More than three-quarters of applications written in Java and .NET have at least one vulnerability from the OWASP Top 10, a list of software weaknesses that developers typically use as a baseline for application security.

That’s according to software-testing firm Veracode, which found in an analysis of nearly 760,000 applications that about one in five applications using those two programming ecosystems had at least one high-severity or critical-severity vulnerability.

Overall, the average application had a 27% chance to have at least one vulnerability introduced every month, with poorly written apps and infrequently scanned apps likely to be more flawed, while applications with a longer history of security processes and being written by well-trained developers less likely to introduce new flaws, the data showed.

The analysis highlights the importance of integrating security into the development pipeline, says Tim Jarrett, vice president of strategic product management at Veracode.

“The data consistently shows that if you build a habit of security into your process, you have a better outcome, both in terms of fixing overall flaws, and … you also slow the flood of stuff coming in, and that makes a big difference,” he says.

Meanwhile, software companies and development teams continue to struggle to eliminate defects and vulnerabilities from application code. While developers and open source projects are fixing software flaws more quickly, the half-life of the average vulnerability continues to be measured in months, not days or weeks, according to Veracode’s “State of Software Security” report, published on Jan. 11. 

For example, Java and .NET applications, which accounted for 71% of total applications analyzed by the study, saw half of flaws still impacting the applications after 243 days and 158 days, respectively.

Half-life of vulnerabilities by programming language
Source: Veracode’s “State of Software Security” report

Application bloat and age both had a significant negative impact on their security. The average application accumulated about 40% more code and is more likely to have vulnerabilities. About 54% of two-year old applications have flaws, while 69% of five-year-old applications flaws, the analysis found.

JavaScript’s Surprising Security

Surprisingly, applications written in JavaScript or using one of the JavaScript frameworks tended to fare better in vulnerability scans. While about 80% of Java and .NET applications had a vulnerability, only 56% of JavaScript applications did. And while about 20% of Java and .NET applications had a high-severity vulnerability, less than 10% of JavaScript applications did.

JavaScript frameworks are newer, have more security, and have the benefits of an open source ecosystem, from which Java has only relatively recently benefited, Jarret says.

“JavaScript is a newer language, so applications written in it [are] newer, and there is a correlation we have established in previous reports between the age of the application and flaw remediation time,” he says. “A lot of the tooling for JavaScript [is] mature and it’s a well supported language.”

Moreover, where a vulnerability in a Java application is a first-party problem — leaving the developer to fix the issues — in JavaScript and the Node.js framework, vulnerabilities are often a third-party issue, because the vulnerability has occurred in a component on which the software depends.

“The way that you fix a security problem in a Java application is still largely [where] you make a change to a class file and you compile it,” he says. “Where in a JavaScript application, it[‘s] more of a package management problem. And that is a different thing for a developer to learn, which may be easier.”

New Programming Languages Languish

The report’s data also highlights the difference between the programming languages that developers are learning and those language actually used in the majority of enterprises. The top languages and ecosystems — Java, .NET, and JavaScript — seen by Veracode are not developers’ choice of programming technology.

While JavaScript and JS-based frameworks — such as Node.js, React.js, and Angular — dominate the lists of developer-preferred technology, Java is one of the least liked programming languages, with 54% of respondents dreading the language, compared with 46% who loved it, according to Stack Overflow’s 2022 Developer Survey

Yet Java dominated the share of applications scanned by Veracode clients (44%) compared with 14% for JavaScript. 

In addition, the most loved programming language, Rust, does not even show up in Veracode’s data, while developers’ No. 6, Python, only accounts for less than 4% of scanned applications.

Part of the reason for the disconnect is that established applications are written in established programming languages, says Veracode’s Jarrett.

“You have the full universe of all the code that is out there, and then you have the kind of the foam on the crest of the wave of new development is happening, and that is where you see people picking up Go and Rust and Dart and Flutter,” he says.

Because of the aggregated codebases of applications written in those languages, that situation likely will not change.

“Old applications never die, unfortunately, so there is a lot of critical mass in enterprises with these big Java codebases and .NET codebases,” he says.

Source: www.darkreading.com