An empirical study of the evolution of PHP web application security

Proceedings - 2011 3rd International Workshop on Security Measurements and Metrics, Metrisec 2011

Volumn , Issue , 2011, Pages 11-20

  Doyle, Maureen ^a   Walden, James ^a  

^a NORTHERN KENTUCKY UNIVERSITY   (United States)

Author keywords

code complexity; security metrics; software security; static analysis

Indexed keywords

NETWORK SECURITY; OPEN SOURCE SOFTWARE; OPEN SYSTEMS;

CODE COMPLEXITY; COMMERCIAL APPLICATIONS; COMPLEXITY METRICS; CYCLOMATIC COMPLEXITY; EMPIRICAL INVESTIGATION; PHP WEB APPLICATIONS; SECURITY METRICS; SOFTWARE SECURITY;

STATIC ANALYSIS;

EID: 84859046238     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/Metrisec.2011.18     Document Type: Conference Paper

References (25)

1. C. Bird et al., "The Promises and Perils of Mining Git,"pp.1-10, 2009 6th IEEE International Working Conference on Mining Software Repositories, 2009.
2. BuildBot, http://trac.buildbot.net/wiki/SuccessStories, accessed June 4, 2011.
3. I.Chowdhury and M.Zulkernine. 2011. Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities. J. Syst. Archit. 57, 3 (March 2011), 294-313.
4. S.M. Christey (CVE Editor), "Open Letter on the Interpretation of Vulnerability Statistics,"http://seclists.org/bugtraq/2006/Jan/0060.html, January 4, 2006.
5. S.M. Christey and R. A. Martin, http://www.cve.mitre.org/docs/vuln- trends/index.html, published May 22, 2007.
6. http://pear.php.net/package/PHP CodeSniffer/ accessed June 4, 2011.
7. Coverity, "Coverity Scan: 2010 Open Source Integrity Report," http://www.coverity.com/library/pdf/coverity-scan-2010-open-source-integrity- report.pdf, Nov 1, 2010.
8. http://cve.mitre.org/cve/editorial policies/cd abstraction.html, accessed June 4, 2011.
9. Fortify Security Research Group and Larry Suto, "Open Source Security Study," http://www.fortify.com/landing/oss/oss report.jsp, July 2008.
10. M. Gegick and L. Williams. 2007. "Toward the Use of Automated Static Analysis Alerts for Early Identification of Vulnerability- and Attack-prone Components." In Proceedings of the Second International Conference on Internet Monitoring and Protection (ICIMP '07). IEEE Computer Society, Washington, DC, USA.
11. M. Gegick, L. Williams, J. Osborne, and M. Vouk. 2008. Prioritizing software security fortification through code-level metrics. In Proceedings of the 4th ACM workshop on Quality of protection (QoP '08). ACM, New York, NY, USA, 31-38.
12. IBM Global Technology Services, "IBM Internet Security Systems X-Force 2010 Trend and Risk Report", http: //www-935.ibm.com/services/us/ iss/xforce/trendreports/, published March 2011.
13. F. Massacci, S. Neuhaus, and V. Nguyen. 2011. "After-life vulnerabilities: a study on firefox evolution, its vulnerabilities, and fixes." In Proceedings of the Third international conference on Engineering secure software and systems (ESSoS'11), Springer-Verlag, Berlin, Heidelberg, 195-208.
14. F.Rashid, "LizaMoon Mass SQL Injection Attack Points to Rogue AV Site," eWeek, http://www.eweek.com/c/a/Security/LizaMoon-Mass-SQL- Injection-Attack-Points-to-Rogue-AV-Site-852537/, March 29, 2011.
15. T.J. McCabe, "A Complexity Measure", IEEE Transactions on Software Engineering, 2(4), IEEE Press, New York, 1976, pp. 308-320.
16. G. McGraw, Software Security: Building Security In, Boston, NY, Addison-Wesley, 2006.
17. N. Nagappan and T. Ball, "Static analysis tools as early indicators of pre-release defect density", Proceedings of the 27th International Conference on Software Engineering, Association of Computing Machinery, New York, 2005, pp. 580 - 586.
18. N. Nagappan, T. Ball, and A. Zeller, "Mining Metrics to Predict Component Failures", Proceedings of the 28th International Conference on Software Engineering, Association of Computing Machinery, New York, 2006, pp. 452-461.
19. NVD, http://nvd.nist.gov/, accessed June 4, 2011.
20. OWASP, https://www.owasp.org/index.php/Top 10 2010-Main, accessed June 4, 2011.
21. G. Robles. "Replicating MSR: A Study of the Potential Replicability of Papers Published in the Mining Software Repositories Proceedings." In Proceedings of the Working Conference on Mining Software Repositories, 2010.
22. Y.Shin, A.Meneely, L.Williams, J.Osbourne, Evaluating Complexity, Code Churn, and Developer Activity Metrics as Indicators of Software Vulnerabilities, IEEE Transactions in Software Engineering, to appear, 2011.
23. J.Walden, M.Doyle, G.Welch, M.Whelan, "Security of Open Source Web Applications," Proc. International Workshop on Security Measurements and Metrics (MetriSec'09), Lake Buena Vista, Florida, Oct. 14, 2009.
24. Web Application Security Consortium, Web Application Hacking Incident Database, http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident- Database, accessed June 4, 2011.
25. D.A. Wheeler, http://www.dwheeler.com/sloccount/ accessed June 4, 2011.