"Always Contribute Back": A Qualitative Study on Security Challenges of the Open Source Supply Chain

Wermke, Dominik; Klemmer, Jan H.; Wöhler, Noah; Juliane, Schmüser,; Ramulu, Harshini Sri; Acar, Yasemin; Fahl, Sascha

doi:10.1109/sp46215.2023.10179378

Cited by 5 publications

(1 citation statement)

References 57 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The first analysis findings indicate that unsafe dependency updates are prevalent across all tiers within the ecosystem. Thus, our aim is to establish a close connection between unsafe practises and their alternatives, based on existing research that has explored the exploitability of code [26] and how practitioners are using OSS libraries in their code [33].…”

Section: Placing Safeguardsmentioning

confidence: 99%

Lessons from the Long Tail: Analysing Unsafe Dependency Updates across Software Ecosystems

Wattanakriengkrai,

Kula,

Treude

et al. 2023

Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Enginee

View full text Add to dashboard Cite

A risk in adopting third-party dependencies into an application is their potential to serve as a doorway for malicious code to be injected (most often unknowingly). While many initiatives from both industry and research communities focus on the most critical dependencies (i.e., those most depended upon within the ecosystem), little is known about whether the rest of the ecosystem suffers the same fate. Our vision is to promote and establish safer practises throughout the ecosystem. To motivate our vision, in this paper, we present preliminary data based on three representative samples from a population of 88,416 pull requests (PRs) and identify unsafe dependency updates (i.e., any pull request that risks being unsafe during runtime), which clearly shows that unsafe dependency updates are not limited to highly impactful libraries. To draw attention to the long tail, we propose a research agenda comprising six key research questions that further explore how to safeguard against these unsafe activities. This includes developing best practises to address unsafe dependency updates not only in top-tier libraries but throughout the entire ecosystem.

show abstract

Section: Placing Safeguardsmentioning

confidence: 99%