OWASP Top 10 testability patterns for PHP - Githubissues

testable-eu / sast-testability-patterns

Testability Pattern Catalogs for SAST

https://owasp.org/www-project-testability-patterns-for-web-applications/

Apache License 2.0

29 stars 2 forks source link

OWASP Top 10 testability patterns for PHP #23

Open compaluca opened 1 year ago

compaluca commented 1 year ago

Extract the 10 testability patterns for PHP that are more impactful for SAST tools.

we can start with the results from the NDSS paper
if possible re-measure SAST tools against the reviewed PHP patterns

compaluca commented 1 year ago

The idea is to identify the most impactful patterns. In this respect two dimensions could be used:

SAST measurement: the more a pattern is difficult for SAST, the more it impacts the SAST analysis
Pattern prevalence: the more a pattern is used in the real world, the more it impacts the SAST analysis

Pattern review

[ ] ensure all patterns have been reviewed

Dataset

[ ] rebuild the initial dataset of PHP apps: https://github.com/enferas/TestabilityTarpits/tree/main/PHP/ListOfProjects
[ ] filtering: maybe not all the projects in the dataset are worth the analysis e.g., exclude those projects that do not have any sources/sinks

Discovery of testability patterns

[ ] discovery: run the framework on the dataset (scripting)
[ ] inspect results and compute Pattern discovery score

Measurement of SAST tools

[ ] repeat measurements on current versions of SAST tools (open source and commercials)
[ ] inspect results and compute SAST measurement score