This article explores Volume 2 of a four-part report series. Read the first article here.
Last week, Sonar launched The State of Code, a report series that provides a look behind the curtain into the real-world state of software development. Today we’re releasing a second report focused on security issues in large codebases as a follow-up to our code reliability report.
This isn’t about hypotheticals. We analyzed a massive dataset from the last six months of 2024—encompassing more than 7.9 billion lines of code from over 970,000 developers—to identify the most common security issues developers encounter in their daily work.
Our analysis found about 1,200 security issues for every million lines of code. Sonar categorizes these issues into three main types to help developers prioritize their work. First, our Static Application Security Testing (SAST) engine finds vulnerabilities (issues that could be directly exploited by attackers and require immediate action) as well as security hotspots (sensitive areas of code that require a manual review to ensure they don't pose a threat). In addition to these security issues, our powerful secrets detection identifies hardcoded credentials like passwords, API keys, and tokens left in the source code.
This article dives into the most frequent security issues we uncovered, why they matter, and how to stop them before they ever reach production.
Top vulnerability: Log injection attacks
The most common security vulnerability we found relates to log injection attacks. This occurs when an application writes unsanitized user-supplied data directly into its logs.
While it may not result in a vulnerability with the application on its own, the primary danger of a log injection lies in its ability to deceive. For example, an attacker could try to log into a system with a username that includes special characters, like: Guest%0d%0aLogin Succeeded for user 'admin'. If the application doesn't sanitize this input, it will write the string to the log file. The special characters (%0d%0a) create a new line, resulting in a fake log entry that looks like a legitimate administrator login. This false trail can mask the attacker's actual activities, mislead security analysts during an investigation, and potentially allow a breach to go undetected for much longer.
- Why it's a problem: For developers, administrators, and security analysts, logs are a vital tool for debugging, monitoring, and investigating incidents. When an attacker can forge log entries, they can obscure their activities, frame innocent users, or cause the logs to become so corrupted they’re useless for troubleshooting. For leaders, this is a nightmare. It cripples incident response, blinds security teams, and allows attackers to operate undetected for longer periods, increasing the potential damage of a breach.
- How to fix it: The key is to never trust user-supplied data. Developers should always validate or sanitize data before writing it to logs. SonarQube makes this easy by automatically detecting log injection vulnerabilities as you code as part of its SAST capability. With real-time feedback in the IDE and quality gates integrated into your CI/CD pipeline, you can ensure that your code is handling data safely and that these vulnerabilities are caught and remedied long before they can be exploited.
Top hotspot: Cross-site scripting (XSS)
Another frequent vulnerability our analysis found involves reflected cross-site scripting (XSS) attacks. XSS happens when an application includes unsanitized user input in its HTTP responses, allowing an attacker to inject malicious scripts into the web page that is delivered to other users.
In 2018, British Airways suffered a major data breach when attackers compromised its website using an XSS attack. The malicious script was injected into the payment page, allowing the attackers to skim the credit card details of hundreds of thousands of customers.
- Why it's a problem: XSS attacks undermine the trust between a user and an application. Attackers can use them to steal session cookies, capture login credentials, deface websites, or redirect users to malicious sites. For developers, this represents a fundamental failure to secure the user experience. For business leaders, a successful XSS attack can lead to significant financial loss, regulatory fines, and severe reputational damage.
- How to fix it: To prevent an XSS attack, all user input must be encoded or sanitized before it is included in an HTTP response. SonarQube helps development teams build secure applications from the start by identifying XSS vulnerabilities in real time. By providing clear, actionable feedback within the development workflow, Sonar empowers developers to apply the latest security best practices and ensure their code is resilient against these common attacks.
Build a secure foundation for tomorrow
Understanding and addressing these common security pitfalls is about more than just checking boxes for compliance—it's about building a stable and trustworthy foundation for your applications. In an era where AI coding assistants are generating more code than ever, the quality and security of our existing codebases are paramount, as this code is the primary data used to train these powerful new tools.
These findings are just the beginning. Download The State of Code: Security report today to see:
- The top five security vulnerabilities and hotspots we found in nearly 8 billion lines of code
- A closer look at the most frequently found source code secrets
- Actionable solutions to help you eliminate these issues
Stay tuned for the next reports in our series, where we’ll explore the top maintainability pitfalls and language-specific challenges impacting codebases globally.