Quality of WordPress Plug-Ins: An Overview of Security and User Ratings
Slides from my SocialCom-PASSAT/ 2012 presentation:
Teemu Koskinen, Petri Ihantola, Ville Karavirta (2012). Quality of WordPress Plug-Ins: An Overview of Security and User Ratings. In: SOCIALCOM-PASSAT ’12: Proceedings of the 2012 ASE/IEEE International Conference on Social Computing and 2012 ASE/IEEE International Conference on Privacy, Security, Risk and Trust. Washington, DC, USA: IEEE Computer Society, pp. 834–837. ISBN: 978-0-7695-4848-7.
doi: 10.1109/SocialCom-PASSAT.2012.31

Transcript

  • 1. Teemu Koskinen, Petri Ihantola, and Ville Karavirta. Aalto University, Finland. Quality of WordPress Plug-Ins: An Overview of Security and User Ratings
  • 2. The Problem: Do plugin ratings predict the amount of implementation-related vulnerabilities in WordPress plugins?
  • 3. Data collection and analysis: 1. Download a set of random plug-ins. 2. Collect their download statistics and ratings from wordpress.org. 3. Use the RIPS vulnerability scanner to detect potential vulnerabilities. 4. Compare the number of potential vulnerabilities and the vulnerability densities to the star ratings. We also reviewed some of the potential vulnerabilities manually to find out whether they are real.
  • 4. Preliminary Results: Sample of 322 plugins; total of 3,792,711 downloads; total of 2,783 user ratings; 179,393 lines of PHP code. 860 potential security bugs were discovered in 127 plugins.
  • 5. Preliminary Results: 60.6% of the plug-ins were "clean", and most of the others had only a few potential vulnerabilities.
  • 6. Preliminary Results: 3,792,711 downloads and 2,783 ratings. Only 7 ratings/reviews for every 100 downloads.
  • 7. Preliminary Results: Ratings are not good at explaining the amount or density of the vulnerabilities, although there is a weak negative correlation.
  • 8. Preliminary Results: Light manual review revealed real problems in a popular (>4k downloads) plugin.
  • 9. Conclusions: "Based on our findings, we are confident that there are real risks involved when using third-party plug-ins on a WordPress site. Many plug-ins appeared not to be vulnerable, but as the user ratings and download counts do not assist in finding secure plug-ins, proper inspection should be done by static analysis or manual review before using any plug-in on a WordPress site. The cost of software development and fast schedules in the industry make installing plug-ins an attractive solution, but we hope our findings encourage developers to take the time to inspect the code before using it."
  • 10. Photo credits: http://www.flickr.com/photos/simonehudson/6101238497 ; http://www.flickr.com/photos/striatic/229531275/ ; http://www.flickr.com/photos/23950335@N07/6032357954 ; http://www.flickr.com/photos/kareneliot/2710464400 ; http://www.flickr.com/photos/21572939@N03/2090542246/ ; Ladybug photo © Kimmo Roimela, used with permission. Thank you!
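The analysis in slides 3 to 7 (vulnerability density per plug-in, the "clean" share, ratings per 100 downloads, and the correlation between star rating and density) carried out in code. This is an added example, not the authors' script: the plug-in records are constructed, and the `findings` counts stand in for whatever a static scanner such as RIPS would report.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass
class PluginRecord:
    name: str
    downloads: int
    rating: float   # average star rating on wordpress.org, 1.0 to 5.0
    ratings: int    # number of user ratings/reviews
    php_loc: int    # lines of PHP code
    findings: int   # potential vulnerabilities reported by a static scanner


# Constructed sample records (hypothetical plug-ins), not the study's data set.
SAMPLE = [
    PluginRecord("alpha", 120000, 4.6, 80, 5200, 0),
    PluginRecord("beta", 45000, 3.1, 12, 2300, 9),
    PluginRecord("gamma", 9000, 4.9, 3, 800, 0),
    PluginRecord("delta", 3000, 2.0, 2, 4100, 17),
    PluginRecord("epsilon", 60000, 4.2, 40, 9800, 4),
    PluginRecord("zeta", 500, 3.8, 1, 300, 2),
]


def density_per_kloc(p: PluginRecord) -> float:
    """Potential vulnerabilities per 1,000 lines of PHP (the slides' density measure)."""
    return 1000.0 * p.findings / p.php_loc


def clean_fraction(records) -> float:
    """Share of plug-ins with no scanner findings at all (slide 5's 'clean' figure)."""
    return sum(1 for p in records if p.findings == 0) / len(records)


def ratings_per_100_downloads(records) -> float:
    """How many ratings users leave per 100 downloads (slide 6)."""
    return 100.0 * sum(p.ratings for p in records) / sum(p.downloads for p in records)


def pearson(xs, ys) -> float:
    """Pearson correlation coefficient; the sign is what slide 7 reports."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)


def rating_vs_density(records) -> float:
    """Correlation of star rating with vulnerability density across the sample."""
    return pearson([p.rating for p in records], [density_per_kloc(p) for p in records])
```

A negative value from `rating_vs_density` means higher-rated plug-ins tended to have fewer findings per KLOC in this sample; as the slides note, the magnitude matters more than the sign when deciding whether ratings are a useful proxy for security.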