How PHP Releases Are Adopted in the Wild?

2018 9th International Workshop on Empirical Software Engineering in Practice (IWESEP)

2018

Self Cite

This paper examines software vulnerabilities in common Python packages used particularly for web development. The empirical dataset is based on the PyPI package repository and the so-called Safety DB used to track vulnerabilities in selected packages within the repository. The methodological approach builds on a release-based time series analysis of the conditional probabilities for the releases of the packages to be vulnerable. According to the results, many of the Python vulnerabilities observed seem to be only modestly severe; input validation and cross-site scripting have been the most typical vulnerabilities. In terms of the time series analysis based on the release histories, only the recent past is observed to be relevant for statistical predictions; the classical Markov property holds.

Section: Discussionmentioning

confidence: 99%

Section: B Releasesmentioning

confidence: 99%

An Empirical Analysis of Vulnerabilities in Python Packages for Web Applications

2018 9th International Workshop on Empirical Software Engineering in Practice (IWESEP)

2018

Self Cite

“…The empirical sample is based on the Alexa's top-million busiest domains [4]. Although some skepticism is warranted about the representativeness of the list particularly in the DNS context [37], the list is commonly used as a benchmark in large-scale empirical studies exploring TLS/PKI [35,36], among other Internet measurement topics [10,30]. Because the paper's focus is restricted to DNS, a simple client-side DNS resolver [29] was used to query for CAA resource records of each domain in the Alexa's popularity list using Google's name server at 8.8.8.8.…”

Section: Datamentioning

confidence: 99%

An empirical survey on the early adoption of DNS certification authority authorization

Journal of Cyber Security Technology

2019

Self Cite

A new certification authority authorization (CAA) resource record for the domain name system (DNS) was standardized in 2013. Motivated by the later 2017 decision to enforce mandatory CAA checking for most certificate authorities, this paper surveys the early adoption of CAA by using an empirical sample collected from the Alexa's top-million domains. According to the results, (i) the adoption of CAA is still at a modest level; only a little below two percent of the popular domains sampled have adopted CAA. Among the domains that have adopted CAA, (ii) authorizations dealing with wildcard certificates are rare compared to conventional certificates. Interestingly, (iii) the results only partially reflect the market structure of the global certificate business. With these timely results, the paper contributes to the ongoing large-scale empirical research on the use of encryption technologies.

“…By no means is WordPress alone making these headlines, however. Many websites use outdated and deprecated releases of the PHP language [25,26], for instance. All this said, in recent years particularly the management of security issues has greatly improved in the WordPress ecosystem [2].…”

Section: Introductionmentioning

confidence: 99%

A Demand-Side Viewpoint to Software Vulnerabilities in WordPress Plugins

Proceedings of the Evaluation and Assessment on Software Engineering

2019

Self Cite

WordPress has long been the most popular content management system (CMS). This CMS powers millions and millions of websites. Although WordPress has had a particularly bad track record in terms of security, in recent years many of the well-known security risks have transmuted from the core WordPress to the numerous plugins and themes written for the CMS. Given this background, the paper analyzes known software vulnerabilities discovered from WordPress plugins. A demand-side viewpoint was used to motivate the analysis; the basic hypothesis is that plugins with large installation bases have been affected by multiple vulnerabilities. As the hypothesis also holds according to the empirical results, the paper contributes to the recent discussion about common security folklore. A few general insights are also provided about the relation between software vulnerabilities and software maintenance. CCS CONCEPTS• Security and privacy → Web application security;