How Secure is your Web App? Open Source PHP Web Applications Security Review

Speaker: Professor Maureen Doyle, Northern Kentucky University

We will present the results of an empirical study of fourteen widely used open source PHP web applications. We found that the vulnerability density of the aggregate code base decreased from 8.88 vulnerabilities/KLOC to 3.30 from Summer 2006 to Summer 2008. Individual web applications varied widely, with vulnerability densities ranging from 0 to 121.4 at the beginning of the study. While the total number of security problems decreased, vulnerability density increased in eight of the fourteen applications over the analysis period. We developed a security resources indicator metric, which we found to be strongly correlated (rho = 0.67; p < 0.05) with change in vulnerability density over time. Traditional software metrics, such as code size, cyclomatic complexity, nesting complexity, and churn, had significant (p < 0.05) but much smaller correlations (rho = 0.31 at best) with vulnerability density. Vulnerability density was measured using the Fortify Source Code Analyzer static analysis tool.

(Joint work with James Walden)