Enabling static security vulnerability analysis in PHP applications for novice developers with SSVChecker

Michael Smith, J. Dehlinger
DOI: 10.1145/2663761.2664213 (https://doi.org/10.1145/2663761.2664213)
Published in: Research in Adaptive and Convergent Systems, 2014-10-05
Citations: 2

Abstract

Web-based systems pervade our society, supporting business-critical applications that frequently request and store customers' personal information, and so require increasingly high levels of information assurance. Novice web programmers, with little or no secure programming training, unknowingly develop web applications rife with security vulnerabilities, compromising the integrity of the application. In response, a number of static analysis security tools have been developed to flag potential security vulnerabilities. Yet these tools are difficult to use, divorced from the integrated development environment (IDE), and remain unknown to novice developers. This paper contributes SSVChecker, an Eclipse plugin that runs existing static analysis tools on PHP source code directly within a common IDE so that novice developers can build more secure web applications. We make two claims for SSVChecker. First, it embeds seamlessly into a common IDE, making it easy and familiar for novice developers to use. Second, it combines the output of multiple tools to reduce the number of reported false positives and to focus novice developers on the most likely security vulnerabilities. To demonstrate these claims, we run SSVChecker on a popular, open source, PHP-based web application with known security vulnerabilities.
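The abstract's second claim is that combining several analyzers reduces false positives, but this page does not say how the tools' results are combined. The following is an added example, not code from the paper or from SSVChecker, illustrating one common way to do it: normalize each tool's findings to a shared (file, line, category) key and treat a finding as high-confidence only when at least two independent tools report it. The tool names, label mappings and report contents are constructed for the example.

```python
"""Added example (not from the paper): correlate findings from several PHP
static analyzers and keep only those that at least two tools agree on.

The paper's abstract says SSVChecker leverages multiple tools to reduce
reported false positives; the exact rule is not given on this page, so the
agreement-by-location filter below is an assumption for illustration.
Tool names, label mappings and the sample reports are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed output from two hypothetical analyzers. Each tool uses its own
# label for the same vulnerability class, so labels are mapped to a shared
# category before comparison.
TOOL_A_REPORT = [
    # (file, line, tool-specific label)
    ("login.php", 12, "SQLi"),
    ("login.php", 30, "XSS"),
    ("upload.php", 8, "FileInclude"),
]
TOOL_B_REPORT = [
    ("login.php", 12, "sql_injection"),
    ("search.php", 44, "xss"),
    ("upload.php", 8, "lfi"),
]

# Assumed mapping from tool-specific labels to a shared category name.
CATEGORY_MAP = {
    "SQLi": "sql-injection", "sql_injection": "sql-injection",
    "XSS": "xss", "xss": "xss",
    "FileInclude": "file-inclusion", "lfi": "file-inclusion",
}


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    category: str


def normalize(tool, report):
    """Turn one tool's raw (file, line, label) tuples into (Finding, tool) pairs."""
    out = []
    for file, line, label in report:
        # Unknown labels are kept under their lower-cased raw name rather than
        # dropped, so an unmapped tool category never disappears silently.
        category = CATEGORY_MAP.get(label, label.lower())
        out.append((Finding(file, line, category), tool))
    return out


def correlate(*tool_reports, min_agreement=2):
    """Group findings by (file, line, category) and split them into those
    reported by at least `min_agreement` distinct tools (confirmed) and the
    rest (unconfirmed). Each value is the sorted list of reporting tools."""
    seen = defaultdict(set)
    for tool, report in tool_reports:
        for finding, t in normalize(tool, report):
            seen[finding].add(t)
    confirmed = {f: sorted(ts) for f, ts in seen.items() if len(ts) >= min_agreement}
    unconfirmed = {f: sorted(ts) for f, ts in seen.items() if len(ts) < min_agreement}
    return confirmed, unconfirmed


if __name__ == "__main__":
    confirmed, unconfirmed = correlate(("toolA", TOOL_A_REPORT), ("toolB", TOOL_B_REPORT))
    by_location = lambda kv: (kv[0].file, kv[0].line)
    for f, tools in sorted(confirmed.items(), key=by_location):
        print(f"HIGH  {f.file}:{f.line} {f.category} ({', '.join(tools)})")
    for f, tools in sorted(unconfirmed.items(), key=by_location):
        print(f"LOW   {f.file}:{f.line} {f.category} ({', '.join(tools)})")
```

The caveat a practitioner should keep in mind: agreement filtering trades false positives for false negatives. A finding reported by only one tool is not thereby wrong, which is why the example demotes unconfirmed findings to a low-confidence list rather than discarding them.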