A recent report from app security firm Veracode shows that some programming languages used to create software for the web are much less secure than others. The report, entitled “State of Software Security: Focus on Application Development”, ranks the languages most commonly used to create applications that run on web servers and in web browsers by the number of security flaws found per megabyte of source code. The most vulnerable languages were found to be classic ASP, ColdFusion, and PHP. Of these, PHP is, by far, the most popular.
The study examined hundreds of thousands of web applications over a year and a half. PHP code showed 184 flaws per MB of source code. In comparison, classic ASP had almost ten times as many flaws, which is likely the biggest reason why very few people use classic ASP to develop web applications anymore. The more modern version of ASP, called ASP.NET, exhibited only 32 flaws per MB of code.
PHP’s woes are troublesome. Over 81% of applications that run on web servers were written in PHP. And yet, PHP is extremely risky. A summary of the data shows that 86% of PHP applications are vulnerable to a cross-site scripting attack, in which content injected into one web page can load content from another, potentially malicious, website. And 56% of PHP applications can be compromised through an SQL injection attack, the most popular, easiest, and potentially most damaging kind of attack against database-driven websites. In an SQL injection attack, a hacker enters oddly crafted commands into a web form that force a database to report far more data than it should, or even to modify or delete its data. When customers’ charge card or other private information is stolen from a website, SQL injection is the most likely vehicle.
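The two flaw classes the report attributes to PHP applications are easiest to understand side by side with the controls that remove them. The following is an added example written for this article, not code from Veracode or from any application in the study; the `users` table, its columns, and the use of an in-memory SQLite database through PDO (which assumes the `pdo_sqlite` extension is loaded) are constructed for the demonstration. Each function is shown in a vulnerable form beside its hardened form, so the difference is visible in the output.

```php
<?php
// Added example (not from the Veracode report or the article above).
// Assumptions: a `users` table with `id`, `username`, `email` columns,
// and a PDO handle to an in-memory SQLite database created below.

// ---------- SQL injection ----------

// VULNERABLE: user input is concatenated straight into the query text, so a
// quote character in the input ends the string literal and the rest of the
// input is parsed as SQL. This is the pattern behind "report far more data
// than it should".
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT id, email FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: a prepared statement sends the query text and the bound value
// to the database separately, so the input is only ever treated as data.
// This is the kind of control that drops into existing code with a
// two-line change and no change in behaviour for well-formed input.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ---------- Cross-site scripting ----------

// VULNERABLE: input is echoed into the page unescaped, so any HTML or
// script it contains is rendered and executed by every visitor's browser.
function renderSearchVulnerable(string $term): string
{
    return '<p>Results for: ' . $term . '</p>';
}

// HARDENED: escape at the point where the value enters an HTML context.
// ENT_QUOTES also escapes quotes so the value is safe inside attributes;
// the explicit charset prevents multibyte encoding tricks from bypassing
// the escaping.
function renderSearchSafe(string $term): string
{
    return '<p>Results for: '
        . htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// ---------- Demonstration on constructed sample data ----------

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (username, email) VALUES "
    . "('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// A probe that is not a real username: it contains a quote followed by a
// condition that is always true. The vulnerable function returns the whole
// table; the prepared statement finds no such user.
$probe = "' OR '1'='1";
printf("vulnerable query rows:   %d\n", count(findUserVulnerable($pdo, $probe)));
printf("prepared statement rows: %d\n", count(findUserSafe($pdo, $probe)));

// A search term carrying a script tag. The vulnerable renderer passes it to
// the browser intact; the hardened one turns it into harmless text.
$term = '<script>alert(1)</script>';
echo renderSearchVulnerable($term), "\n";
echo renderSearchSafe($term), "\n";
```

Run it with `php example.php`. The point worth noticing for a code base that cannot be rewritten is that neither fix changes the function's signature or its behaviour for legitimate input: the prepared statement and the output escaping are local edits, which is what makes them practical to retrofit across a large existing PHP application, one query and one echo at a time.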
So why does anyone still use PHP? First, it’s easy. Whereas it takes some time to learn a framework such as Ruby on Rails or Django for Python, PHP gives programmers very direct access to both the web page the PHP program populates and the database that is supposed to supply the page’s content. And there are hundreds of thousands of PHP applications that websites use to provide their visitors with dynamic content, including every site built on a WordPress blog. It would take a really long time and a lot of money to rewrite these. So, PHP lives on and will likely remain the dominant player on the Internet for at least the next decade. Unless there is a concerted effort to add more effective security controls to PHP that are convenient enough for developers to introduce into existing code with little effort and minimal chance of breaking functionality – a very, very tall, if not impossible, order – we’ll continue to experience high-profile data heists for the foreseeable future.