Technology Stacks of Web Applications, 2020

Summary of Total Vulnerabilities

Developing a web application requires multiple decisions to be made at an early stage. One of those decisions is the technology stack. While, in many cases, it would boil down to a personal choice, the typical factors include developers experience, production cost and project time frame.

The operating cost of a production environment can increase significantly when one has to deal with frequent security fixes on both the application and the technology stack. In this article, I have summarized the number of security vulnerabilities in the popular technology stacks in the last 3 years, ie., 2017–2020.

CVEs on Technology Stacks, 2017–2020

Individual Components of the Stack

Some of the popular technology stacks are LAMP, LEMP and MEAN. They can be split into two parts, server stack and application stack. The common server stacks are, LA which stands for Linux and Apache HTTP server, and LE which stands for Linux and nginx (Engine X). The application stacks are MP which stands for Mysql/MariaDB with PHP/Perl/Python, MN which stands for MongoDB with Node.js. There are other stacks available such as Rails, LYCE and so on, which are out of scope of this article.

To summarize the vulnerabilities, we can either find the security fixes on individual components of the stack, or the security fixes that a stable linux distribution provides. In this article, we have chosen the former.

A summary of the individual components, their version and vulnerabilities in the last 3 years are as follows,

Component (Version)   CVEs   Source
Linux (4.9.1–.230)    90     Changelog
Apache HTTPd (2.4)    34     Changelog
Nginx (1.10+)         8      Changelog
MariaDB (10.2.6+)     81     CVE List
MongoDB (4.0)         4      Release Notes
PHP (7.2+)            57     Changelog
Python (3.6+)         14     Changelog
Node.js (8.x–10.x)    35     Changelog

The above numbers are likely the lower bound, and the actual number of CVEs could be higher. Additionally, there are several other dependencies that are integral part of the technology stack which can have vulnerabilities, such as OpenSSL. Hence, even if not all vulnerabilities are relevant, there will be a noticeable cost in keeping the production environment secure.

Conclusion

To summarize, the number of vulnerabilities by technology stack in the last 3 years is,

Stack   Components       CVEs
LAMP    Linux            262
        Apache HTTPd
        Maria DB
        PHP
LEMP    Linux            193
        Nginx
        Maria DB
        Python 
MEAN    Linux            137
        Nginx
        Mongo DB
        Node.js

One shouldn’t conclude based on the above numbers that one stack is more secure than the other. Given time, with sufficient development of the newer stacks, more and more vulnerabilities will likely be added and discovered.

Hence, it is important to keep the technology stack of web applications updated regularly. Additionally, all internal sites should be protected by one of several methods, such as VPN, authentication proxies or SSL client certificates as detailed in our article on server protection.

We provide a solution to protect internal sites, in an easier way, with 0th Root Secure Network — 0SNet. It uses TLS client certificate verification, along with authentication and authorization, for a triple layer security. It provides a certificate manager for seamless management of TLS certificates, a user manager for authentication and a role based access controls system for authorization.

Know more at, www.0snet.com