The Popularity Hypothesis in Software Security: A Large-Scale Replication with PHP Packages
Jukka Ruohonen, Qusai Ramadan

TL;DR
This study replicates previous research on the relationship between software popularity and security vulnerabilities, analyzing nearly 400,000 PHP packages to confirm that more popular packages tend to have more reported vulnerabilities.
Contribution
It provides large-scale empirical evidence supporting the hypothesis that popular PHP packages are more likely to have security vulnerabilities, enhancing the understanding of security dynamics in open source software.
Findings
Popular PHP packages have more reported vulnerabilities.
The hypothesis that popularity correlates with insecurity is supported.
Large-scale analysis confirms previous smaller studies.
Abstract
There has been a long-standing hypothesis, in both research and popular discourse, that a software's popularity is related to its security or insecurity. A few empirical studies have also examined the hypothesis, either explicitly or implicitly. The present work continues and contributes to this research with a replication-motivated large-scale analysis of software written in the PHP programming language. The dataset examined contains nearly four hundred thousand open source software packages written in PHP. According to the results based on reported security vulnerabilities, the hypothesis does hold: packages that have been affected by vulnerabilities over their release histories are generally more popular than packages that have not been affected by a single vulnerability. With these replication results, the paper contributes to the efforts to strengthen the empirical…
Taxonomy
Topics: Advanced Malware Detection Techniques · Information and Cyber Security · Web Application Security Vulnerabilities
