An Ecological Approach to Software Supply Chain Risk Management

Sebastian Benthall
Ion Channel, ionchannel.io
UC Berkeley School of Information

Travis Pinney
Ion Channel, ionchannel.io
travis.pinney@ionchannel.io

JC Herz
jc.herz@ionchannel.io
Ion Channel, ionchannel.io

Kit Plummer
kit.plummer@ionchannel.io
Ion Channel, ionchannel.io

Video: https://youtu.be/6UnuPhTPdnM

Abstract

We approach the problem of software assurance in a novel way inspired by an analytic framework used in natural hazard risk mitigation. Existing approaches to software assurance focus on evaluating individual software projects in isolation. We demonstrate a technique that evaluates an entire ecosystem of software projects, taking into account the dependency structure between packages. Our model analytically separates vulnerability and exposure as elements of software risk, then makes minimal assumptions about the propagation of these values through a software supply chain. Combined with data collected from package management systems, our model indicates "hot spots" in the ecosystem of higher expected risk. We demonstrate this model using data collected from the Python Package Index (PyPI). Our results suggest that Zope and Plone related projects carry the highest risk of all PyPI packages because they are widely used and their core libraries are no longer maintained.

Keywords

risk management, software dependencies, complex networks, software vulnerabilities, software security

DOI

10.25080/Majora-629e541a-012
