2013 Poster Sessions : Vulnerability Factors in New Web Applications: Audit Tools, Developer Selection & Languages

Student Names: Jason Bau, Patrick Mutchler
Advisor: John Mitchell
Research Areas: Computer Systems
We develop a web application vulnerability metric based on the combined reports of 4 leading commercial black-box vulnerability scanners and evaluate this metric using historical benchmarks and our new sample of applications. We then use this metric to examine the impact of three factors on web application security: provenance (developed by a startup company or by freelancers), developer security knowledge, and programming language. Our study evaluates 27 web applications developed by programmers from 19 Silicon Valley startups and 8 outsourcing freelancers, written in 5 programming languages. We correlate the expected vulnerability rate of a web application with whether it was developed by a startup company or by freelancers, the extent of the developers' security knowledge (assessed by a simple quiz), and the programming language used. We provide statistical confidence measures and find several results with statistical significance. For example, applications written in PHP are more prone to severe vulnerabilities, especially injection, and applications developed by freelancers tend to have more injection vulnerabilities. Our summary results provide guidance to developers that we believe may improve the security of future web applications.
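The abstract describes two methodological steps without spelling them out: merging the reports of several black-box scanners into a single per-application vulnerability measure, and testing whether a provenance group differs significantly on a vulnerability class. The script below is an added illustration of that workflow and is not code from the study; the authors' actual metric, severity weighting, deduplication rule and statistical test are not given on this page. Everything here is an assumption for illustration: the four scanner names, the eight applications, their findings, the provenance labels and the severity weights are all constructed sample data. Findings are deduplicated on (application, vulnerability class, location), an optional agreement threshold keeps only findings that at least N scanners reported, and the startup-versus-freelancer comparison uses a one-sided Fisher exact test computed directly from the hypergeometric distribution so that no statistics library is required.

```python
from collections import defaultdict
from math import comb

# Constructed sample data (NOT from the study): four hypothetical scanners
# reporting (app, vuln_class, location) findings for eight hypothetical apps.
REPORTS = {
    "scanner1": [("F1", "sqli", "/login?user"), ("F2", "sqli", "/search?q"),
                 ("S1", "sqli", "/items?id"), ("S2", "xss", "/q?x")],
    "scanner2": [("F1", "sqli", "/login?user"), ("F3", "sqli", "/cart?id"),
                 ("S3", "info", "/.git/")],
    "scanner3": [("F2", "sqli", "/search?q"), ("F3", "csrf", "/profile"),
                 ("S4", "xss", "/c?t")],
    "scanner4": [("F3", "sqli", "/cart?id"), ("S1", "sqli", "/items?id"),
                 ("S5", "xss", "/p?u"), ("F1", "xss", "/login?user")],
}
# Assumed provenance labels for the constructed apps.
PROVENANCE = {"F1": "freelancer", "F2": "freelancer", "F3": "freelancer",
              "S1": "startup", "S2": "startup", "S3": "startup",
              "S4": "startup", "S5": "startup"}
# Assumed severity weights; the abstract does not state the paper's weighting.
SEVERITY = {"sqli": 3, "xss": 2, "csrf": 1, "info": 0}


def combine_reports(reports, min_scanners=1):
    """Merge scanner reports into unique vulnerabilities keyed on
    (app, vuln_class, location). Returns {key: set of scanners that flagged it},
    keeping only findings reported by at least min_scanners scanners."""
    seen = defaultdict(set)
    for scanner, findings in reports.items():
        for app, vclass, location in findings:
            seen[(app, vclass, location)].add(scanner)
    return {key: scanners for key, scanners in seen.items()
            if len(scanners) >= min_scanners}


def score_app(combined, app):
    """Severity-weighted count of unique vulnerabilities for one app."""
    return sum(SEVERITY[vclass] for (a, vclass, _) in combined if a == app)


def group_mean(combined, provenance, group):
    """Mean severity-weighted score over all apps in a provenance group."""
    apps = [a for a, g in provenance.items() if g == group]
    return sum(score_app(combined, a) for a in apps) / len(apps)


def contingency(combined, provenance, vclass,
                group_a="freelancer", group_b="startup"):
    """2x2 table (a, b, c, d): rows are the two provenance groups, columns are
    'has at least one vclass finding' and 'has none'."""
    affected = {a for (a, v, _) in combined if v == vclass}
    def row(group):
        apps = [a for a, g in provenance.items() if g == group]
        hit = sum(1 for a in apps if a in affected)
        return hit, len(apps) - hit
    a, b = row(group_a)
    c, d = row(group_b)
    return a, b, c, d


def fisher_one_sided(a, b, c, d):
    """One-sided Fisher exact test: P(X >= a) where X is the number of group_a
    apps among the affected apps, under the hypergeometric null of no association.
    A small p-value means group_a is over-represented among affected apps."""
    n = a + b + c + d
    row1, col1 = a + b, a + c
    total = comb(n, col1)
    tail = sum(comb(row1, x) * comb(n - row1, col1 - x)
               for x in range(a, min(row1, col1) + 1))
    return tail / total


if __name__ == "__main__":
    for threshold in (1, 2):
        combined = combine_reports(REPORTS, min_scanners=threshold)
        table = contingency(combined, PROVENANCE, "sqli")
        print(f"agreement >= {threshold}: {len(combined)} unique findings, "
              f"mean score freelancer={group_mean(combined, PROVENANCE, 'freelancer'):.2f} "
              f"startup={group_mean(combined, PROVENANCE, 'startup'):.2f}, "
              f"sqli table={table}, one-sided p={fisher_one_sided(*table):.4f}")
```

Raising `min_scanners` is the usual way to trade recall for precision when scanners disagree: in the constructed data all SQL injection findings are confirmed by two scanners and survive the threshold, while the single-scanner XSS and information-leak findings drop out. With eight apps the Fisher test cannot reach conventional significance even when every freelancer app is affected, which is the reason a study of this kind needs a sample of dozens of applications before reporting confidence measures.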

Jason Bau is a Ph.D. student in the Electrical Engineering department of Stanford University, working as a research assistant in the Computer Security Lab. His research interests include network protocol security as well as web-application security.