Open Access
Subscription Access
Open Access
Subscription Access
Are Open Source Web Applications Secure? Static Analysis Findings
Subscribe/Renew Journal
Open source web applications are really taking over major businesses. The main inspiration claimed for these applications are security, popularity, and availability. In this work, Static analysis of the source code of multiple open-source web applications is performed in order to investigate the security vulnerabilities of these applications. The applications and static analysis tools are selected from open source community based on defined criteria of a number of downloads per week and user reviews. The results achieved are validated through both manual and automated inspections. It was found that most of the open source applications suffer from security issues and common vulnerabilities such as Cross-Site Scripting (XSS), access-modifiers and HTTP response splitting. After a detailed analysis of the results of different open source applications, the ischolar_main causes identified were lack of programming experience, usage of customized programming constructs, instead of built-in constructs and lack of coding standards.
Keywords
Open Source, Security, Vulnerabilities, Web Applications.
Subscription
Login to verify subscription
User
Font Size
Information
- A. Deshpande, and D. Riehle, “The total growth of open source,” in Open Source Development Communities and Quality, vol. 275, no. December 2006, pp. 197-209, 2008.
- J. Wal, M. Doyle, G. A. Welch, and M. Whelan, “Security of open source web applications,” in 2009 3rd International Symposium on Empirical Software Engineering and Measurement, pp. 545-553, 2009.
- A. Masood, and J. Java, “Static analysis for web service security - Tools & techniques for a secure development life cycle,” in 2015 IEEE International Symposium on Technologies for Homeland Security (HST), pp. 1-6, 2015.
- D. A. Wheeler, and S. Khakimov, “Open source software projects needing security investments,” Institute for Defense Analyses, Alexandria, Virginia, 2015.
- A. Aurum, H. Petersson, and C. Wohlin, “State-of-the-art: Software inspections after 25 years,” Software Testing, Verification and Reliability, vol. 12, no. 3, pp. 133-154, September 2002.
- M. Christodorescu, “Static analysis of executables to detect malicious patterns,” 2006.
- A. Moser, C. Kruegel, and E. Kirda, “Limits of static analysis for malware detection,” Proc. - Annu. Comput. Secur. Appl. Conf. ACSAC, pp. 421-430, 2007.
- P. Emanuelsson, and U. Nilsson, “A comparative study of industrial static analysis tools,” Electronic Notes in Theoretical Computer Science, vol. 217, no. C, pp. 5-21, 2008.
- I. Elkhalifa, and B. Ilyas, “Static code analysis: A systematic literature review and an industrial survey,” Blekinge Institute of Technology, Karlskrona, Sweden, 2016.
- V. B. Livshits, and M. S. Lam, “Finding security vulnerabilities in Java applications with static analysis,” 2005.
- B. Chess, and G. McGraw, “Static analysis for security,” IEEE Security and Privacy, vol. 2, no. 6, pp. 76-79, 2004.
- A. Austin, and L. Williams, “One technique is not enough: A comparison of vulnerability discovery techniques,” Proc. 2011 Int. Symp. Empir. Softw. Eng. Meas., pp. 97-106, September 2011.
- J. Park, I. Lim, and S. Ryu, “Battles with false positives in static analysis of JavaScript web applications in the wild,” in Proceedings of the 38th International Conference on Software Engineering Companion (ICSE ’16), pp. 61-70, 2016.
- C. Dimastrogiovanni, and N. Laranjeiro, “Towards understanding the value of false positives in static code analysis,” in 2016 Seventh Latin-American Symposium on Dependable Computing (LADC), pp. 119-122, 2016.
- J. Walden, and M. Doyle, “SAVI: Static-Analysis Vulnerability Indicator,” IEEE Security and Privacy, vol. 10, no. 3, pp. 32-39, May 2012.
- M. Gegick, L. Williams, J. Osborne, and M. Vouk, “Prioritizing software security fortification throughcode-level metrics,” in Proceedings of the 4th ACM Workshop on Quality of Protection (QoP’08), p. 31, 2008.
- Gegick, and M. Charles, “Predicting attack-prone components with source code static analyzers,” 2009.
- J. Zheng, L. Williams, N. Nagappan, W. Snipes, J. P. Hudepohl, and M. A. Vouk, “On the value of static analysis for fault detection in software,” IEEE Transactions on Software Engineering, vol. 32, no. 4, pp. 240-253, April 2006.
