Beware of the Vulnerability! How Vulnerable are GitHub's Most Popular PHP Applications?

Title: Beware of the Vulnerability! How Vulnerable are GitHub's Most Popular PHP Applications?
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Ibrahim, Ahmed; El-Ramly, Mohammad; Badr, Amr
Conference Name: 2019 IEEE/ACS 16th International Conference on Computer Systems and Applications (AICCSA)
Keywords: Computer bugs, Computers, critical vulnerabilities, Cross Site Scripting, cross-site scripting, CVSS, data integrity, GitHub, Human Behavior, injection vulnerabilities, open source, open source PHP applications, open source project owners, open source projects, Open Source Software, PHP, project popularity, pubcrawl, Resiliency, RIPS, Scalability, scanning, security, software engineering, software project, software security, software vulnerabilities, Software Vulnerability, static analysis, static analysis vulnerability scanner, statistical analysis, Tools, vulnerability detection, vulnerable project, XSS
Abstract: The presence of software vulnerabilities is a serious threat to any software project. Exploiting them can compromise system availability, data integrity, and confidentiality. Unfortunately, many open source projects go for years with undetected, ready-to-exploit critical vulnerabilities. In this study, we investigate the presence of software vulnerabilities in open source projects and the factors that influence this presence. We analyzed the top 100 open source PHP applications on GitHub using a static analysis vulnerability scanner to examine how common software vulnerabilities are. We also discuss which vulnerabilities are most prevalent and what factors contribute to their presence. We found that 27% of these projects are insecure, with a median of 3 vulnerabilities per vulnerable project. The most common type is injection vulnerabilities, which made up 58% of all detected vulnerabilities. Of these, cross-site scripting (XSS) was the most common and made up 43.5% of all vulnerabilities found. Statistical analysis revealed that project activities such as branching, pulling, and committing have a moderate positive correlation with the number of vulnerabilities in a project. Other factors, such as project popularity, number of releases, and number of issues, had almost no influence on the number of vulnerabilities. We recommend that open source project owners set secure code development guidelines for their project members and establish secure code reviews as part of the project's development process.
Citation Key: ibrahim_beware_2019