Conference Paper (PDF available)

Idea: Java vs. PHP: Security Implications of Language Choice for Web Applications


Abstract and Figures

While Java and PHP are two of the most popular languages for open source web applications found at freshmeat.net , Java has had a much better security reputation than PHP. In this paper, we examine whether that reputation is deserved. We studied whether the variation in vulnerability density is greater between languages or between different applications written in a single language by comparing eleven open source web applications written in Java with fourteen such applications written in PHP. To compare the languages, we created a Common Vulnerability Metric (CVM), which is the count of four vulnerability types common to both languages. Common Vulnerability Density (CVD) is CVM normalized by code size. We measured CVD for two revisions of each project, one from 2006 and the other from 2008. CVD values were higher for the aggregate PHP code base than the Java code base, but PHP had a better rate of improvement, with a decline from 6.25 to 2.36 vulnerabilities/KLOC compared to 1.15 to 0.63 in Java. These changes arose from an increase in code size in both languages and a decrease in vulnerabilities in PHP. The variation between projects was greater than the variation between languages, ranging from 0.52 to 14.39 for Java and 0.03 to 121.36 in PHP for 2006. We used security and software metrics to examine the sources of difference between projects.
... As can be seen from the plot (b), cross-site scripting, structured query language (SQL) injection, and cross-site request forgery (CSRF) account for over 80% ranking conforms with existing results [13]. These observations also agree with existing results about typical weaknesses in typical PHP applications [9,37]. In general, the plugin vulnerabilities observed are supposedly not that different from the vulnerabilities that have affected the core WordPress itself [38]. ...
... Because the demand-side viewpoint pursued does not relate to security per se, some inaccuracies can be also accepted. In a similar vein: vulnerability counts should not be used to judge the security of a software product [24,37], but these are appropriate for analyzing incentives to find vulnerabilities. ...
... Given the background of security folklore, also this tentative recommendation can be seen as counterintuitive. Further security-related considerations include vulnerability density in terms of software size [9,10], the availability of security documentation and associated resources [37], and many related commonsense aspects [3]. Of course, it may also be that security is not a factor in adoption decisions, as hinted by a recent industry study [22]. ...
Conference Paper
WordPress has long been the most popular content management system (CMS). This CMS powers millions and millions of websites. Although WordPress has had a particularly bad track record in terms of security, in recent years many of the well-known security risks have transmuted from the core WordPress to the numerous plugins and themes written for the CMS. Given this background, the paper analyzes known software vulnerabilities discovered from WordPress plugins. A demand-side viewpoint was used to motivate the analysis; the basic hypothesis is that plugins with large installation bases have been affected by multiple vulnerabilities. As the hypothesis also holds according to the empirical results, the paper contributes to the recent discussion about common security folklore. A few general insights are also provided about the relation between software vulnerabilities and software maintenance.
... For the construction of SIGAP, the following were considered: i) the information requirements of PROTOS and its partners; ii) the analysis carried out by Walden, Doyle, Lenhof, & Murray (2010), who perform a security evaluation of applications built using JAVA and PHP; iii) the ISO/IEC 9126 standard, which according to the author Cochea (2009) is oriented towards the quality in use of software and towards internal/external quality, considering aspects of functionality, reliability, usability, efficiency, maintainability and portability; iv) the IEEE 12207 standard, which establishes the guidelines for software quality assurance; v) the ISO 90003 standard, which refers to the design and implementation of quality management systems with a specialization in software development; and vi) the study of a development framework, which in this case was PHP. ...
... The result of the analysis of the JAVA and PHP languages carried out by (Walden, Doyle, Lenhof, & Murray, 2010) concluded that PHP has achieved a notable rate of improvement in recent years, as a product of the growth in code. Considering in addition the ISO/IEC 9126, IEEE 12207 and ISO 90003 standards, the CAKE PHP development framework was evaluated, which made it possible to speed up the development of the application, especially in obtaining the reports. ...
Conference Paper
Full-text available
Abstract: According to the International Labour Organization (ILO), the creation of new jobs will be insufficient relative to the growth of the economically active population; employment indices remain very low, since the world economy has not managed to generate enough jobs (ILO, 2018). In Ecuador, the adequate employment rate showed a statistically significant annual increase of 2.6 percentage points, reaching 41.1% in March 2018, according to data from INEC (Instituto Nacional de Estadísticas y Censos, 2018). Overcoming the current economic crisis forces us to think of new productive models, which must be based on knowledge and innovation; this approach is not new: Vannevar (1945) pointed out that "scientific research linked to technological development and to business is the main source of wealth, economic progress and competitiveness" (p. 4). Under the assumption that entrepreneurship contributes to increased employment and social development, and that technology-based ventures are credited with a greater potential for a country's economic growth (Oakey, 1995), it is crucial to find out whether there are differentiating factors in this entrepreneurial process. The aim of this work is to gather information, in an exploratory way, on the characteristics that distinguish a technological entrepreneur from a non-technological entrepreneur. The target group of this research will consist of people aged 18 to 60 who form part of the Economically Active Population (EAP) of the urban area of the canton of Cuenca and who have undertaken some kind of venture in the last four years.
