{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,25]],"date-time":"2026-03-25T13:01:27Z","timestamp":1774443687588,"version":"3.50.1"},"reference-count":37,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2018,9,25]],"date-time":"2018-09-25T00:00:00Z","timestamp":1537833600000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Computing"],"published-print":{"date-parts":[[2019,2]]},"DOI":"10.1007\/s00607-018-0664-z","type":"journal-article","created":{"date-parts":[[2018,9,25]],"date-time":"2018-09-25T10:19:30Z","timestamp":1537870770000},"page":"161-185","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":23,"title":["An empirical study on combining diverse static analysis tools for web security vulnerabilities based on development scenarios"],"prefix":"10.1007","volume":"101","author":[{"given":"Paulo","family":"Nunes","sequence":"first","affiliation":[]},{"given":"Ib\u00e9ria","family":"Medeiros","sequence":"additional","affiliation":[]},{"given":"Jos\u00e9","family":"Fonseca","sequence":"additional","affiliation":[]},{"given":"Nuno","family":"Neves","sequence":"additional","affiliation":[]},{"given":"Miguel","family":"Correia","sequence":"additional","affiliation":[]},{"given":"Marco","family":"Vieira","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2018,9,25]]},"reference":[{"key":"664_CR1","unstructured":"https:\/\/freeformdynamics.com\/wp-content\/uploads\/legacy-pdfs\/pdf\/insidetrack\/2017\/17-03-Managing_Application_Security_Risk.pdf\n \n . Accessed 17 Mar 2017"},{"key":"664_CR2","unstructured":"https:\/\/www.owasp.org\/index.php\/Top_10_2017-Top_10\n \n . Accessed 20 Mar 2017"},{"key":"664_CR3","unstructured":"https:\/\/media.blackhat.com\/bh-us-11\/Willis\/BH_US_11_WillisBritton_Analyzing_Static_Analysis_Tools_WP.pdf\n \n (2011). Accessed 6 Apr 2017"},{"key":"664_CR4","unstructured":"WPScan Vulnerability Database. \n https:\/\/wpvulndb.com\/\n \n . Accessed 26 Oct 2015"},{"key":"664_CR5","unstructured":"Website hacked trend report 2016-Q1 (2016) \n https:\/\/sucuri.net\/website-security\/Reports\/Sucuri-Website-Hacked-Report-2016Q1.pdf\n \n . Accessed 6 Apr 2017"},{"key":"664_CR6","unstructured":"Wordpress plugin directory. \n https:\/\/wordpress.org\/plugins\/\n \n . Accessed 29 Dec 2016"},{"key":"664_CR7","unstructured":"NIST SARD Project. \n http:\/\/samate.nist.gov\/SRD\n \n . Accessed 23 Feb 2017"},{"key":"664_CR8","unstructured":"https:\/\/colorlib.com\/wp\/is-wordpress-websites-secure\/\n \n . Accessed 09 March 2017"},{"key":"664_CR9","unstructured":"https:\/\/w3techs.com\/technologies\n \n . Accessed March 2018"},{"key":"664_CR10","doi-asserted-by":"crossref","unstructured":"Antunes N, Vieira M (2015) On the metrics for benchmarking vulnerability detection tools. In: 2015 45th Annual IEEE\/IFIP international conference on dependable systems and networks, pp 505\u2013516","DOI":"10.1109\/DSN.2015.30"},{"key":"664_CR11","doi-asserted-by":"publisher","unstructured":"Backes M, Rieck K, Skoruppa M, Stock B, Yamaguchi F (2017) Efficient and flexible discovery of PHP application vulnerabilities. In: 2017 IEEE european symposium on security and privacy (EuroS&P), pp 334\u2013349. IEEE. \n https:\/\/doi.org\/10.1109\/EuroSP.2017.14\n \n . \n http:\/\/ieeexplore.ieee.org\/document\/7961989\/","DOI":"10.1109\/EuroSP.2017.14"},{"issue":"2","key":"664_CR12","doi-asserted-by":"publisher","first-page":"287","DOI":"10.1007\/s11219-011-9144-9","volume":"20","author":"R Baggen","year":"2012","unstructured":"Baggen R, Correia JP, Schill K, Visser J (2012) Standardized code quality benchmarking for improving software maintainability. Softw Qual J 20(2):287\u2013307","journal-title":"Softw Qual J"},{"key":"664_CR13","doi-asserted-by":"crossref","unstructured":"Beller