Impact of plugins on the security of web applications

  • Authors: James Walden, Maureen Doyle, Rob Lenhof, John Murray, Andrew Plunkett
  • Affiliation: Northern Kentucky University, Highland Heights, KY (all authors)
  • Venue: Proceedings of the 6th International Workshop on Security Measurements and Metrics
  • Year: 2010

Abstract

Many web applications have evolved into complex software ecosystems, consisting of a core maintained by a set of long-term developers and a range of plugins developed by third parties. The security of such applications depends as much on vulnerabilities found in plugins as it does on vulnerabilities in the application core. In this paper, we present a study of vulnerabilities in twelve open source web applications and 13,778 plugins for those applications. We used automated static analysis tools to count vulnerabilities. Plugins made up 93% of the aggregate code base of 10.2 MLOC and contained 92% of the 125,110 vulnerabilities found. Comparing the aggregate plugin source code of each project with its core code, we found that four projects had more secure core code than plugin code, as measured by vulnerability density (vulnerabilities per thousand lines of code), while eight projects had plugin code that was more secure than core code. Vulnerability density was significantly correlated with code size for both core code and plugins. We also analyzed the density of individual vulnerability categories, finding plugins to have many more cross-site vulnerabilities and fewer injection vulnerabilities than core code.
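The abstract's metrics (vulnerability density per KLOC, the aggregate code and vulnerability share of plugins, and the correlation between code size and density) are simple enough to reproduce from per-component counts. The following is an added example, not the paper's code or data: the `SAMPLE` table is constructed for illustration and bears no relation to the twelve projects or 13,778 plugins studied, and the function names are the example's own. Note that, as in the study, "vulnerabilities" here means static-analysis findings, which are warnings rather than confirmed exploitable defects.

```python
"""Vulnerability-density metrics of the kind used in the study above.

Added example with constructed data; not the paper's code or figures.
Each project maps to (lines_of_code, static_analysis_findings) for its
core and for the union of its plugins.
"""
from math import sqrt

# Constructed sample data (illustrative only).
SAMPLE = {
    "app_a": {"core": (120_000, 900),   "plugins": (950_000, 10_400)},
    "app_b": {"core": (80_000, 1_100),  "plugins": (400_000, 3_900)},
    "app_c": {"core": (300_000, 2_000), "plugins": (2_100_000, 22_000)},
    "app_d": {"core": (45_000, 500),    "plugins": (60_000, 450)},
}


def density(vulns, loc):
    """Vulnerability density: findings per thousand lines of code (KLOC)."""
    if loc <= 0:
        raise ValueError("lines of code must be positive")
    return vulns * 1000.0 / loc


def compare_core_vs_plugins(data):
    """Name the more secure side ('core' or 'plugins') of each project,
    i.e. the side with the lower vulnerability density."""
    verdict = {}
    for name, parts in data.items():
        core_d = density(parts["core"][1], parts["core"][0])
        plug_d = density(parts["plugins"][1], parts["plugins"][0])
        verdict[name] = "core" if core_d < plug_d else "plugins"
    return verdict


def aggregate_share(data, kind="plugins"):
    """Fraction of total LOC and of total findings contributed by `kind`
    across all projects (the abstract's 93% / 92% style figures)."""
    sides = ("core", "plugins")
    total_loc = sum(p[s][0] for p in data.values() for s in sides)
    total_vulns = sum(p[s][1] for p in data.values() for s in sides)
    kind_loc = sum(p[kind][0] for p in data.values())
    kind_vulns = sum(p[kind][1] for p in data.values())
    return kind_loc / total_loc, kind_vulns / total_vulns


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)


def size_density_correlation(data, kind):
    """Correlation between code size and vulnerability density for
    the core or the plugins across projects."""
    locs = [p[kind][0] for p in data.values()]
    dens = [density(p[kind][1], p[kind][0]) for p in data.values()]
    return pearson(locs, dens)


if __name__ == "__main__":
    for project, side in compare_core_vs_plugins(SAMPLE).items():
        print(f"{project}: more secure side = {side}")
    loc_share, vuln_share = aggregate_share(SAMPLE, "plugins")
    print(f"plugins: {loc_share:.1%} of code, {vuln_share:.1%} of findings")
    for kind in ("core", "plugins"):
        r = size_density_correlation(SAMPLE, kind)
        print(f"{kind}: corr(size, density) = {r:+.2f}")
```

The aggregate figures and the per-project comparison can disagree, which is why the study reports both: plugins can dominate the total finding count simply by being most of the code, while still having a lower density than the core in a given project.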