... The security of most systems and networks depends on the security of the software running on them. Most of the attacks on these systems exploit vulnerabilities found in these software applications [Walden et al., 2010]. Security failures in software are common and growing [Chowdhury and Zulkernine, 2011]. ...
... Because many new projects do not have enough historical data to train prediction models, we can use models estimated from training data available on other projects. PHP web applications are the focus of this paper since PHP has a poor security reputation within the open-source community and in comparison to Java, more than twice as many open-source web applications are written in PHP [Walden et al., 2010]. Within-project vulnerability prediction is built from a part of a project and evaluated on the remainder of the project. ...
Article
Full-text available
Building secure software is challenging, time-consuming, and expensive. Software vulnerability prediction models that identify vulnerable software components are usually used to focus security efforts, with the aim of helping to reduce the time and effort needed to secure software. Existing vulnerability prediction models use process or product metrics and machine learning techniques to identify vulnerable software components. Cross-project vulnerability prediction plays a significant role in appraising the most likely vulnerable software components, specifically for new or inactive projects. Little effort has been spent to deliver clear guidelines on how to choose the training data for project vulnerability prediction. In this work, we present an empirical study aiming at clarifying how useful cross-project prediction techniques are in predicting software vulnerabilities. Our study employs the classification provided by different machine learning techniques to improve the detection of vulnerable components. We have elaborately compared the prediction performance of five well-known classifiers. The study is conducted on a publicly available dataset of several PHP open-source web applications in the context of cross-project vulnerability prediction, which represents one of the main challenges in the vulnerability prediction field.
... Comparing both languages, this paper analyzes that the interoperability support of JAVA is greater than PHP. JAVA takes more time to program, but it is a stable application, covers many security problems and gives better influences [5]. Strongly typed languages such as JAVA have expressed their ability to produce robust, easily maintainable applications, while lightweight languages such as PHP are critical to provide infrastructure for component-based applications [6]. ...
Article
Full-text available
Every organization wants to automate the manual system for moving and storing their data in particular format. A QEC department takes feedback of teacher evaluation manually from the students in the university that is somehow more difficult to maintain the record of a teacher, more cost-effective and fewer chances to generate an accurate and optimized report. The computerized system has been developed that generates an accurate and optimized report, easy to maintain the record of the teacher. Lots of possibilities are available to design and develop the application using different programming languages. We have developed a network-based JAVA application and web-based PHP application to automate the manual system of teacher evaluation. The GUI of the application contains 18 questions as per policy of HEC which will be answered by the students. After submitting the answers to questions to the server, an excel report will be ready to generate. Our primary focus is to measure the performance of the server of a network-based JAVA application and web-based PHP application. Both forms contain the same scenario, but here we have to find which form is more suitable and beneficent for an organization in terms of their server's performance parameters like average response time, throughput, and standard deviation and data transfer rate.
© 2018 International Journal of Advanced Computer Science and Applications.
... PHP as a language has suffered security reputation problems. PHP's security challenges were identified by [14]. These security vulnerabilities were contained in the earlier versions of the language and have been fixed in the newer version of the language [15]. However, it is down to the skill, productivity and experience of the programmer to avoid such security traps. ...
Article
Enterprise applications are now becoming pervasive in our today's world simply because of the high demand for them by industries, government agencies, companies, and individuals for the purpose of enhancing their mode of operations. Several enterprise applications have been developed by business enterprises through which their products would not only be made available on the internet, but also enable their prospective consumers to be able to follow some procedures to make their purchases online. Bespoke applications are increasingly becoming common these days; this ensures that organizational needs are met readily. This is normally achieved with the help of some technologies such as Java, PHP and a host of others. This paper presents an analysis of these technologies with a view to finding out the most appropriate technology for adoption in bespoke applications development. It was found that Java has more of a security edge over PHP and has a better language structure, although PHP is simpler to learn.
... This can be verified from the sampled large and widely used PHP applications in this review. However, it is important to also note that the area of security with regards to PHP applications has had rapid improvement and patching, as can be confirmed by [17]. With that being a very good indicator, more research has to be done on more innovative security implementations. Furthermore, the area of PHP application aging is one other area of research that can give even more information with regards to the evolution of PHP applications. ...