M, Bholanath R, McIntosh S, Zaidman A (2016) Analyzing the state of static analysis: a large-scale evaluation in open source software. In: 2016 IEEE 23rd international conference on software analysis, evolution, and reengineering, vol\u00a01, pp 470\u2013481","DOI":"10.1109\/SANER.2016.105"},{"key":"664_CR14","doi-asserted-by":"crossref","unstructured":"Dahse J, Holz T (2014) Simulation of built-in PHP features for precise static code analysis. In: Proceedings 2014 network and distributed system security symposium. Internet Society, Reston, VA","DOI":"10.14722\/ndss.2014.23262"},{"issue":"8","key":"664_CR15","doi-asserted-by":"publisher","first-page":"1462","DOI":"10.1016\/j.infsof.2013.02.005","volume":"55","author":"G D\u00edaz","year":"2013","unstructured":"D\u00edaz G, Bermejo JR (2013) Static analysis of source code security: assessment of tools against SAMATE tests. Inf Softw Technol 55(8):1462\u20131476","journal-title":"Inf Softw Technol"},{"key":"664_CR16","unstructured":"Forbes: will the demand for developers continue to increase? \n https:\/\/forbes.com\/sites\/quora\/2017\/01\/20\/will-the-demand-for-developers-continue-to-increase\/#7e502b681c3f\n \n . Accessed 15 May 2017"},{"key":"664_CR17","doi-asserted-by":"publisher","first-page":"18","DOI":"10.1016\/j.infsof.2015.08.002","volume":"68","author":"K Goseva-Popstojanova","year":"2015","unstructured":"Goseva-Popstojanova K, Perhinschi A (2015) On the capability of static code analysis to detect security vulnerabilities. Inf Softw Technol 68:18\u201333","journal-title":"Inf Softw Technol"},{"key":"#cr-split#-664_CR18.1","unstructured":"Hauzar D, Kofron J (2015) Framework for Static Analysis of PHP Applications. In: Boyland JT"},{"key":"#cr-split#-664_CR18.2","unstructured":"(ed) 29th European conference on object-oriented programming (ECOOP 2015), Leibniz international proceedings in informatics (LIPIcs), vol 37, pp 689-711. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany"},{"key":"664_CR19","unstructured":"Imperva: Imperva web application attack report (WAAR). \n http:\/\/www.imperva.com\/download.asp?id=509\n \n (2015). Accessed 22 May 2017"},{"key":"664_CR20","unstructured":"Institute P (2015) Annual consumer studies. \n http:\/\/www.ponemon.org\/\n \n . Accessed 22 May 2017"},{"key":"664_CR21","unstructured":"Johnson B, Song Y, Murphy-Hill E, Bowdidge R (2013) Why don\u2019t software developers use static analysis tools to find bugs? In: 35th International conference on software engineering. IEEE, pp 672\u2013681"},{"key":"664_CR22","doi-asserted-by":"crossref","unstructured":"Jovanovic N, Kruegel C, Kirda E (2006) Pixy: a static analysis tool for detecting web application vulnerabilities. In: 2006 IEEE symposium on security and privacy, pp 6\u2013263","DOI":"10.1109\/SP.2006.29"},{"issue":"4","key":"664_CR23","doi-asserted-by":"publisher","first-page":"323","DOI":"10.1145\/161494.161501","volume":"1","author":"W Landi","year":"1992","unstructured":"Landi W (1992) Undecidability of static analysis. ACM Lett Program Lang Syst 1(4):323\u2013337","journal-title":"ACM Lett Program Lang Syst"},{"key":"664_CR24","unstructured":"Livshits VB, Lam MS (2005) Finding security vulnerabilities in java applications with static analysis. In: Proceedings of the 14th conference on USENIX security symposium, vol 14, SSYM\u201905. USENIX Association, Berkeley, CA, USA, pp 18\u201318"},{"key":"664_CR25","unstructured":"Meade FG. \n https:\/\/samate.nist.gov\/docs\/CAS%202012%20Static%20Analysis%20Tool%20Study%20Methodology.pdf\n \n . Accessed 5 May 2017"},{"key":"664_CR26","doi-asserted-by":"crossref","unstructured":"Medeiros I, Neves NF, Correia M (2014) Automatic detection and correction of web application vulnerabilities using data