Security of open source web applications

Authors:
James Walden;Maureen Doyle;Grant A. Welch;Michael Whelan
Affiliations:
Department of Computer Science Northern Kentucky University, Highland Heights, KY 41099;Department of Computer Science Northern Kentucky University, Highland Heights, KY 41099;Department of Computer Science Northern Kentucky University, Highland Heights, KY 41099;Department of Computer Science Northern Kentucky University, Highland Heights, KY 41099
Venue:
ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
Year:
2009

Citing 10
Cited 5

Software Metrics: A Rigorous and Practical Approach

Software Metrics: A Rigorous and Practical Approach
Software Defect Reduction Top 10 List

Computer
Use of relative code churn measures to predict system defect density

Proceedings of the 27th international conference on Software engineering
Static analysis tools as early indicators of pre-release defect density

Proceedings of the 27th international conference on Software engineering
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Mining metrics to predict component failures

Proceedings of the 28th international conference on Software engineering
Milk or wine: does software security improve with age?

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
A Complexity Measure

IEEE Transactions on Software Engineering
An empirical model to predict security vulnerabilities using code complexity metrics

Proceedings of the Second ACM-IEEE international symposium on Empirical software engineering and measurement
Is complexity really the enemy of software security?

Proceedings of the 4th ACM workshop on Quality of protection

Impact of plugins on the security of web applications

Proceedings of the 6th International Workshop on Security Measurements and Metrics
Idea: java vs. PHP: security implications of language choice for web applications

ESSoS'10 Proceedings of the Second international conference on Engineering Secure Software and Systems
Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis

Proceedings of the 2013 International Conference on Software Engineering
Predicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns

Information and Software Technology
Automatic detection and correction of web application vulnerabilities using data mining to predict false positives

Proceedings of the 23rd international conference on World wide web

Quantified Score

Hi-index	0.00

Visualization

Abstract

In an empirical study of fourteen widely used open source PHP web applications, we found that the vulnerability density of the aggregate code base decreased from 8.88 vulnerabilities/KLOC to 3.30 from Summer 2006 to Summer 2008. Individual web applications varied widely, with vulnerability densities ranging from 0 to 121.4 at the beginning of the study. While the total number of security problems decreased, vulnerability density increased in eight of the fourteen applications over the analysis period. We developed a security resources indicator metric, which we found to be strongly correlated (ρ =0.67,p