This paper presents a field study on web security vulnerabilities from the programming language type system perspective. Security patches reported for a set of 11 widely used web applications written in strongly typed languages (Java, C#, VB.NET) were analyzed in order to understand the fault types that are responsible for the vulnerabilities observed (SQL injection and XSS). The results are analyzed and compared with a similar work on web applications written using a weakly typed language (PHP). This comparison points out that some of the types of defects that lead to vulnerabilities are programming language independent, while others are strongly related to the language used. Strongly typed languages do reduce the frequency of vulnerabilities, as expected, but there is still a considerable number of vulnerabilities observed in the field. The characterization of those vulnerabilities shows that they are caused by a small number of fault types. This result is relevant for training programmers and code inspectors in the manual detection of such faults, and for improving static code analyzers to automatically detect the most frequent vulnerable program structures found in the field. © 2009 IEEE.
CITATION STYLE
Seixas, N., Fonseca, J., Vieira, M., & Madeira, H. (2009). Looking at web security vulnerabilities from the programming language perspective: A field study. In Proceedings - International Symposium on Software Reliability Engineering, ISSRE (pp. 129–135). https://doi.org/10.1109/ISSRE.2009.30