Benchmark                         DLLs   DLL size (kilobytes)         LOC
Alias Management Tool                3                     65      10,812
Chat Application                     3                    543       6,783
Bicycle Club App                     3                     62      14,529
Software Catalog                    15                    118      11,941
Sporting Field Management Tool       3                    290      15,803
Commitment Management Tool           7                    369      25,602
New Hire Tool                       11                    565       5,595
Expense Report Approval Tool         4                    421      78,914
Relationship Management              5                  3,345   1,810,585
Customer Support Portal             14                  2,447      66,385

FIGURE 11.11: Benchmark application sizes.
Type         Count   Revisions
Sources         27          16
Sinks           77           8
Sanitizers       7           2

FIGURE 11.12: Statistics for the out-of-the-box specification that comes with Cat.Net.
11.6.1 Experimental Setup
Figure 11.11 summarizes information about our benchmarks. As we discovered, not all code contained within the application source tree is actually deployed to the Web server. Most of the time, the number and size of deployed DLLs, primarily consisting of .NET bytecode, are a good measure of the application size, as shown in columns 2-3. Note that in several cases, libraries supplied in the form of DLLs without the source code constitute the biggest part of an application. Finally, to provide another measure of the application size, column 4 shows the traditional lines-of-code metric for all the code within the application.
To put our results on specification discovery in perspective, Figure 11.12 provides information about the out-of-the-box specification for Cat.Net, the static analysis tool that we used for our experiments [21]. The second column shows the number of specifications for each specification type. The last column shows the number of revisions each portion of the specification has gone through, as extracted from the code revision repository. We have manually examined the revisions to count only substantial ones (i.e., just adding comments or changing whitespace was disregarded). It is clear from the table that even arriving at the default specification for Cat.Net, as incomplete as it is, took a pretty significant number of source revisions. We found that the most commonly revised specifications correspond to the most commonly found vulnerabilities. In particular, specifications for SQL injection and cross-site scripting attacks have been revised by far the most. Moreover, after all these revisions,