An Empirical Analysis of Vulnerabilities in Python Packages for Web Applications

Ruohonen, Jukka

doi:10.1109/iwesep.2018.00013

Cited by 17 publications

(20 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In particular, the Common Vulnerability Scoring System (CVSS) and the Common Weakness Enumeration (CWE) framework provide information about the severity of the vulnerabilities and the typical weaknesses behind these. As is well-known [24,30,43], it should be remarked that not all of the CVEs observed have CVSS and CWE entries in NVD due to delays and other database maintenance issues. In any case, the results regarding these frameworks are summarized in Fig.…”

Section: Severity and Weaknessesmentioning

confidence: 88%

“…The reason why NVD is sometimes slower may relate to the online sources monitored by WPVDB's maintainers for gaining information about plugin vulnerabilities. Like many [28,40], but not all [24], vulnerability databases, WPVDB provides hyperlinks to the original information sources. To illustrate the main sources, Fig.…”

Section: Overviewmentioning

confidence: 99%

“…[3]. While the answers to the question are still unclear, good progress has been made to better understand vulnerabilities within software ecosystems [24,40]. Recently, the issues examined have been further extended toward the security of ecosystems themselves [34].…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

A Demand-Side Viewpoint to Software Vulnerabilities in WordPress Plugins

Ruohonen

2019

Proceedings of the Evaluation and Assessment on Software Engineering

Self Cite

View full text Add to dashboard Cite

WordPress has long been the most popular content management system (CMS). This CMS powers millions and millions of websites. Although WordPress has had a particularly bad track record in terms of security, in recent years many of the well-known security risks have transmuted from the core WordPress to the numerous plugins and themes written for the CMS. Given this background, the paper analyzes known software vulnerabilities discovered from WordPress plugins. A demand-side viewpoint was used to motivate the analysis; the basic hypothesis is that plugins with large installation bases have been affected by multiple vulnerabilities. As the hypothesis also holds according to the empirical results, the paper contributes to the recent discussion about common security folklore. A few general insights are also provided about the relation between software vulnerabilities and software maintenance. CCS CONCEPTS• Security and privacy → Web application security;

show abstract

Section: Severity and Weaknessesmentioning

confidence: 88%

Section: Overviewmentioning

confidence: 99%

See 1 more Smart Citation

A Demand-Side Viewpoint to Software Vulnerabilities in WordPress Plugins

Ruohonen

2019

Proceedings of the Evaluation and Assessment on Software Engineering

Self Cite

View full text Add to dashboard Cite

show abstract

“…On a broader scope, the issues that emerge from our analysis can be seen as consequences of the black-box nature of software libraries. It is a known issue that the tendency of developers to include third-party code in their projects, without prior verification of its content, can lead to the inclusion of vulnerabilities or, in the worst case, of malicious code [10,33,43]. Indeed, in recent history, prominent package repositories for the Python and JavaScript languages have been the target of attacks that aimed to exploit the popularity of widely-used libraries [28,42].…”

Section: Discussionmentioning

confidence: 99%

Leave my apps alone!

Scoccia

Kanj

Malavolta

et al. 2020

Proceedings of the IEEE/ACM 7th International Conference on Mobile Software Engineering and Systems

View full text Add to dashboard Cite

To enable app interoperability, the Android platform exposes installed application methods (IAMs), i.e., APIs that allow developers to query for the list of apps installed on a user's device. It is known that information collected through IAMs can be used to precisely deduce end-users interests and personal traits, thus raising privacy concerns. In this paper, we present a large-scale empirical study investigating the presence of IAMs in Android apps and their usage by Android developers. Our results highlight that: (i) IAMs are widely used in commercial applications while their popularity is limited in open-source ones; (ii) IAM calls are mostly performed in included libraries code; (iii) more than one-third of libraries that employ IAMs are advertisement libraries; (iv) a small number of popular advertisement libraries account for over 33% of all usages of IAMs by bundled libraries; (v) developers are not always aware that their apps include IAMs calls. Based on the collected data, we confirm the need to (i) revise the way IAMs are currently managed by the Android platform, introducing either an ad-hoc permission or an opt-out mechanism and (ii) improve both developers and end-users awareness with respect to the privacy-related concerns raised by IAMs.

show abstract

“…In 2018, Ruohonen [21] discussed and examines software vulnerabilities in common Python packages used particularly for web development. Their dataset is basically on the base of PyPI package repository and the so-called Safety DB used to track vulnerabilities in selected packages within the repository.…”

Section: Literature Reviewmentioning

confidence: 99%