An Informal Static Analysis of Publicly Available Source Code
Codescan Labs scanned over ten million lines of publicly available web software source code: some proprietary, some commercial, and some open source. All the source code tested appeared to have potential security issues warranting further investigation. The overall median was 0.48 potential security issues per thousand lines of code.
Test results varied widely within each programming language; developer skill was clearly a more important factor than choice of language. Legacy ASP source code had the highest median, with 2.5 potential security issues per thousand lines of code. PHP had a lower median number of potential vulnerabilities than .Net.
Early versions of web applications had more potential issues than later versions. Testing showed that applications based on early versions of open source CMS are at risk and should be upgraded to the latest versions. At the same time, many users continue to stick with older versions of applications such as Wordpress and Xoops.