A few months ago, we released our 12th annual State of Software Security (SOSS) Report. In our announcement blog, we noted new application development trends (like increased use of microservices and open-source libraries), the positive impact that Veracode Security Labs has on time to remediate security flaws, and the increased use of multiple application security scan types. But what we have yet to dive into is the security flaws we found in different programming languages.
Much like last year, we created an interactive heat map that lists out the most prevalent flaws by language along with an explanation of the flaw, supporting SOSS data, and tips for preventing the flaw.
It’s interesting to see that what might be a common flaw for one language might not even be a concern for another. Take cross-site scripting (XSS), for example. It’s the most common flaw for PHP – at 77.2 percent – but it doesn’t make the top 10 for C++.
For those of you familiar with last year’s heat map, you’ll notice that the top 10 security flaws for the majority of languages are relatively similar. The most noteworthy change is to the flaws in JavaScript. Last year, XSS was the top flaw. This year, CRLF Injection has taken the number one spot – moving XSS down to the third spot.
But keep in mind that a flaw being less prevalent in your programming language this year than it was last year does not mean that you shouldn’t take active steps to prevent it from impacting your code. The flaw landscape is constantly changing: what seems secure today may not be secure tomorrow. You need to be actively (and frequently) scanning both your own code and the third-party code leveraged in your codebase. You should also be training developers in secure coding best practices. Consider a tool like Veracode Security Labs, which teaches developers the skills and strategies needed to tackle evolving security threats by exploiting and patching real code. Our recent SOSS report found that organizations using Veracode Security Labs cut down the time it takes to fix 50 percent of flaws by an average of 35 percent.
Are you ready to learn about the most prevalent flaws in your programming language and how to stay secure? Check out our security flaw heat map, Beat the Heat.