ISSA Los Angeles Security Summit

Whenever beginning a new software project the inevitable choice must be made: what programming language(s) or development framework(s) should be used? While it would be nice to select “the most secure” software stack at the start of a project, the vast majority of the time this decision is made for completely different and perhaps even more important reasons. More than likely the software stack decision is basedupon parameters such as: what the development teams are most familiar with; what the current market momentum is around the latest and greatest technology; what will generate code the fastest and maintained
the cheapest; the available talent pool as the project grows; and of course, whatever gets the job done. Everything is considered ahead of security.
 
In this presentation we put this area of application security understanding to the test by measuring how various Web programming languages and development frameworks actually perform ‹ ON THE WEB! To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that the most popular modern languages and frameworks yield similar results in production websites?
 
By analyzing the vulnerability assessment results of more than 30,000 websites under management with WhiteHat Sentinel, we begin to answer at least some of these questions. These answers may enable the application security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas; software vendors may focus on areas that are found to be lacking; and, developers can increase their 
familiarity with the strength and weaknesses of their technology stack.