Article
Full-text available
This paper reviews some of the research work done in the evolution of PHP applications that have been around and are vastly used. PHP is currently one of the most popular programming languages, widely used in both the open source community and in industry to build large web-focused applications and application frameworks. This review looks at how PHP applications have evolved in terms of the use of libraries, the software maturity, adoption of the object-orientation paradigm, the evolution of complexity and security. The results suggest that these systems undergo systematic maintenance and evolution is helping the underlying programming language to grow.
... The security of most systems and networks depends on the security of the software running on them. Most of the attacks on these systems occur because of exploiting vulnerabilities found in these software applications [15]. Security failures in software are common and growing [3]. ...
Conference Paper
Full-text available
Building secure software is challenging, time-consuming, and expensive. Software vulnerability prediction models that identify vulnerable software components are usually used to focus security efforts, with the aim of helping to reduce the time and effort needed to secure software. Existing vulnerability prediction models use process or product metrics and machine learning techniques to identify vulnerable software components. Cross project vulnerability prediction plays a significant role in appraising the most likely vulnerable software components, specifically for new or inactive projects. Little effort has been spent to deliver clear guidelines on how to choose the training data for project vulnerability prediction. In this work, we present an empirical study aiming at clarifying how useful cross project prediction techniques are in predicting software vulnerabilities. Our study employs the classification provided by different machine learning techniques to improve the detection of vulnerable components. We have elaborately compared the prediction performance of five well-known classifiers. The study is conducted on a publicly available dataset of several PHP open source web applications and in the context of cross project vulnerability prediction, which represents one of the main challenges in the vulnerability prediction field.
Article
The integration of security aspects into software development is an open topic, especially in highly regulated industries where standards are accompanied by a high degree of complexity. The research question of this paper relates to the misconception of industry standards compliance and security in the field of software development. Cyber attackers are constantly inventing new tools to penetrate systems and exploit even the most minor flaws, and adherence to an industry standard is not a solution. In this study, an empirical investigation is conducted over a six-month period to observe various customer relationship management (CRM) systems. To analyze and anticipate the vulnerabilities of various CRMs, penetration testing methodologies and cross-project prediction approaches are employed. Classification using multiple machine learning approaches is utilized in the study to increase the discovery of vulnerable components in each CRM. The Student t-test is also used to assess if the mean values of the two CRM datasets are substantially different from each other in order to evaluate the efficacy of overall security and its features. The results show that security best practices during application development have a significant influence on applications created in regulated environments. The action research approach used to validate this study provided positive results and its feasibility in practice to optimize security throughout the application development. This study adds to the literature on information security management systems (ISMS) and best practices in application development in terms of creating and implementing opportunities based on broader information security management measures.
Article
Full-text available
This study presents a water purification plant that uses the waste cake from the process of oil extraction of Moringa oleifera seeds. The particularity of this purification plant is that it should be autonomous to work in isolated areas. To do so, the design counts on solar panels and batteries controlled by a Supervisory Control And Data Acquisition (SCADA) system. The main objective of this study is the design and automation of the purification power plant so it can be used either manually or remotely by means of a web server and a micro controller in charge of data collection and to proceed orders from and to the web platform. In pursue of a cost reduction, caused by the development and implementation of hardware and software, this project is conceived using open source systems. Additionally, the plant counts on an Energy Management System that should optimize the energy consumption of the control system and actuators. This system is designed in such a way that it can be used independently in isolated mode or connected to the grid in regions where local authority regulations allows the connection of energy storage systems to the grid.
Article
Full-text available
We examine the code base of the OpenBSD operating system to determine whether its security is increasing over time. We measure the rate at which new code has been introduced and the rate at which vulnerabilities have been reported over the last 7.5 years and fifteen versions. We learn that 61% of the lines of code in today's OpenBSD are foundational: they were introduced prior to the release of the initial version we studied and have not been altered since. We also learn that 62% of reported vulnerabilities were present when the study began and can also be considered to be foundational. We find strong statistical evidence of a decrease in the rate at which foundational vulnerabilities are being reported. However, this decrease is anything but brisk: foundational vulnerabilities have a median lifetime of at least 2.6 years. Finally, we examined the density of vulnerabilities in the code that was altered/introduced in each version. The densities ranged from 0 to 0.033 vulnerabilities reported per thousand lines of code. These densities will increase as more vulnerabilities are reported.
Conference Paper
Full-text available
In an empirical study of fourteen widely used open source PHP Web applications, we found that the vulnerability density of the aggregate code base decreased from 8.88 vulnerabilities/KLOC to 3.30 from Summer 2006 to Summer 2008. Individual web applications varied widely, with vulnerability densities ranging from 0 to 121.4 at the beginning of the study. While the total number of security problems decreased, vulnerability density increased in eight of the fourteen applications over the analysis period. We developed a security resources indicator metric, which we found to be strongly correlated (rho = 0.67, p < 0.05) with change in vulnerability density over time. Traditional software metrics, such as code size, cyclomatic complexity, nesting complexity, and churn, had significant (p < 0.05) but much smaller correlations (rho = 0.31 at best) with vulnerability density. Vulnerability density was measured using the Fortify Source Code Analyzer static analysis tool.
