12/8/2015 8:07:10 AM
86 Percent of PHP Based Applications Contain at Least One Cross-Site Scripting Vulnerability
App Developer Magazine

86 Percent of PHP Based Applications Contain at Least One Cross-Site Scripting Vulnerability

Stuart Parkerson Stuart Parkerson in HTML5 Tuesday, December 8, 2015

Veracode is reporting that its analytics show 86 percent of PHP-based applications contain at least one Cross-Site Scripting (XSS) vulnerability and 56 percent have at least one SQL injection (SQLi) when initially assessed by Veracode. The analysis is part of a supplement to Veracode’s “2015 State of Software Security: Focus on Application Development”, which is a report based on benchmarking analytics from its cloud-based platform. 

The report also indicates that four out of five applications written in PHP, Classic ASP and ColdFusion that were assessed by Veracode failed at least one of the OWASP Top 10 (an industry-standard security benchmark).

Veracode reports that these application vulnerability trends have also been seen across a wider family of web scripting languages, as applications written in Classic ASP and ColdFusion have are twice as likely to contain these flaws compared to more modern languages such as .NET and Java.

The 2015 report captures data collected over the past 18 months from more than 200,000 automated assessments performed for Veracode’s customers across a range of industries and geographies. Other findings provided in the report include 

- Design of the language matters for security: Some languages are designed to avoid certain vulnerability classes. For example, by removing the need for developers to directly allocate memory, Java and .NET eliminate almost entirely those vulnerabilities dealing with memory allocation (such as buffer overflows). Another example is the default behaviors of some ASP.NET controls, which avoid common issues related to Cross-Site Scripting.

- Operating environment of the language matters for security: Some vulnerabilities are only relevant in certain execution environments. For example, some categories of information leakage are more severe for mobile, which combines large volumes of personal data with a number of always-on networking capabilities.

- Mobile development project teams need to focus on encryption: Eighty-seven percent of Android apps and 80 percent of iOS apps contained cryptographic issues according to the report. Veracode suggests this indicates that, while mobile app developers may be aware of the need for cryptography to protect sensitive data and thus use it in their applications, few of them know how to implement it correctly. 

Read more: https://info.veracode.com/state-of-software-securi...

475 Tax Deductions for Businesses and Self-Employed Individuals

Are you paying more taxes than you have to as a developer or freelancer? The IRS is certainly not going to tell you about a deduction you failed to take, and your accountant is not likely to take the time to ask you about every deduction you’re entitled to. As former IRS Commissioner Mark Everson admitted, “If you don’t claim it, you don’t get it.

A hands-on guide to mastering mobile forensics for iOS and Android

Get hands-on experience in performing simple to complex mobile forensics techniques Retrieve and analyze data stored not only on mobile devices but also through the cloud and other connected mediums A practical guide to leveraging the power of mobile forensics on popular mobile platforms with lots of tips, tricks, and caveats.

The Latest Nerd Ranch Guide (3rd Edition) to Android Programming

Write and run code every step of the way, using Android Studio to create apps that integrate with other apps, download and display pictures from the web, play sounds, and more. Each chapter and app has been designed and tested to provide the knowledge and experience you need to get started in Android development.