The Code the World Depends On: A First Look at Technology Makers' Open Source Software Dependencies
- URL: http://arxiv.org/abs/2404.11763v1
- Date: Wed, 17 Apr 2024 21:44:38 GMT
- Title: The Code the World Depends On: A First Look at Technology Makers' Open Source Software Dependencies
- Authors: Cadence Patrick, Kimberly Ruth, Zakir Durumeric,
- Abstract summary: Open-source software (OSS) supply chain security has become a topic of concern for organizations.
Patching an OSS vulnerability can require updating other dependent software products in addition to the original package.
We do not know what packages are most critical to patch, hindering efforts to improve OSS security where it is most needed.
- Score: 3.6840775431698893
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Open-source software (OSS) supply chain security has become a topic of concern for organizations. Patching an OSS vulnerability can require updating other dependent software products in addition to the original package. However, the landscape of OSS dependencies is not well explored: we do not know what packages are most critical to patch, hindering efforts to improve OSS security where it is most needed. There is thus a need to understand OSS usage in major software and device makers' products. Our work takes a first step toward closing this knowledge gap. We investigate published OSS dependency information for 108 major software and device makers, cataloging how available and how detailed this information is and identifying the OSS packages that appear the most frequently in our data.
Related papers
- Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments [60.51751612363882]
We investigate the security implications of and software-based Open Radio Access Network (RAN) systems.
We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
arXiv Detail & Related papers (2024-05-03T07:18:45Z) - Open Source Software (OSS) Transparency for DoD Acquisition [0.0]
Caveat emptor, or let the buyer beware, is commonly attributed to open source software (OSS)
We observe challenges for the OSS consumer to obtain information about the process(es), project(s) used to produce a product and the protection(s) employed by those projects.
arXiv Detail & Related papers (2024-04-25T16:47:34Z) - OSS Malicious Package Analysis in the Wild [17.028240712650486]
This paper builds and curates the largest dataset of 23,425 malicious packages from scattered online sources.
We then propose a knowledge graph to represent the OSS malware corpus and conduct malicious package analysis in the wild.
arXiv Detail & Related papers (2024-04-07T15:25:13Z) - Assessing the Threat Level of Software Supply Chains with the Log Model [4.1920378271058425]
The use of free and open source software (FOSS) components in all software systems is estimated to be above 90%.
This work presents a novel approach of assessing threat levels in FOSS supply chains with the log model.
arXiv Detail & Related papers (2023-11-20T12:44:37Z) - SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices [67.65883495888258]
We present SyzTrust, the first state-aware fuzzing framework for vetting the security of resource-limited Trusted OSes.
SyzTrust adopts a hardware-assisted framework to enable fuzzing Trusted OSes directly on IoT devices.
We evaluate SyzTrust on Trusted OSes from three major vendors: Samsung, Tsinglink Cloud, and Ali Cloud.
arXiv Detail & Related papers (2023-09-26T08:11:38Z) - Analyzing Maintenance Activities of Software Libraries [65.268245109828]
Industrial applications heavily integrate open-source software libraries nowadays.
I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
arXiv Detail & Related papers (2023-06-09T16:51:25Z) - Towards Measuring Vulnerabilities and Exposures in Open-Source Packages [0.0]
We provide an up-to-date overview of the open source landscape.
We discuss approaches to map entries of the Common Vulnerabilities and Exposures ( CVE) list to open-source libraries.
We show the frequency and distribution of existing CVE entries with respect to popular programming languages.
arXiv Detail & Related papers (2022-06-29T10:51:23Z) - Tracking Patches for Open Source Software Vulnerabilities [9.047724746724953]
Open source software (OSS) vulnerabilities threaten the security of software systems that use OSS.
There arises a growing concern about the information quality of vulnerability databases.
arXiv Detail & Related papers (2021-12-04T04:39:24Z) - Will bots take over the supply chain? Revisiting Agent-based supply
chain automation [71.77396882936951]
Agent-based supply chains have been proposed since early 2000; industrial uptake has been lagging.
We find that agent-based technology has matured, and other supporting technologies that are penetrating supply chains are filling in gaps.
For example, the ubiquity of IoT technology helps agents "sense" the state of affairs in a supply chain and opens up new possibilities for automation.
arXiv Detail & Related papers (2021-09-03T18:44:26Z) - A System for Automated Open-Source Threat Intelligence Gathering and
Management [53.65687495231605]
SecurityKG is a system for automated OSCTI gathering and management.
It uses a combination of AI and NLP techniques to extract high-fidelity knowledge about threat behaviors.
arXiv Detail & Related papers (2021-01-19T18:31:35Z) - Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance.
We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems.
We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
arXiv Detail & Related papers (2020-10-19T13:09:31Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.