1 / 27

Security of Open Source Web Applications

Security of Open Source Web Applications. Maureen Doyle, James Walden Northern Kentucky University Students: Grant Welch, Michael Whelan Acknowledgements: Dhanuja Kasturiratna. Outline. Research Objective Evolution of Web App Security Security Resource Indicator Vulnerability Type Analysis

pia
Download Presentation

Security of Open Source Web Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security of Open Source Web Applications Maureen Doyle, James WaldenNorthern Kentucky University Students: Grant Welch, Michael Whelan Acknowledgements: Dhanuja Kasturiratna

  2. Outline • Research Objective • Evolution of Web App Security • Security Resource Indicator • Vulnerability Type Analysis • Code Metrics • Analysis Limitations • Conclusion University of Kentucky

  3. Research Objective Goal: Identify predictors for vulnerability density (VD) and change in VD for open source web applications. Research questions: • Can software security practices predict evolution of VD over time? • Can code size or complexity predict VD? • Can code change metrics predict VD? University of Kentucky

  4. Related Work Static Analysis • Nagappan and Ball, ICSE 2005a • Coverity Open Source Report 2009 • Fortify Open Source Security Study 2008 Complexity and Change Metrics • Nagappan and Ball, ICSE 2005b • Nagappan, Ball, and Zeller, ICSE 2006 • Shin and Williams, QoP 2008 University of Kentucky

  5. Measuring Vulnerabilities Reported Vulnerabilities in NVD or OSVD • Coarse-grained time evolution. • Difficult to correlate with revision. • Undercounts actual vulnerabilities. Dynamic Analysis • Expensive. • False positives and negatives. • Requires installation of application. Static Analysis • Expensive. • False positives and negatives. • Static Analysis Vulnerability Density = vulns/kloc. University of Kentucky

  6. Samples Selection process • PHP web applications from freshmeat.net. • Subversion repository with 100 weeks of revisions. Revisions • One revision selected per week for analysis. Range of projects • 14projectsmet selection criteria. • 5,800 to 388,000 lines of code (2008). • Removing highest & lowest, SLOC range of 25-150 kloc. University of Kentucky

  7. General Results Overall securityimprovement. • first week average: 8.88 vulns/kloc • final week average: 3.30 vulns/kloc Average SAVD highvs. Coverity’s 0.30 SAVD. • Language differences: C/C++ vs. PHP. • Vulnerability differences • buffer overflows vs XSS/SQL. No correlation with NVD vulnerabilities. • NVD correlated with freshmeat popularity. University of Kentucky

  8. Evolution of SAVD: 2006-2008 University of Kentucky

  9. Variation between Web Apps University of Kentucky

  10. Example: Addressing Security Issues University of Kentucky

  11. Security Resource Indicator Public security resources on project site • URL for installation or configuration security • Dedicated address to report security bugs • Database of known security vulnerabilities • Documentation of secure development practices Results • Correlation of r = 0.67 (p < 0.05) with D SAVD University of Kentucky

  12. Security Resource Indicator University of Kentucky

  13. Vulnerability Type Analysis 2006 2008 University of Kentucky

  14. Type Changes: 2006-2008 University of Kentucky

  15. Changes by Vulnerability Type University of Kentucky

  16. Severity Class Changes: 2006-2008 University of Kentucky

  17. 1 1. do loop 2. stmt 3. end loop 2 3 CC = E – N + 2 P = 3 – 3 + 2*1 Code Metrics Size measure • Source Lines of Code (SLOC) Complexity measures • Cyclomatic Complexity • Nesting Complexity • Maximum, average, total Change measures • Churn = lines added + changed • Lines deleted University of Kentucky

  18. Code Metrics (All releases) University of Kentucky

  19. Code Metrics (1st, Final release) University of Kentucky

  20. Analysis Limitations May not apply to apps that didn’t meet criteria • Non-PHP applications • No SVN repository with two years of history False positives • 18.1% rate from two sample applications • Coverity found a rate under 14% for their study SAVD will differ between static analysis tools University of Kentucky

  21. Conclusions OS PHP web app security improved: • 8.88 to 3.30 SAVD from 2008 to 2006. • But 8 of 14 apps increased SAVD over period. SRI can indicate which apps will improve. No single code metric is predictive for SAVD. • Complexity is an indicator for SAVD. • Churn is not an indicator for SAVD. University of Kentucky

  22. Future Work Why does app security vary so much? • Analyze security processes for each app. How do we validate SAVD measurement? • NVD count correlates with popularity. Java web applications • How does Java SAVD compare with PHP SAVD? • How do trends compare between Java and PHP? • More software metrics available for Java. University of Kentucky

  23. Extra Slides University of Kentucky

  24. SAVD vs Time and Size University of Kentucky

  25. SAVD vs. Nesting University of Kentucky

  26. SAVD vs. Churn University of Kentucky

  27. University of Kentucky

More Related