Northern Kentucky University
A Comparison of Security in PHP and Java Application Web Servers
Institution
Northern Kentucky University
Faculty Advisor / Mentor
Maureen Doyle; James Walden
Abstract
There are millions of vulnerable web servers on the web that people connect to every day. In order to protect these people, it is in our best interest to identify the safest development choices possible. The popular choices are PHP, which is the language used for server-side web programming on over 80% of the world's websites, and Java, which tends to see high usage on websites with heavy traffic. As these are some of the most popular choices, they are known to be high-profile targets for hackers looking for vulnerabilities. As such, it is desirable to learn which has the better security reputation. When comparing security between servers, several metrics are available, such as: the number of vulnerabilities present, the severity of those vulnerabilities, the update rate of the server, and the frequency at which security patches are released. Thus, by mining Internet-scale network port scan data, we were able to retrieve real-world instances of these servers throughout the IPv4 space and used them to make these comparisons. Specifically, our comparisons examine the rare PHP/3 against the thriving PHP/5 and the Java-based WebSphere, WebLogic, Jetty, Apache Tomcat, Apache Coyote, Resin, and GlassFish. Some of our findings show the difference between comparing the frameworks by what is released and by what is actually in use. For example, despite the periodic patching offered by PHP, we see that millions of server owners leave their machines running without being updated; this behavior is highly dangerous to the goal of a secure Internet.
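The abstract describes classifying hosts from Internet-scale scan data by server family and version and measuring how many stay on outdated releases. As an added illustration of that methodology (not code from the study), the script below parses constructed HTTP banner strings for the PHP and Java server families named above; the banners, the regexes, and the "newest version seen in the scan" baseline are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample banners (Server / X-Powered-By header values) standing in
# for scan records. These hosts and versions are made up, not real scan data.
SAMPLE_BANNERS = [
    "Apache/2.2.22 (Ubuntu) PHP/5.3.10",
    "Apache/2.4.7 (Ubuntu) PHP/5.5.9",
    "Apache/1.3.41 PHP/3.0.18",
    "Apache-Coyote/1.1",
    "Jetty(9.2.1.v20140609)",
    "WebSphere Application Server/8.5",
    "Resin/4.0.41",
    "Apache/2.2.22 PHP/5.3.10",
    "GlassFish Server Open Source Edition 4.1",
]

# One pattern per family; group 1 captures the dotted numeric version.
FAMILY_PATTERNS = {
    "PHP": re.compile(r"PHP/(\d+(?:\.\d+)*)"),
    "Apache Coyote": re.compile(r"Apache-Coyote/(\d+(?:\.\d+)*)"),
    "Jetty": re.compile(r"Jetty\((\d+(?:\.\d+)*)"),
    "WebSphere": re.compile(r"WebSphere[^/]*/(\d+(?:\.\d+)*)"),
    "WebLogic": re.compile(r"WebLogic Server (\d+(?:\.\d+)*)"),
    "Resin": re.compile(r"Resin/(\d+(?:\.\d+)*)"),
    "GlassFish": re.compile(r"GlassFish[^\d]*(\d+(?:\.\d+)*)"),
}

def classify(banner):
    """Return (family, version) for a banner, or (None, None) if unrecognised."""
    for family, pattern in FAMILY_PATTERNS.items():
        m = pattern.search(banner)
        if m:
            return family, m.group(1)
    return None, None

def version_tuple(v):
    """Turn '5.3.10' into (5, 3, 10) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))

def version_census(banners):
    """Count hosts per (family, version) and record the newest version seen per family."""
    counts, newest = Counter(), {}
    for family, version in map(classify, banners):
        if family is None:
            continue
        counts[(family, version)] += 1
        if family not in newest or version_tuple(version) > version_tuple(newest[family]):
            newest[family] = version
    return counts, newest

def outdated_fraction(banners, family):
    """Share of a family's hosts not on the newest version observed in the scan."""
    counts, newest = version_census(banners)
    total = sum(n for (f, _), n in counts.items() if f == family)
    return 0.0 if total == 0 else 1 - counts[(family, newest[family])] / total
```

On the constructed sample, three of the four PHP hosts lag the newest PHP release seen, the kind of figure the study compares against the release history of each platform.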