Veracode has published a new "State of Software Security" report, which confirms what many developers and security experts have long suspected: some programming languages are more susceptible to certain security vulnerabilities than others. For example, C/C++ applications are more likely to have buffer overflow problems. In fact, 48 percent of C/C++ applications submitted to Veracode for analysis had buffer overflow flaws, compared to just 1 percent of .NET applications.
Veracode's Chris Eng explained, "Languages such as C/C++ are not type safe languages.... In C/C++, the programmer has to keep track of the type and space with no help from the language or compiler, allowing flaws to creep into the software. Languages such as .Net are type safe, so you will see a much lower occurrence of buffer overflow flaws."
The report also found that SQL injection flaws varied by programming language. For example, 72 percent of ColdFusions applications had SQL injection vulnerabilities, compared to 31 percent of Java applications and 27 percent of PHP applications.