GCN has posted a story on the most secure web language based on data from WhiteHat Security in its 2014 Website Security Statistics Report. WhiteHat performed vulnerability assessments of more than 30,000 websites using .NET, Java, ASP, PHP, ColdFusion, and Perl.
I was pleased to see the summary that "Risk exposure does not vary widely between languages ... In fact, there was no statistical difference, in terms of the average number of vulnerabilities per slot, between any of the languages in this study." While I have not done the type of analysis performed here, instinctively I agree, the quality of the code written in any specific language has far more of an impact on security than does the language itself.
That said, a couple of interesting ColdFusion specific notes:
- The research found far fewer instances of ColdFusion vulnerabilities than it did Java or ASP.NET, which makes perfect sense as there are far fewer ColdFusion servers and applications. That's definitely a Duh! finding.
- When looking at "vulnerabilities per slot" (I'd like to better understand how that is defined and measured) ColdFusion ranked best, almost on par with Perl.
- But when looking at SQL injection vulnerabilities, ColdFusion ranked worst. I'll go out on a limb here and suggest that this is probably a direct result of how easy ColdFusion makes database integration, and that simplicity often means that developers cut corners (or that less experienced developers end up writing production code).
- But most important to me was the finding "that languages that have been around for decades were actually able to keep pace with more modern languages when it came to remediation of some vulnerability classes". As an example, "SQL injection had a 96 percent remediation rate in ColdFusion applications, and every single abuse of functionality vulnerability found in ColdFusion sites was remediated."
Hat tip: Randy Burton.