensitive data or to denial of service.

Languages to watch: JavaScript (8%), C++ (37%), PHP (40%), .Net (54%), Java (54%)

The fix: Boost developer knowledge through eLearning and hands-on training in secure coding practices, and back it up with linting and static analysis in the build so that debug code and unreleased resources are caught before release.

Cryptographic Issues

64% of applications have cryptographic flaws such as broken or outdated algorithms, improperly validated certificates, and inadequate key or encryption strength. Data that is not properly protected can leak, which is costly and damaging to your brand.

Languages to watch: JavaScript (21%), Python (35%), C++ (40%), Java (43%), .Net (46%), PHP (72%) 

The fix: Use well-reviewed, actively maintained cryptographic libraries rather than your own implementations; choose current algorithms and adequate key lengths, validate certificate chains and hostnames on every TLS connection, and consult specialists when designing anything beyond those standard building blocks.
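
Two of those three flaw types can be shown side by side with the Python standard library. The example below is added here (not from the page); the function names and the sample message are constructed for it. The first pair of functions contrasts a TLS client context that accepts any certificate with one that verifies the chain and hostname and refuses versions below TLS 1.2; the second pair contrasts an unkeyed MD5 checksum, which anyone who tampers with the message can recompute, with an HMAC-SHA256 tag that requires a key of adequate length.

```python
import hashlib
import hmac
import ssl


def tls_context_weak() -> ssl.SSLContext:
    """Improperly validated certificates: what 'just make it work' code often
    does. Any certificate from any issuer for any hostname is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_context_checked() -> ssl.SSLContext:
    """Defaults load the system trust store and require a valid chain plus a
    matching hostname; additionally refuse protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def checksum_md5(message: bytes) -> str:
    """Broken choice for integrity: MD5 is collision-prone and, with no key,
    whoever modifies the message simply recomputes the value."""
    return hashlib.md5(message).hexdigest()


def tag_hmac(key: bytes, message: bytes) -> str:
    """Keyed integrity: HMAC-SHA256 with at least a 256-bit key."""
    if len(key) < 32:
        raise ValueError("key must be at least 256 bits")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison of the recomputed tag against the received one."""
    return hmac.compare_digest(tag_hmac(key, message), tag)


if __name__ == "__main__":
    key = b"\x01" * 32          # constructed key; use secrets.token_bytes(32) in practice
    message = b"amount=10"      # constructed message
    tag = tag_hmac(key, message)
    print(verify_hmac(key, message, tag))           # True
    print(verify_hmac(key, b"amount=1000", tag))    # False: tampering detected
    print(checksum_md5(b"amount=1000"))             # attacker can compute this without any secret
```

The HMAC tag only provides integrity and authenticity; it does not hide the message. For confidentiality use an authenticated encryption mode such as AES-GCM from a maintained library, never a hand-assembled combination of cipher and hash.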

CRLF Injection

65% of applications contain CRLF injection flaws. A carriage return and line feed (CRLF) pair separates lines in HTTP headers and in most log formats, so when untrusted input containing those characters is written into a header or a log entry without neutralization, the attacker decides where one record ends and the next begins. The result can be injected or overwritten response headers and cookies (HTTP response splitting), forged log entries that mislead investigators, and hijacked browser sessions.

Languages to watch: Python (16%), .Net (25%), JavaScript (29%), Java (64%)  

The fix: Do not trust user input. Reject or encode carriage return and line feed characters (and other control characters) before writing untrusted data into HTTP headers, and neutralize them in log entries so that one record cannot masquerade as several when administrators read the logs.
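
The Python example below is added here (not from the page) to make both cases concrete; the payloads and function names are constructed for it. The raw header builder lets a CRLF inside a redirect target become a second, attacker-chosen Set-Cookie header; the checked builder refuses any control character in a header value; and the log helper escapes CR and LF so a single entry stays a single line.

```python
# Constructed untrusted values (not from the original page).
REDIRECT_PAYLOAD = "/home\r\nSet-Cookie: session=attacker"
LOG_PAYLOAD = "bob\r\n2024-01-01 INFO login ok user=admin"


def response_headers_vulnerable(location: str) -> bytes:
    """Raw header assembly: a CR LF inside the value ends the Location line
    and the remainder becomes a header of the attacker's choosing."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode()


def header_value(value: str) -> str:
    """Refuse every control character rather than stripping only \\r and \\n.
    Python's http.client rejects bare CR/LF in header values for the same
    reason; rejecting all controls is stricter and easier to reason about."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control character in header value")
    return value


def response_headers_checked(location: str) -> bytes:
    """Same assembly, but every untrusted value passes through header_value."""
    return f"HTTP/1.1 302 Found\r\nLocation: {header_value(location)}\r\n\r\n".encode()


def log_line(user: str, event: str) -> str:
    """Log forging defence: neutralize CR/LF so one entry cannot pose as several,
    and quote the untrusted field so its boundaries are visible to a reader."""
    safe_user = user.replace("\r", "\\r").replace("\n", "\\n")
    return f'event={event} user="{safe_user}"'


if __name__ == "__main__":
    print(response_headers_vulnerable(REDIRECT_PAYLOAD).decode())  # two headers, one of them injected
    try:
        response_headers_checked(REDIRECT_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
    print(log_line(LOG_PAYLOAD, "login"))
```

Web frameworks normally perform the header check for you; the place this flaw survives is code that writes headers or log files with plain string formatting, as the vulnerable function does.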

Information Leakage

66% of applications have information leakage flaws, which expose sensitive details about the application, its users, or its environment, for example through verbose error messages, stack traces, version banners, or comments left in responses. Attackers then use those details to aim their next steps against the application.

Languages to watch: Python (8%), JavaScript (23%), Java (52%), .Net (63%), PHP (63%) 

The fix: Return generic error messages to clients and keep the details in server-side logs, disable debug and stack-trace output in production, strip version banners from responses, and scan your code to find the APIs and handlers that leak information.
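
As an added Python example (not from the page), the code below triggers a constructed database failure and shows the leaky and the hardened way to report it, plus a helper that drops version banners. The incident-ID scheme, the header list and the function names are assumptions made for the example.

```python
import logging
import secrets
import sqlite3

log = logging.getLogger("app")

# Response headers that announce software and versions (assumed list).
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}


def trigger_db_error() -> Exception:
    """Constructed failure: a query against a table that does not exist."""
    try:
        sqlite3.connect(":memory:").execute("SELECT secret FROM api_keys")
    except sqlite3.Error as exc:
        return exc
    raise AssertionError("expected the query to fail")


def error_response_vulnerable(exc: Exception) -> dict:
    """Leaks the exception text: table names, paths, SQL fragments and library
    names all reach the client and guide the next attack."""
    return {"status": 500, "body": f"Internal error: {exc!r}"}


def error_response_checked(exc: Exception) -> dict:
    """Generic message outward; the detail stays in the server log, tied to the
    response by a random reference so support can still find it."""
    incident_id = secrets.token_hex(8)
    log.error("incident %s: %r", incident_id, exc)
    return {"status": 500, "body": f"Internal error. Reference: {incident_id}"}


def strip_banner_headers(headers: dict) -> dict:
    """Version banners tell an attacker which known vulnerabilities to try."""
    return {k: v for k, v in headers.items() if k.lower() not in BANNER_HEADERS}


if __name__ == "__main__":
    exc = trigger_db_error()
    print(error_response_vulnerable(exc)["body"])  # mentions api_keys
    print(error_response_checked(exc)["body"])     # only a reference number
    print(strip_banner_headers({"Server": "nginx/1.18.0", "Content-Type": "text/html"}))
```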

Vulnerability Hall of Fame

Want more insights into the current state of software security and actionable advice for steps you can take to reduce risk? Download this year’s full report and get the data you need to start optimizing your application security program today.