mining to predict false positives. In: Proceedings of the 23rd international conference on world wide web, WWW \u201914. ACM, NY, USA, pp 63\u201374","DOI":"10.1145\/2566486.2568024"},{"key":"664_CR27","doi-asserted-by":"crossref","unstructured":"Meng N, Wang Q, Wu Q, Mei H (2008) An approach to merge results of multiple static analysis tools (short paper). In: 2008 The eighth international conference on quality software, pp 169\u2013174","DOI":"10.1109\/QSIC.2008.30"},{"key":"664_CR28","unstructured":"NIST: Software assurance metrics and tool evaluation. \n http:\/\/samate.nist.gov\/\n \n . Accessed 28 Nov 2016"},{"key":"664_CR29","unstructured":"Nunes P. \n https:\/\/github.com\/pjcnunes\/Computing2018\n \n . Accessed 15 July 2018"},{"key":"664_CR30","doi-asserted-by":"crossref","unstructured":"Nunes P, Fonseca J, Vieira M (2015) phpSAFE: a security analysis tool for OOP web application plugins. In: 45th Annual IEEE\/IFIP international conference on dependable systems and networks, DSN 2015, Rio de Janeiro, Brazil, June 22\u201325, 2015, pp 299\u2013306","DOI":"10.1109\/DSN.2015.16"},{"key":"664_CR31","doi-asserted-by":"crossref","unstructured":"Nunes P, Medeiros I, Fonseca J, Neves N, Correia M, Vieira M (2017) On combining diverse static analysis tools for web security: an empirical study. In: 2017 13th European dependable computing conference (EDCC), pp 121\u2013128","DOI":"10.1109\/EDCC.2017.16"},{"key":"664_CR32","unstructured":"Pichler M. PHP depend. \n https:\/\/pdepend.org\/\n \n . Accessed 03 Nov 2016"},{"key":"664_CR33","doi-asserted-by":"crossref","unstructured":"Rutar N, Almazan CB, Foster JS (2004) A comparison of bug finding tools for java. In: Proceedings of the 15th international symposium on software reliability engineering, ISSRE \u201904. IEEE Computer Society, Washington, DC, USA, pp 245\u2013256","DOI":"10.1109\/ISSRE.2004.1"},{"key":"664_CR34","doi-asserted-by":"crossref","unstructured":"Stivalet B, Fong E (2016) Large scale generation of complex and faulty PHP test cases. In: 2016 IEEE International conference on software testing, verification and validation (ICST), pp 409\u2013415","DOI":"10.1109\/ICST.2016.43"},{"key":"664_CR35","unstructured":"Vogt P, Nentwich F, Jovanovic N, Kirda E, Kruegel C, Vigna G (2007) Cross site scripting prevention with dynamic data tainting and static analysis. In: NDSS, vol 2007, p\u00a012"},{"key":"664_CR36","doi-asserted-by":"crossref","unstructured":"Wang Q, Meng N, Zhou Z, Li J, Mei H (2008) Towards SOA-based code defect analysis. In: IEEE international symposium on service-oriented system engineering, 2008. SOSE \u201908, pp 269\u2013274","DOI":"10.1109\/SOSE.2008.47"}],"container-title":["Computing"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s00607-018-0664-z\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00607-018-0664-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00607-018-0664-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,9,25]],"date-time":"2019-09-25T07:44:27Z","timestamp":1569397467000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s00607-018-0664-z"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,9,25]]},"references-count":37,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2019,2]]}},"alternative-id":["664"],"URL":"https:\/\/doi.org\/10.1007\/s00607-018-0664-z","relation":{},"ISSN":["0010-485X","1436-5057"],"issn-type":[{"value":"0010-485X","type":"print"},{"value":"1436-5057","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,9,25]]},"assertion":[{"value":"30 September 2017","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"15 September 2018","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"25 September 2018","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}