Who's Had More Vulns Redux- PHP, Java, ColdFusion, ROR, or .NET?
Adobe released some new security updates for ColdFusion 10 and 11 yesterday. This brought with it the usual flurry of twitter activity from security-minded accounts who pounce on the opportunity to retweet every vuln report on the internet. It's too bad no one takes this much effort to focus on positive news from other languages. Among the landslide of tweets were also a few people poking at ColdFusion such as this person who went as far as to say businesses should scrap all use of Adobe products in general due to the number of vulnerabilities.
What to say about Adobe products? Don’t used in your business. #cybersecurity first. Secure your #IT.Tons of #vulnhttps://t.co/dQzmFkYIBi— Rainer Arencibia (@rainer85ah) August 31, 2016
This prompted me to revisit a blog post I did almost 3 years ago that collected the number of CVEs (Common Vulnerabilities and Exposures) in several popular web technologies including ColdFusion. In that post I compared Java, PHP, Tomcat, and ColdFusion CVEs reported on www.cvedetails.com since the year 2000 and found ColdFusion to have far fewer reported vulns per year than any of the other technologies. In fact, Java and PHP really blew the doors off the chart with the number of vulnerabilities they've reported. The overall point was, every major platform has vulns and the very reports of them show a company that is actively working to improve the platform. Also, no one ever seems to make the same arguments about PHP or Java every time a new vuln comes out about how they're "so insecure" and people should stop using them.
Since my last post stopped at 2014, I pulled up new data for reported CVEs and this time just did the previous 10 years-- so 2006-2016. I also added in Ruby on Rails and .NET. I realize they are really frameworks and not languages, but ROR is sort of synonymous with Ruby and the two projects just represent similar high-profile platforms that people have been using on the web for the last 10 years. Note, I also grabbed the last 3 years of data from Oracle JRE and appended it on the previous data from the Sun JRE. The vendor changed, but it's the same product.
Ok, so it's a bit more jumbled in there with more plots, and PHP/Java's giant spikes don't help since they blow the Y axis out of proportion. Let's cover the main points:
- Java reeled itself back in after it's little CVE bender in 2013. I'm curious if that's related to Oracle taking the reigns
- PHP and Java are still the kings of vulnerabilities by far, with almost one new one every week! (Java averaged 42/yr and PHP 58/yr)
- Overall, the technologies I reported on have an average of 22 new CVEs every year.
- ColdFusion has averaged 7 CVEs a year which is pretty good by comparison. I certainly want CF to be above (below??) average.
- The only other tech stack in this list who did as good as CF was ROR. They also averaged only 7 CVEs a year.
- I don't think this data supports any notion of ColdFusion being a statistically less-secure technology.
- Note, 2016's data is not complete. It reflects what's reported to date.
And here's a table with some of the raw numbers:
There are a list of 'disclaimers' and even some good comments on my original post from 2014. I don't feel like re-stating them here, so you can click here and read them. And finally, here's link to all the original data:
Great research Brad. Way to set the record straight!