
Software Security Report Finds JavaScript Applications Have Fewer Flaws Than Java and .NET

Published on Feb 8, 2023

According to Veracode’s State of Software Security report for 2023, there is a 27% chance that security flaws will be introduced into an application within a given month. This chance is affected by a number of factors, including scan frequency, scanning method, developer education, and the language of the application. The report also found that JavaScript applications had fewer flaws, and resolved them more quickly, than Java and .NET applications.

The report reviewed all applications scanned within the Veracode platform. An important finding is that the choice of programming language affects the types, quantities, and resolutions of flaws. Although JavaScript applications still introduce flaws, they are generally resolved more quickly. As a result of this quicker resolution early in an application’s lifecycle, the resolution trend improves over time.

Four out of five Java and .NET applications have at least one flaw, compared to just over half of JavaScript applications. Furthermore, Java and .NET applications have nearly twice as many high-severity issues as JavaScript applications.

The report also discusses the top types of flaws discovered by the different scans within the platform. Static analysis found carriage return line feed (CRLF) injection at 64.8%, followed by cryptographic issues (59.8%) and information leakage (59.3%). According to the results of dynamic analysis scans, server configuration was the most common flaw, accounting for 96.5% of all flaws found.

In the projects analyzed, it was found that applications grow by approximately 40% per year regardless of their size at the beginning. Furthermore, flaw introduction tends to follow application growth, with some exceptions.

There is a 27% chance that a given application will introduce and discover one or more new vulnerabilities within a given month. Several findings in the report adjust this number upwards or downwards. The probability was 2% lower for organizations that scanned their applications via APIs. In the report's view, API scanning tends to be a more mature activity, and it is reasonable to assume that other things, such as access control to the pipeline, are in place.

As a result of developers completing training programs, the probability of new issues was reduced by 1.8%. In contrast, applications with a higher security debt, measured in flaw density per megabyte of code, were 2.2% more likely to introduce defects.

The report provides a number of recommendations to help reduce the remediation curve as quickly and as early as possible. The recommendations include prioritizing automation, providing developer security training, and establishing an application lifecycle management system. The primary objective of application lifecycle management is to make clear who owns the application, what purpose it serves, and when it should be retired.
