Quality of WordPress Plug-Ins: An Overview of Security and User Ratings
•
0 gefällt mir•339 views
Slides from my SocialCom-PASSAT/ 2012 presentation: Teemu Koskinen, Petri Ihantola, Ville Karavirta (2012). Quality of WordPress Plug-Ins: An Overview of Security and User Ratings. In: SOCIALCOM-PASSAT ’12: Proceedings of the 2012 ASE/IEEE International Conference on Social Computing and 2012 ASE/IEEE International Conference on Privacy, Security, Risk and Trust. Washington, DC, USA: IEEE Computer Society, pp. 834–837. ISBN: 978-0-7695-4848-7. doi: 10.1109/SocialCom-PASSAT.2012.31
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Empfohlen
Empfohlen (20)
Quality of WordPress Plug-Ins: An Overview of Security and User Ratings
- 1. Teemu Koskinen, Petri Ihantola, and Ville Karavirta Aalto University, Finland Quality Of WordPress Plug-‐Ins: An Overview of Security and User Ra>ngs
- 2. The Problem Do plugin ra>ngs predict the amount of implementa>on related vulnerabili>es in WordPress plugins?
- 3. Data collection and analysis 1. Download a set of random plug-ins. 2. Collect their download statistics and ratings from wordpress.org. 3. Use the RIPS vulnerability scanner to detect potential vulnerabilities 4. Compare the the number of potential vulnerabilities and vulnerability densities to the star ratings We also reviewed some potential vulnerabilities to find out if those are real
- 4. Preliminary Results Sample of 322 plugins • total of 3,792,711 downloads • total of 2,783 user ra>ngs • 179,393 lines of PHP code 860 poten>al security bugs were discovered from 127 plugins.
- 5. Preliminary Results 60.6% of the plug-‐ins were “clean” and most of the others had only few vulnerabili>es
- 6. Preliminary Results 3,792,711 downloads and 2,783 ra>ngs Only 7 ra>ngs/reviews for every 100 downloads
- 7. Preliminary Results Ra>ngs are not good at explaining the amount or density of the vulnerabili>es, although there is a weak nega>ve correla>on.
- 8. Preliminary Results Light manual review revealed real problems from a popular (>4k downloads) plugin
- 9. Conclusions "Based on our findings, we are confident that there are real risks involved when using third-‐party plug-‐ ins on a WordPress site. Many plug-‐ins appeared not to be vulnerable, but as the user ra6ngs and download counts do not assist in finding secure plug-‐ins, proper inspec6on should be done by sta6c analysis or manual review before using any plug-‐in on a WordPress site. The cost of soGware development and fast schedules in the industry make installing plug-‐ins an aHracIve soluIon, but we hope our findings encourage developers to take the 6me to inspect the code before using it."
- 11. h]p://www.flickr.com/photos/simonehudson/6101238497 h]p://www.flickr.com/photos/stria>c/229531275/ h]p://www.flickr.com/photos/23950335@N07/6032357954 h]p://www.flickr.com/photos/kareneliot/2710464400 h]p://www.flickr.com/photos/21572939@N03/2090542246/ Ladybug photo ©Kimmo Roimela used with a permission Thank you!