Learnings from Sqreen’s State of App Sec report: PHP apps are 3x more likely to be exploited

With each passing year, we move more and more aspects of our lives online. The line between the online and the offline is becoming thinner and thinner as time goes by. In this scenario, saying that digital security matters is as true as it is obvious. Getting application security wrong can have dramatic consequences for organizations and individuals. That’s the dilemma of security: it’s both incredibly important to get right and amazingly easy to get wrong. 

And people do get it wrong. A lot. 

Because of that, initiatives to educate developers and other IT professionals on security topics are essential. And education starts with understanding the state of security today, which is why Sqreen put together the industry’s first State of Application Security Report using actual exploit attempts at runtime. 

To produce the report, Sqreen looked at real, anonymized runtime data to obtain insights about the most common security exploits. The report covers findings from apps written in several different programming languages. This post summarizes the findings from the report that relate to a single language: PHP. 

We’ll begin by covering Sqreen’s State of App Sec Report. You’ll learn more about the report, the reasons behind its creation, and how it was produced. After that, you’ll reach the main part of the post, where we’ll share the report’s main learnings. Though some of the findings you’ll learn about relate to all analyzed applications, most of them concern PHP only. Finally, we’ll share some advice on how you can protect your PHP apps from the vulnerabilities discussed. 

Let’s get to it! 

State of Application Security report from Sqreen: A brief overview

Before we move on to the PHP-specific parts of the post, let’s take a brief diversion to discuss the State of App Sec report itself. Why and how was it created? And how does it differ from other security reporting initiatives? 

What is the State of Application Security report?

The 2020 State of Application Security Report is the first security report by Sqreen. Sqreen analyzed many real security exploits over a wide array of programming languages and frameworks. Sqreen used this data to obtain insights about the most common security threats to web applications and the scenarios most susceptible to them. 

The State of Application Security Report differs from other available security reports in that it draws from real user data, in the form of actual security exploits across a variety of applications written in many different programming languages. 

By relying on real data instead of self-reported data, Sqreen’s report gives readers a true look into the current state of application security. 

Why did Sqreen create this report?

As we mentioned earlier, security matters today more than ever before. By creating and releasing the report, Sqreen means to contribute to the never-ending journey of improving application security. By reading the report, teams and organizations will finally know the main security problems their tech stacks are most vulnerable to. 

Learning from a report backed by real data gives organizations the knowledge and confidence they need to make informed decisions when planning and implementing security strategies. Knowing the most important security threats they might suffer from helps them prioritize and allocate their resources in the most efficient way possible. 

How was the report created?

Between June 2018 and July 2020, Sqreen analyzed anonymized data from real customer environments. What did they find? A staggering number of 6,184 security incidents. These events attempted to exploit serious security vulnerabilities across almost 4,000 apps created by organizations of all sizes. 

What can we learn about PHP applications (and general security) from the report?

The report analyzed apps written in PHP, Ruby, Python, Java, and Node.js. It found that across those five languages, 9% of all apps suffered a severe exploit. This number is bad enough by itself. However, when it comes to PHP specifically, things get worse. 

The report found that almost 20% of applications written in PHP suffered at least an attempted exploit. For apps written in other languages, the average fluctuated around 7%. In other words, according to the report’s findings, PHP apps were almost three times as likely to be exploited as apps written in other languages. 

Why is that the case? What makes PHP apps more vulnerable? Is it something intrinsic to the language, or are there other reasons? 

PHP as a language has attracted a lot of criticism over the years. To be fair, some of it was deserved, but the language has come a long way since then. Nowadays, if you use the most up-to-date versions of the language and always follow the main security best practices, you’re not intrinsically at more risk than developers using other languages. 

So, what’s the reason behind PHP applications being disproportionately more exploited? 

Well, as it turns out, there are plenty of people who neither use the latest PHP version nor follow security best practices. So, legacy PHP code is probably the main reason behind PHP being the most exploited language. As applications get older, they often don’t receive the most recent security updates, making them easier targets for malicious individuals. Also, applications written before the use of PHP frameworks became widespread might have been written without security best practices and conventions in mind. 

What should you do to secure your PHP apps? Here are a few suggestions: 

  • Incorporate security into your software development pipeline.
  • Review third-party code, especially vulnerable open-source dependencies.
  • Learn about and leverage approaches that can protect your application against attacks across multiple layers.

If you want to learn more, check out Sqreen’s PHP security checklist.

PHP security: Don’t let it be an afterthought

When talking about digital security, it’s hard to find words that accurately describe its importance. Words like “crucial,” “vital,” and “essential,” despite being good candidates, don’t seem to translate how critical online security really is. 

Why is that the case? Well, as time goes by, the online and offline aspects of our lives seem to get closer and closer. It looks like we’re getting near the point where the distinction won’t matter—or even exist—at all. When we reach that point, phrases like “online security” or “digital security” will sound anachronistic to our ears. In the (maybe not so distant) future, all security will be digital security. 

Developers and security people both have a role to play in this transition. And that role is simple, though not necessarily easy: developers have to get good at security, and security people have to help them. You have to not only educate yourself on the topic but help your coworkers get educated as well. 

Luckily, after reading this post, you’re off to a great start. You’ve learned about security vulnerabilities in PHP and what you can do to protect your applications from them. 

If you want to learn more, read the complete report or check out our post on the Sqreen State of App Sec Report Key Takeaways Blog. Thanks for reading, and until next time! 


This post was written by Carlos Schults. Carlos is a .NET software developer with experience in both desktop and web development, and he’s now trying his hand at mobile. He has a passion for writing clean and concise code, and he’s interested in practices that help you improve app health, such as code review, automated testing, and continuous build.