Conference Paper
Full-text available
Static analysis tools for software defect detection are becoming widely used in practice. However, there is little public information regarding the experimental evaluation of the accuracy and value of the warnings these tools report. In this paper, we discuss the warnings found by FindBugs, a static analysis tool that finds defects in Java programs. We discuss the kinds of warnings generated and the classification of warnings into false positives, trivial bugs and serious bugs. We also provide some insight into why static analysis tools often detect true but trivial bugs, and some information about defect warnings across the development lifetime of a software release. We report data on the defect warnings in Sun's Java 6 JRE, in Sun's Glassfish JEE server, and in portions of Google's Java codebase. Finally, we report on some experiences from incorporating static analysis into the software development process at Google. Categories and Subject Descriptors: F.3.2 (Semantics of Programming Languages): Program analysis; D.2.4 (Software/Program Verification): Reliability. General Terms: Experimentation, Reliability, Security.
Conference Paper
In an empirical study of 3241 Red Hat packages, we show that software vulnerabilities correlate with dependencies between packages. With formal concept analysis and statistical hypothesis testing, we identify dependencies that decrease the risk of vulnerabilities ("beauties") or increase the risk ("beasts"). Using support vector machines on dependency data, our prediction models successfully and consistently catch about two thirds of vulnerable packages (median recall of 0.65). When our models predict a package as vulnerable, it is correct more than eight times out of ten (median precision of 0.83). Our findings help developers to choose new dependencies wisely and make them aware of risky dependencies.
Article
Prediction of software defects works well within projects as long as there is a sufficient amount of data available to train any models. However, this is rarely the case for new software projects and for many companies. So far, only a few have studies focused on transferring prediction models from one project to another. In this paper, we study cross-project defect prediction models on a large scale. For 12 real-world applications, we ran 622 cross-project predictions. Our results indicate that cross-project prediction is a serious challenge, i.e., simply using models from projects in the same domain or with the same process does not lead to accurate predictions. To help software engineers choose models wisely, we identified factors that do influence the success of cross-project predictions. We also derived decision trees that can provide early estimates for precision, recall, and accuracy before a prediction is attempted.
Conference Paper
Software complexity is often hypothesized to be the enemy of software security. We performed statistical analysis on nine code complexity metrics from the JavaScript Engine in the Mozilla application framework to investigate if this hypothesis is true. Our initial results show that the nine complexity measures have weak correlation (ρ=0.30 at best) with security problems for Mozilla JavaScript Engine. The study should be replicated on more products with design and code-level metrics. It may be necessary to create new complexity metrics to embody the type of complexity that leads to security problems.
Conference Paper
Prediction of software defects works well within projects as long as there is a sufficient amount of data available to train any models. However, this is rarely the case for new software projects and for many companies. So far, only a few studies have focused on transferring prediction models from one project to another. In this paper, we study cross-project defect prediction models on a large scale. For 12 real-world applications, we ran 622 cross-project predictions. Our results indicate that cross-project prediction is a serious challenge, i.e., simply using models from projects in the same domain or with the same process does not lead to accurate predictions. To help software engineers choose models wisely, we identified factors that do influence the success of cross-project predictions. We also derived decision trees that can provide early estimates for precision, recall, and accuracy before a prediction is attempted. Categories and Subject Descriptors: D.2.8 (Software Engineering): Metrics—Performance measures, Process metrics, Product metrics; D.2.9 (Software Engineering): Management—Software quality assurance (SQA).
Conference Paper
What is it that makes software fail? In an empirical study of the post-release defect history of five Microsoft software systems, we found that failure-prone software entities are statistically correlated with code complexity measures. However, there is no single set of complexity metrics that could act as a universally best defect predictor. Using principal component analysis on the code metrics, we built regression models that accurately predict the likelihood of post-release defects for new entities. The approach can easily be generalized to arbitrary projects; in particular, predictors obtained from one project can also be significant for new, similar projects.
Conference Paper
Complexity is often hypothesized to be the enemy of software security. If this hypothesis is true, complexity metrics may be used to predict the locale of security problems and can be used to prioritize inspection and testing efforts. We performed statistical analysis on nine complexity metrics from the JavaScript Engine in the Mozilla application framework to find differences in code metrics between vulnerable and non-vulnerable code and to predict vulnerabilities. Our initial results show that complexity metrics can predict vulnerabilities at a low false positive rate, but at a high false negative rate.