Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Trust, but Verify: Evaluating Developer Behavior in Mitigating Security Vulnerabilities in Open-Source Software Projects

Janislley Oliveira de Sousa, Bruno Carvalho de Farias, Eddie Batista de Lima Filho, Lucas Carvalho Cordeiro

TL;DR

It is suggested that reducing the number of direct dependencies and prioritizing well-established libraries with strong security records are effective strategies for enhancing the software security landscape.

Abstract

This study investigates vulnerabilities in dependencies of sampled open-source software (OSS) projects, the relationship between these and overall project security, and how developers' behaviors and practices influence their mitigation. Through analysis of OSS projects, we have identified common issues in outdated or unmaintained dependencies, including pointer dereferences and array bounds violations, that pose significant security risks. We have also examined developer responses to formal verifier reports, noting a tendency to dismiss potential issues as false positives, which can lead to overlooked vulnerabilities. Our results suggest that reducing the number of direct dependencies and prioritizing well-established libraries with strong security records are effective strategies for enhancing the software security landscape. Notably, four vulnerabilities were fixed as a result of this study, demonstrating the effectiveness of our mitigation strategies.

Trust, but Verify: Evaluating Developer Behavior in Mitigating Security Vulnerabilities in Open-Source Software Projects

TL;DR

It is suggested that reducing the number of direct dependencies and prioritizing well-established libraries with strong security records are effective strategies for enhancing the software security landscape.

Abstract

This study investigates vulnerabilities in dependencies of sampled open-source software (OSS) projects, the relationship between these and overall project security, and how developers' behaviors and practices influence their mitigation. Through analysis of OSS projects, we have identified common issues in outdated or unmaintained dependencies, including pointer dereferences and array bounds violations, that pose significant security risks. We have also examined developer responses to formal verifier reports, noting a tendency to dismiss potential issues as false positives, which can lead to overlooked vulnerabilities. Our results suggest that reducing the number of direct dependencies and prioritizing well-established libraries with strong security records are effective strategies for enhancing the software security landscape. Notably, four vulnerabilities were fixed as a result of this study, demonstrating the effectiveness of our mitigation strategies.
Paper Structure (13 sections, 1 equation, 3 figures, 1 table)

This paper contains 13 sections, 1 equation, 3 figures, 1 table.

Table of Contents

  1. Introduction
  2. Background
  3. Bounded Model Checking Technique
  4. LSVerifier Tool
  5. Methodology
  6. Vulnerability Detection Process
  7. Experiment Setup
  8. Empirical Study Results
  9. OSS Projects Exploitation
  10. RQ1: What are the Common Types and Prevalence of Dependency Vulnerabilities in Open-Source Software Projects?
  11. RQ2: How do developers' behaviors and practices influence the mitigation of security vulnerabilities?
  12. RQ3: What is the most effective strategy for mitigating risks from dependency vulnerabilities in open-source software projects?
  13. Conclusion

Figures (3)

  • Figure 1: The LSVerifier's verification process involves specifying source-code directory and configurations, including solver, encoding, and verification methods. Violations are categorized and reported in a detailed summary output.
  • Figure 2: ESBMC verifier approach. White rectangles represent input and output and gray rectangles represent the verification steps gadelha2021esbmc.
  • Figure 3: Verification methodology using LSVerifier.