Building Bridges of Security, Sovereignty and Trust in Business and Industry 27th Edition | Page 15

Building Trust in the Security of Software
of good architectural and coding practice. Note that the security data reported in this section are based on more security weaknesses than are listed in ISO/IEC 5055:2021, since these analyses were performed before it was published and before commercial products had implemented its measures.
Table 4-1 presents descriptive statistics for security weaknesses per thousand lines of code (KLOC) for languages with at least 100 applications in Appmarq. The first row presents the number of applications for each language, and the second row presents the median size of these applications. Java represents two-fifths of the Appmarq sample. Applications in most languages averaged from 4 to 6 security weaknesses per KLOC. COBOL had a significantly lower mean number of security weaknesses than the other languages.
Since the COBOL programs in this sample were generally running on mainframes, they typically had lower exposure to the internet and therefore less opportunity for security weaknesses. The 90th percentile of security weaknesses per KLOC in each language was at least twice the mean. The security weaknesses per KLOC did not correlate with the size of the application in any of the languages.
Security        Java-EE    COBOL      .NET       ABAP
# of apps       994        511        417        135
Median KLOC     119,663    219,015    174,019    412,370
Minimum         0.00       0.00       0.00       0.00
Median          3.46       0.57       2.53       4.57
Mean            4.60       1.83       4.32       5.56
Std. Dev.       4.65       3.60       5.81       7.07
90th %-tile     10.33      4.98       9.54       8.97
Maximum         38.97      36.77      44.85      74.92

Table 4-1: Descriptive statistics for security weaknesses per KLOC by language.
Data collected at this level allow for interesting analyses of factors that may affect security. For instance, in Java-EE, COBOL, and .NET, where enough applications reported their development location, comparisons of security scores were made between software developed in-house versus outsourced and onshore versus offshore.
Table 4-2 indicates that the only significant difference (p < .05; n.s. = not significant) observed in applications across the three languages was between Java-EE applications developed onshore versus offshore. However, this difference accounted for a negligible 1% of the variation in security scores. In essence, there was little difference in the number of weaknesses per KLOC based on whether the software was developed onshore versus offshore or in-house versus outsourced.
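The two calculations behind Tables 4-1 and 4-2 are the per-language descriptive statistics of weakness density (weaknesses per KLOC) and a two-group comparison that reports both a p-value and the share of variation the group split explains. The following Python is an added example, not code from the report or from the Appmarq benchmark; every application, size and location in it is constructed for illustration, and the 198-per-group onshore/offshore series is deliberately shaped so that a small shift in mean density is statistically significant while explaining only a small share of the variance, which is the pattern the text describes for Java-EE.

```python
"""Weakness density (weaknesses per KLOC) statistics in the shape of Table 4-1,
plus a significance-versus-effect-size comparison in the shape of Table 4-2.
All data below is constructed for illustration; none of it comes from Appmarq."""
import math
import random
import statistics

# Constructed sample: (weakness count, size in KLOC, development location).
SAMPLE_APPS = [
    (120, 40, "onshore"), (300, 60, "onshore"), (90, 30, "onshore"),
    (500, 100, "onshore"), (42, 21, "onshore"),
    (210, 35, "offshore"), (640, 80, "offshore"), (150, 50, "offshore"),
    (330, 55, "offshore"), (72, 24, "offshore"),
]


def density_per_kloc(weaknesses, kloc):
    """Security weaknesses per thousand lines of code for one application."""
    if kloc <= 0:
        raise ValueError("application size must be positive")
    return weaknesses / kloc


def percentile(values, p):
    """p-th percentile with linear interpolation between sorted neighbours."""
    s = sorted(values)
    k = (len(s) - 1) * p / 100.0
    lo, hi = math.floor(k), math.ceil(k)
    return s[lo] + (s[hi] - s[lo]) * (k - lo)


def describe(densities):
    """One language's column of Table 4-1: count, min, median, mean, sd, p90, max."""
    return {
        "apps": len(densities),
        "minimum": min(densities),
        "median": statistics.median(densities),
        "mean": statistics.fmean(densities),
        "std_dev": statistics.stdev(densities),   # sample standard deviation
        "p90": percentile(densities, 90),
        "maximum": max(densities),
    }


def eta_squared(group_a, group_b):
    """Share of total variation in density explained by the group split
    (SS_between / SS_total); the kind of figure behind "1% of the variation"."""
    both = list(group_a) + list(group_b)
    grand = statistics.fmean(both)
    ss_between = sum(len(g) * (statistics.fmean(g) - grand) ** 2
                     for g in (group_a, group_b))
    ss_total = sum((x - grand) ** 2 for x in both)
    return ss_between / ss_total


def permutation_p_value(group_a, group_b, rounds=4000, seed=0):
    """Two-sided p-value for the difference in mean density, obtained by
    randomly relabelling applications; no distributional assumption needed."""
    observed = abs(statistics.fmean(group_a) - statistics.fmean(group_b))
    pooled = list(group_a) + list(group_b)
    n_a = len(group_a)
    rng = random.Random(seed)            # fixed seed keeps the run reproducible
    extreme = 0
    for _ in range(rounds):
        rng.shuffle(pooled)
        diff = abs(statistics.fmean(pooled[:n_a]) - statistics.fmean(pooled[n_a:]))
        if diff >= observed:
            extreme += 1
    return (extreme + 1) / (rounds + 1)  # add-one correction for Monte Carlo p


def location_groups(n_per_group=198, offset=0.7):
    """Constructed onshore/offshore densities: each group cycles through 1..9
    weaknesses per KLOC, offshore shifted up by `offset`. With this many
    applications the shift is significant yet explains under 2% of variance."""
    onshore = [1.0 + (i % 9) for i in range(n_per_group)]
    offshore = [d + offset for d in onshore]
    return onshore, offshore


if __name__ == "__main__":
    densities = [density_per_kloc(w, k) for w, k, _ in SAMPLE_APPS]
    for name, value in describe(densities).items():
        print(f"{name:>8}: {value:.2f}")
    onshore, offshore = location_groups()
    print(f"p-value: {permutation_p_value(onshore, offshore):.4f}")
    print(f"eta^2:   {eta_squared(onshore, offshore):.4f}")
```

Reading the two outputs together is the point: a permutation p-value well below .05 says the onshore/offshore difference is unlikely to be chance, while an eta-squared near 0.02 says the split explains almost none of the spread in weakness density, so sourcing location is a poor predictor of how many weaknesses a given application will carry.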
10 May 2025