Title :
Security of open source web applications
Author :
Walden, James ; Doyle, Maureen ; Welch, Grant A. ; Whelan, Michael
Author_Institution :
Dept. of Comput. Sci., Northern Kentucky Univ., Highland Heights, KY, USA
Abstract :
In an empirical study of fourteen widely used open source PHP Web applications, we found that the vulnerability density of the aggregate code base decreased from 8.88 to 3.30 vulnerabilities/KLOC between Summer 2006 and Summer 2008. Individual applications varied widely, with vulnerability densities ranging from 0 to 121.4 vulnerabilities/KLOC at the beginning of the study. While the total number of security problems decreased, vulnerability density increased in eight of the fourteen applications over the analysis period. We developed a security resources indicator metric, which we found to be strongly correlated (rho = 0.67, p < 0.05) with the change in vulnerability density over time. Traditional software metrics, such as code size, cyclomatic complexity, nesting complexity, and churn, had significant (p < 0.05) but much smaller correlations (rho = 0.31 at best) with vulnerability density. Vulnerability density was measured with the Fortify Source Code Analyzer static analysis tool.
Keywords :
Internet; security of data; software metrics; churn value; code size; cyclomatic complexity; Fortify Source Code Analyzer static analysis tool; nesting complexity; open source Web application security; security resources indicator metric; software metric; vulnerability density; Aggregates; Application software; Computer crime; Computer science; Computer security; Density measurement; Open source software; Software engineering; Software measurement; Software metrics;
Conference_Title :
Empirical Software Engineering and Measurement, 2009. ESEM 2009. 3rd International Symposium on
Conference_Location :
Lake Buena Vista, FL
Print_ISBN :
978-1-4244-4842-5
Electronic_ISBN :
1938-6451
DOI :
10.1109/ESEM.2009.5314215