Abstract
While Java and PHP are two of the most popular languages for open source web applications found at freshmeat.net, Java has had a much better security reputation than PHP. In this paper, we examine whether that reputation is deserved. We studied whether the variation in vulnerability density is greater between languages or between different applications written in a single language by comparing eleven open source web applications written in Java with fourteen such applications written in PHP. To compare the languages, we created a Common Vulnerability Metric (CVM), which is the count of four vulnerability types common to both languages. Common Vulnerability Density (CVD) is CVM normalized by code size. We measured CVD for two revisions of each project, one from 2006 and the other from 2008. CVD values were higher for the aggregate PHP code base than for the Java code base, but PHP had a better rate of improvement, with a decline from 6.25 to 2.36 vulnerabilities/KLOC compared to 1.15 to 0.63 in Java. These changes arose from an increase in code size in both languages and a decrease in vulnerabilities in PHP. The variation between projects was greater than the variation between languages, ranging from 0.52 to 14.39 in Java and from 0.03 to 121.36 in PHP for 2006. We used security and software metrics to examine the sources of difference between projects.
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Walden, J., Doyle, M., Lenhof, R., Murray, J. (2010). Idea: Java vs. PHP: Security Implications of Language Choice for Web Applications. In: Massacci, F., Wallach, D., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2010. Lecture Notes in Computer Science, vol 5965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11747-3_5
DOI: https://doi.org/10.1007/978-3-642-11747-3_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11746-6
Online ISBN: 978-3-642-11747-3