A comparison between JAVA and PHP
Proceedings of the International C* Conference on Computer Science and Software Engineering
While Java and PHP are two of the most popular languages for open source web applications found at freshmeat.net, Java has had a much better security reputation than PHP. In this paper, we examine whether that reputation is deserved. We studied whether the variation in vulnerability density is greater between languages or between different applications written in a single language by comparing eleven open source web applications written in Java with fourteen such applications written in PHP. To compare the languages, we created a Common Vulnerability Metric (CVM), which is the count of four vulnerability types common to both languages. Common Vulnerability Density (CVD) is CVM normalized by code size. We measured CVD for two revisions of each project, one from 2006 and the other from 2008. CVD values were higher for the aggregate PHP code base than the Java code base, but PHP had a better rate of improvement, with a decline from 6.25 to 2.36 vulnerabilities/KLOC compared to 1.15 to 0.63 in Java. These changes arose from an increase in code size in both languages and a decrease in vulnerabilities in PHP. The variation between projects was greater than the variation between languages, ranging from 0.52 to 14.39 for Java and 0.03 to 121.36 in PHP for 2006. We used security and software metrics to examine the sources of difference between projects.
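The abstract defines two measures: CVM, a count restricted to the four vulnerability types shared by both languages, and CVD, that count divided by code size in KLOC, compared both per project and for each language's aggregate code base. The example below is an added illustration of how those measures are computed and why the aggregate-versus-per-project distinction matters; it is not the paper's code or data. The project names, the `Revision` record, the four type labels (`type_a` to `type_d`, standing in for the unnamed common types) and all counts are constructed for illustration only.

```python
"""Common Vulnerability Metric (CVM) and Common Vulnerability Density (CVD)
computed over a constructed data set. Not the paper's data or code."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Revision:
    project: str
    language: str
    year: int
    kloc: float               # thousand lines of code for this revision
    findings: Dict[str, int]  # vulnerability count per finding type


# Placeholder labels for the four types common to both languages; the
# abstract does not name them, so these are assumptions, not the paper's list.
COMMON_TYPES = ("type_a", "type_b", "type_c", "type_d")


def cvm(rev: Revision, common_types=COMMON_TYPES) -> int:
    """CVM counts only the common types; language-specific findings
    (e.g. a 'java_only' or 'php_only' bucket) are deliberately excluded
    so the two languages are measured on the same footing."""
    return sum(rev.findings.get(t, 0) for t in common_types)


def cvd(rev: Revision) -> float:
    """Per-project density in vulnerabilities per KLOC."""
    if rev.kloc <= 0:
        raise ValueError("code size must be positive")
    return cvm(rev) / rev.kloc


def aggregate_cvd(revs: Iterable[Revision]) -> float:
    """Aggregate density is total vulnerabilities over total KLOC for the
    whole code base, not the mean of per-project densities: a mean would let
    a tiny project with a handful of findings dominate the figure."""
    revs = list(revs)
    return sum(cvm(r) for r in revs) / sum(r.kloc for r in revs)


def cvd_range(revs: Iterable[Revision]) -> Tuple[float, float]:
    """Spread of per-project densities within one language and year."""
    values = [cvd(r) for r in revs]
    return min(values), max(values)


def by(revs: Iterable[Revision], language: str, year: int) -> List[Revision]:
    return [r for r in revs if r.language == language and r.year == year]


def improvement_ratio(revs, language: str, old=2006, new=2008) -> float:
    """Aggregate CVD in the later revision as a fraction of the earlier one;
    a smaller value means a steeper decline. Note that density can fall
    even when the finding count is flat, purely because the code base grew."""
    return aggregate_cvd(by(revs, language, new)) / aggregate_cvd(by(revs, language, old))


def projects_vary_more_than_languages(revs, year: int) -> bool:
    """The abstract's central comparison: is the within-language spread of
    project densities wider than the gap between the two aggregates?"""
    gap = abs(aggregate_cvd(by(revs, "PHP", year)) - aggregate_cvd(by(revs, "Java", year)))
    widest = max(hi - lo for lo, hi in (cvd_range(by(revs, lang, year)) for lang in ("Java", "PHP")))
    return widest > gap


# Constructed sample: three projects per language, two revisions each.
# Java's finding count stays at 115 while its code grows from 70 to 115 KLOC,
# so its density drops without any vulnerabilities being fixed.
DATA = [
    Revision("J1", "Java", 2006, 10.0, {"type_a": 3, "type_b": 2, "java_only": 4}),
    Revision("J2", "Java", 2006, 40.0, {"type_a": 50, "type_c": 30, "java_only": 9}),
    Revision("J3", "Java", 2006, 20.0, {"type_b": 20, "type_d": 10}),
    Revision("J1", "Java", 2008, 20.0, {"type_a": 4, "type_b": 3, "java_only": 1}),
    Revision("J2", "Java", 2008, 60.0, {"type_a": 50, "type_c": 30}),
    Revision("J3", "Java", 2008, 35.0, {"type_b": 18, "type_d": 10}),
    Revision("P1", "PHP", 2006, 5.0, {"type_a": 60, "type_b": 40, "php_only": 30}),
    Revision("P2", "PHP", 2006, 50.0, {"type_a": 6, "type_d": 4}),
    Revision("P3", "PHP", 2006, 25.0, {"type_a": 70, "type_c": 30, "php_only": 12}),
    Revision("P1", "PHP", 2008, 8.0, {"type_a": 25, "type_b": 15}),
    Revision("P2", "PHP", 2008, 60.0, {"type_a": 6, "type_d": 4}),
    Revision("P3", "PHP", 2008, 32.0, {"type_a": 70, "type_c": 30, "php_only": 5}),
]

if __name__ == "__main__":
    for lang in ("Java", "PHP"):
        for year in (2006, 2008):
            subset = by(DATA, lang, year)
            print(lang, year, "aggregate CVD %.2f" % aggregate_cvd(subset),
                  "per-project range %.2f-%.2f" % cvd_range(subset))
        print(lang, "2008/2006 ratio %.2f" % improvement_ratio(DATA, lang))
    print("projects vary more than languages (2006):",
          projects_vary_more_than_languages(DATA, 2006))
```

On this constructed data the PHP aggregate is higher in both years and PHP shows the steeper decline, yet the within-PHP spread (0.2 to 20 vulnerabilities/KLOC) dwarfs the gap between the two language aggregates, which is the same shape of result the abstract reports. When reproducing such a study, compute the aggregate as a sum-over-sum and report the per-project range alongside it; a mean of per-project densities is a different statistic and is not what "aggregate code base" density means.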