Who's Had More Vulns Redux- PHP, Java, ColdFusion, ROR, or .NET?

Who's Had More Vulns Redux- PHP, Java, ColdFusion, ROR, or .NET?

Posted by Brad Wood
Aug 31, 2016 15:33:00 UTC

Adobe released some new security updates for ColdFusion 10 and 11 yesterday.  This brought with it the usual flurry of twitter activity from security-minded accounts who pounce on the opportunity to retweet every vuln report on the internet.  It's too bad no one takes this much effort to focus on positive news from other languages.  Among the landslide of tweets were also a few people poking at ColdFusion such as this person who went as far as to say businesses should scrap all use of Adobe products in general due to the number of vulnerabilities.

This prompted me to revisit a blog post I did almost 3 years ago that collected the number of CVEs (Common Vulnerabilities and Exposures) in several popular web technologies including ColdFusion.  In that post I compared Java, PHP, Tomcat, and ColdFusion CVEs reported on www.cvedetails.com since the year 2000 and found ColdFusion to have far fewer reported vulns per year than any of the other technologies.  In fact, Java and PHP really blew the doors off the chart with the number of vulnerabilities they've reported.  The overall point was, every major platform has vulns and the very reports of them show a company that is actively working to improve the platform.  Also, no one ever seems to make the same arguments about PHP or Java every time a new vuln comes out about how they're "so insecure" and people should stop using them.  

Since my last post stopped at 2014, I pulled up new data for reported CVEs and this time just did the previous 10 years-- so 2006-2016.  I also added in Ruby on Rails and .NET.  I realize they are really frameworks and not languages, but ROR is sort of synonymous with Ruby and the two projects just represent similar high-profile platforms that people have been using on the web for the last 10 years.  Note, I also grabbed the last 3 years of data from Oracle JRE and appended it on the previous data from the Sun JRE.  The vendor changed, but it's the same product.

Click to enlarge

Ok, so it's a bit more jumbled in there with more plots, and PHP/Java's giant spikes don't help since they blow the Y axis out of proportion.  Let's cover the main points:

  • Java reeled itself back in after it's little CVE bender in 2013.  I'm curious if that's related to Oracle taking the reigns
  • PHP and Java are still the kings of vulnerabilities by far, with almost one new one every week! (Java averaged 42/yr and PHP 58/yr)
  • Overall, the technologies I reported on have an average of 22 new CVEs every year.
  • ColdFusion has averaged 7 CVEs a year which is pretty good by comparison.  I certainly want CF to be above (below??) average. 
  • The only other tech stack in this list who did as good as CF was ROR.  They also averaged only 7 CVEs a year.
  • I don't think this data supports any notion of ColdFusion being a statistically less-secure technology.  
  • Note, 2016's data is not complete.  It reflects what's reported to date.  

And here's a table with some of the raw numbers:

  CF PHP Tomcat Java ROR .NET
2006 7 44 1 11 2 4
2007 6 116 17 20 2 4
2008 5 21 9 51 2 3
2009 5 22 8 44 4 10
2010 6 35 8 54 1 4
2011 14 37 14 57 12 6
2012 5 22 15 47 10 13
2013 13 13 4 131 18 17
2014 5 33 13 115 12 10
2015 4 28 3 80 2 20
2016 4 89 9 29 8 7
Total 74 460 101 639 73 98
Average 7 42 9 58 7 9


There are a list of 'disclaimers' and even some good comments on my original post from 2014.  I don't feel like re-stating them here, so you can click here and read them.  And finally, here's link to all the original data:




Great research Brad. Way to set the record straight!

Site Updates

Entry Comments

Entries Search