A Mixed-Methods Study of Open-Source Software Maintainers On Vulnerability Management and Platform Security Features

• URL: http://arxiv.org/abs/2409.07669v1
• Date: Thu, 12 Sep 2024 00:15:03 GMT
• Title: A Mixed-Methods Study of Open-Source Software Maintainers On Vulnerability Management and Platform Security Features
• Authors: Jessy Ayala, Yu-Jye Tung, Joshua Garcia,
• Abstract summary: This paper investigates the perspectives of OSS maintainers on vulnerability management and platform security features. We find that supply chain mistrust and lack of automation for vulnerability management are the most challenging. barriers to adopting platform security features include a lack of awareness and the perception that they are not necessary.
• Score: 6.814841205623832
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: In open-source software (OSS), software vulnerabilities have significantly increased. Although researchers have investigated the perspectives of vulnerability reporters and OSS contributor security practices, understanding the perspectives of OSS maintainers on vulnerability management and platform security features is currently understudied. In this paper, we investigate the perspectives of OSS maintainers who maintain projects listed in the GitHub Advisory Database. We explore this area by conducting two studies: identifying aspects through a listing survey ($n_1=80$) and gathering insights from semi-structured interviews ($n_2=22$). Of the 37 identified aspects, we find that supply chain mistrust and lack of automation for vulnerability management are the most challenging, and barriers to adopting platform security features include a lack of awareness and the perception that they are not necessary. Surprisingly, we find that despite being previously vulnerable, some maintainers still allow public vulnerability reporting, or ignore reports altogether. Based on our findings, we discuss implications for OSS platforms and how the research community can better support OSS vulnerability management efforts.

Related papers

• On Categorizing Open Source Software Security Vulnerability Reporting Mechanisms on GitHub [1.7174932174564534]
  Open-source projects are essential to software development, but publicly disclosing vulnerabilities without fixes increases the risk of exploitation. The Open Source Security Foundation (OpenSSF) addresses this issue by promoting robust security policies to enhance project security. Current research reveals that many projects perform poorly on OpenSSF criteria, indicating a need for stronger security practices.
  arXiv  Detail & Related papers  (2025-02-11T09:23:24Z)
• Investigating Vulnerability Disclosures in Open-Source Software Using Bug Bounty Reports and Security Advisories [6.814841205623832]
  We conduct an empirical study on 3,798 reviewed GitHub security advisories and 4,033 disclosed OSS bug bounty reports. We are the first to determine the explicit process describing how OSS vulnerabilities propagate from security advisories and bug bounty reports.
  arXiv  Detail & Related papers  (2025-01-29T16:36:41Z)
• PASTA-4-PHT: A Pipeline for Automated Security and Technical Audits for the Personal Health Train [34.203290179252555]
  This work discusses a PHT-aligned security and audit pipeline inspired by DevSecOps principles. We introduce vulnerabilities into a PHT and apply our pipeline to five real-world PHTs, which have been utilised in real-world studies. Ultimately, our work contributes to an increased security and overall transparency of data processing activities within the PHT framework.
  arXiv  Detail & Related papers  (2024-12-02T08:43:40Z)
• Discovery of Timeline and Crowd Reaction of Software Vulnerability Disclosures [47.435076500269545]
  Apache Log4J was found to be vulnerable to remote code execution attacks. More than 35,000 packages were forced to update their Log4J libraries with the latest version. It is practically reasonable for software developers to update their third-party libraries whenever the software vendors have released a vulnerable-free version.
  arXiv  Detail & Related papers  (2024-11-12T01:55:51Z)
• Trust, but Verify: Evaluating Developer Behavior in Mitigating Security Vulnerabilities in Open-Source Software Projects [0.11999555634662631]
  This study investigates vulnerabilities in dependencies of sampled open-source software (OSS) projects. We have identified common issues in outdated or unmaintained dependencies, that pose significant security risks. Results suggest that reducing the number of direct dependencies and prioritizing well-established libraries with strong security records are effective strategies for enhancing the software security landscape.
  arXiv  Detail & Related papers  (2024-08-26T13:46:48Z)
• On Security Weaknesses and Vulnerabilities in Deep Learning Systems [32.14068820256729]
  We specifically look into deep learning (DL) framework and perform the first systematic study of vulnerabilities in DL systems. We propose a two-stream data analysis framework to explore vulnerability patterns from various databases. We conducted a large-scale empirical study of 3,049 DL vulnerabilities to better understand the patterns of vulnerability and the challenges in fixing them.
  arXiv  Detail & Related papers  (2024-06-12T23:04:13Z)
• Profile of Vulnerability Remediations in Dependencies Using Graph Analysis [40.35284812745255]
  This research introduces graph analysis methods and a modified Graph Attention Convolutional Neural Network (GAT) model. We analyze control flow graphs to profile breaking changes in applications occurring from dependency upgrades intended to remediate vulnerabilities. Results demonstrate the effectiveness of the enhanced GAT model in offering nuanced insights into the relational dynamics of code vulnerabilities.
  arXiv  Detail & Related papers  (2024-03-08T02:01:47Z)
• REEF: A Framework for Collecting Real-World Vulnerabilities and Fixes [40.401211102969356]
  We propose an automated collecting framework REEF to collect REal-world vulnErabilities and Fixes from open-source repositories. We develop a multi-language crawler to collect vulnerabilities and their fixes, and design metrics to filter for high-quality vulnerability-fix pairs. Through extensive experiments, we demonstrate that our approach can collect high-quality vulnerability-fix pairs and generate strong explanations.
  arXiv  Detail & Related papers  (2023-09-15T02:50:08Z)
• Tracking Patches for Open Source Software Vulnerabilities [9.047724746724953]
  Open source software (OSS) vulnerabilities threaten the security of software systems that use OSS. There arises a growing concern about the information quality of vulnerability databases.
  arXiv  Detail & Related papers  (2021-12-04T04:39:24Z)
• Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
  Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance. We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems. We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
  arXiv  Detail & Related papers  (2020-10-19T13:09:31Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.