- N. Ayewah, and W. Pugh, “The Google FindBugs fixit,” in Proceedings of the 19th International Symposium on Software Testing and Analysis (ISSTA’10), 2010.
- F. Rahman, S. Khatri, E. T. Barr, and P. Devanbu, “Comparing static bug finders and statistical prediction,” in Proceedings of the 36th International Conference on Software Engineering (ICSE’14), pp. 424-434, 2014.
- D. Baca, B. Carlsson, K. Petersen, and L. Lundberg, “Improving software security with static automated code analysis in an industry setting,” Software Practice and Experience, vol. 43, no. 3, pp. 259-279, March 2013.
- A. Austin, C. Holmgreen, and L. Williams, “A comparison of the efficiency and effectiveness of vulnerability discovery techniques,” Information and Software Technology, vol. 55, no. 7, pp. 1279-1288, July 2013.
- M. Ivarsson, and T. Gorschek, “A method for evaluating rigor and industrial relevance of technology evaluations,” Empirical Software Engineering, vol. 16, no. 3, pp. 365-395, June 2011.
- M. Andreasen, H. Nielsen, S. Schrøder, and J. Stage, “Usability in open source software development: Opinions and practice,” Information Technology and Control, vol. 35A, no. 3, pp. 303-312, 2006.
- D. A. Wheeler, “Why Open Source Software _ Free Software (OSS_FS, FOSS, or FLOSS) Look at the Numbers!,” 2007.
- N. Ayewah, D. Hovemeyer, J. D. Morgenthaler, J. Penix, and W. Pugh, “Using static analysis to find bugs,” IEEE Software, vol. 25, no. 5, pp. 22-29, 2008.
- B. Johnson, Y. Song, E. Murphy-Hill, and R. Bowdidge, “Why don’t software developers use static analysis tools to find bugs?,” Proc. 2013 Int. Conf. Softw. Eng., pp. 672-681, 2013.
- N. Ayewah, W. Pugh, J. D. Morgenthaler, J. Penix, and Y. Zhou, “Evaluating static analysis defect warnings on production software,” Proc. 7th ACM SIGPLAN-SIGSOFT Work. Progr. Anal. Softw. Tools Eng., pp. 1-8, 2007.
- H. Khalid, M. Nagappan, and A. E. Hassan, “Examining the relationship between findbugs warnings and end user ratings: A case study on 10,000 Android apps,” pp. 1-5, (n.d.).
- A. Al Mamun, A. Khanam, H. Grahn, and R. Feldt, “Comparing four static analysis tools for Java concurrency bugs,” Third Swedish Work. Multi-Core Comput. (MCC’10), 2010.
- N. Rutar, C. B. Almazan, and J. S. Foster, “A comparison of bug finding tools for Java,” 15th Int. Symp. Softw. Reliab. Eng., pp. 245-256, 2004.
- S. Kim and M. D. Ernst, “Which warnings should I fix first?,” in Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC-FSE’07), p. 45, 2007.
- C. Flanagan, K. R. M. Leino, M. Lillibridge, G. Nelson, J. B. Saxe, and R. Stata, “Extended static checking for Java,” Pldi, pp. 234-245, 2002.
- V. B. Livshits, and M. S. Lam, “Finding security vulnerabilities in Java applications with static analysis,” Architecture, p. 18, 2005.
- M. Martin, B. Livshits, and M. S. Lam, “Finding application errors and security flaws using PQL: A Program Query Language,” ACM SIGPLAN Not., vol. 40, no. 10, p. 365, 2005.
- “Eclipse - The Eclipse Foundation open source community website.” [Online]. Available: http://www.eclipse.org/. [Accessed: 25-Mar-2017].
- G. A. Campbell, and P. P. Papapetrou, “Sample Chapter in Action.”
- “Sonar Native Packages download | SourceForge.net.” [Online]. Available: https://sourceforge.net/projects/sonar-pkg/. [Accessed: 25-Mar-2017].
- “PMD: Source Code Analyzer.” [Online]. Available: https://pmd.github.io/. [Accessed: 25-Mar-2017].
- “Lobo Evolution - Java Web Browser.” [Online]. Available: https://github.com/oswetto/Loboevolution. [Accessed: 25-Mar-2017].
- “Lobo - Java Web Browser - Browse /Lobo Browser at SourceForge.net.” [Online]. Available: https://sourceforge.net/projects/xamj/files/Lobo Browser/. [Accessed: 25-Mar-2017].
Abstract Views: 321
PDF Views: 0