Vulnerability Analysis and Development of Secure Coding Rules for PHP
Han, KyungSook; Park, Wooyeol; Yang, Ilgwon; Son, Changhwan; Pyo, Changwoo
Abstract
This paper presents secure coding rules for PHP programs, which programmers should follow while developing their programs. The rules are crafted to curb 28 weaknesses, made up of 22 that correspond to reported PHP CVEs, the children of CWE-661 for PHP, and the top 5 weaknesses according to OWASP. The rule set consists of 28 detailed rules grouped under 14 categories. The paper also demonstrates through examples that programs complying with these rules can curb those weaknesses. The rules can additionally serve as a guideline for developing security-oriented analysis tools.
Keywords
secure coding; weakness; vulnerability; coding rule; PHP
Language
Korean