Over the last 10 years, more than half of all the security bugs that were weaponized were for two application frameworks – Apache Struts and WordPress.

A recent study focused on analyzing all the vulnerabilities disclosed over the past decade resulted in quite an interesting discovery. [RiskSense] According to analysts, around 55% of all security vulnerabilities that have been discovered, weaponized, and exploited during this period were for only two major application frameworks – Apache Struts and WordPress.

The company conducting the study is risk analysis firm RiskSense. Its report also found that the Drupal content management system ranked as third on the list, with Ruby on Rails and Laravel following closely.

Advertisement
Continue reading below

Other concerning findings

When it comes to programming languages, the most vulnerabilities that were weaponized during the same period were found in PHP and Java apps.

The least weaponized bugs were found in Python and JavaScript, although the company estimates that this might change over the coming several years, as the languages are becoming increasingly popular.

They also noted that developers and users alike should keep a close eye on Node.js and Django, which are the two most commonly used application frameworks for JavaScript and Python ecosystems. Nofe.js was discovered to have around 56 vulnerabilities, which is higher than any other framework for JavaScript, while Django has 66, which is the highest for Python, although only one of them was weaponized per framework thus far.

However, while the weaponization itself still remains low, the number of vulnerabilities is quite high, which makes them both potentially dangerous. And it is only a matter of time before hackers start focusing more on them.

On the other hand, Perl and Ruby programming languages started seeing fewer and fewer weaponized vulnerabilities over the decade, as their popularity faded.

Researchers also paid attention to the vulnerability types, noting that cross-site scripting (XSS) bugs were the most common in the early 2010s but were not the most weaponized ones. The ones that were the most weaponized include injection-based flaws, which could allow hackers to inject their own commands into the systems.