期刊名称:International Journal of Security and Its Applications
印刷版ISSN:1738-9976
出版年度:2015
卷号:9
期号:10
页码:231-240
DOI:10.14257/ijsia.2015.9.10.21
出版社:SERSC
摘要:Web application security is an important problem in today's Internet. A major cause of this is that many developers are not equipped with the right skills to develop secure code. Because of limited time and resources, web engineers need help in recognizing vulnerable components. A useful approach to predict vulnerable code would allow them to prioritize security-auditing efforts. In this work, we compare the performance of different classification techniques in predicting vulnerable PHP files and propose an application of these classification rules. We performed empirical case studies on three large open source web-projects. Software metrics are investigated whether they are discriminative and predictive of vulnerable code, and can guide actions for improvement of code and development team and can prioritize validation and verification efforts. The results indicate that the metrics are discriminative and predictive of vulnerabilities
