DocumentCode :
3506533
Title :
An Empirical Study of the Evolution of PHP Web Application Security
Author :
Doyle, Maureen ; Walden, James
Author_Institution :
Dept. of Comput. Sci., Northern Kentucky Univ., Highland Heights, KY, USA
fYear :
2011
fDate :
21-21 Sept. 2011
Firstpage :
11
Lastpage :
20
Abstract :
Web applications are increasingly subject to mass attacks, with vulnerabilities found easily in both open source and commercial applications, as evinced by the fact that approximately half of reported vulnerabilities are found in web applications. In this paper, we perform an empirical investigation of the evolution of vulnerabilities in fourteen of the most widely used open source PHP web applications, finding that vulnerability densities declined from 28.12 to 19.96 vulnerabilities per thousand lines of code from 2006 to 2010. We also investigate whether complexity metrics or a security resources indicator (SRI) metric can be used to identify vulnerable web applications, showing that average cyclomatic complexity is an effective predictor of vulnerability for several applications, especially for those with low SRI scores.
Keywords :
Internet; security of data; PHP Web application security; average cyclomatic complexity; complexity metrics; mass attacks; security resources indicator metric; vulnerability densities; Aggregates; Complexity theory; Encyclopedias; Security; Software; Software measurement; code complexity; security metrics; software security; static analysis;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Security Measurements and Metrics (Metrisec), 2011 Third International Workshop on
Conference_Location :
Banff, AB
Print_ISBN :
978-1-4673-1245-5
Type :
conf
DOI :
10.1109/Metrisec.2011.18
Filename :
6165758