SlideShare a Scribd company logo
On the impact of security vulnerabilities in
the npm package dependency network
Alexandre Decan
Tom Mens
Eleni Constantinou
Replication package
https://doi.org/10.5281/zenodo.1193577
Motivation: HeartBleed bug
Introduced in 2010
• Allowed anyone on the Internet to read the
memory of the software systems
• Simple programming mistake
Discovered and traced in April 2014
• 0.5M servers certified by trusted authorities
were believed to be a affected
Motivation: Security
Vulnerabilities in OSS
• OSS widely used, even in commercial software
• Vulnerabilities often found years after their introduction
• Exploited vulnerabilities may compromise many dependent
applications
Motivation: Security Vulnerabilities in OSS
https://www.blackducksoftware.com/technology/vulnerability-reporting
time
Focus: Security vulnerabilities in
package dependency networks
Focus: Security vulnerabilities in
package dependency networks
Focus: Security vulnerabilities in
package dependency networks
Most packages depend
on another one.
~60% in April 2016
vulnerability dataset
Package metadata gathered
from libraries.io (automatically)
on November 2017
610,097 packages
Packages releases 4,202,099
Runtime package dependencies 20,240,402
vulnerability dataset
399 vulnerabilities
Affected packages 269
# releases of affected packages 14,931
# affected releases 6,752
Vulnerabilities gathered
from snyk.io (manually)
vulnerability dataset
399 vulnerabilities
Affected packages 269
# releases of affected packages 14,931
# affected releases 6,752
Vulnerabilities gathered
from snyk.io (manually)
How long do packages
remain vulnerable?
>40% of all vulnerabilities are still there after 2 years,
regardless of their severity.
How long do packages
remain vulnerable?
40% of all vulnerabilities are not fixed after 2 years,
regardless of their severity.
It takes a long time before vulnerabilities are
removed from a package.
When are vulnerabilities
fixed?
+ Most vulnerabilities are quickly fixed after their discovery.
- ~20% of vulnerabilities take more than 1 year to be fixed.
When are vulnerabilities
fixed?
Most vulnerabilities are fixed after the reported discovery
date but before they become public.
When are vulnerabilities
fixed?
Vulnerabilities must be fixed early/before
public announcement. Unmaintained
vulnerable packages should be deprecated.
Vulnerable packages
# vulnerable packages 269
# releases of vulnerable packages 14,931
# vulnerable releases 6,752
# dependent packages affected
by the vulnerable packages
72,470
To which extent do vulnerabilities
affect dependent packages?
Package maintainers must use security
monitoring tools, and adapt their dependency
constraints to automatically quickly benefit
from security fixes
To which extent do vulnerabilities
affect dependent packages?
A large fraction of affected dependent packages are not updated,
even if an upstream fix is available.
Status of affected dependents that are not yet fixed
To which extent do vulnerabilities
affect dependent packages?
Status of affected dependents that are not yet fixed
To which extent do vulnerabilities
affect dependent packages?
Main causes of not fixing a vulnerability in a dependent package:
• Improper or too restrictive use of dependency constraints
• Dependent package is no longer actively maintained
Only about half of all dependents are fixed before or at same time as upstream fix.
>33% of all affected dependents are not (yet) fixed!
To which extent do vulnerabilities
affect dependent packages?
Main causes of not fixing a vulnerability in a dependent package:
• Improper or too restrictive use of dependency constraints
• Dependent package is no longer actively maintained
To which extent do vulnerabilities
affect dependent packages?
Summary
• Vulnerabilities linger for a long time
until they are discovered
• One of of five security vulnerabilities
take more than 1 year to fix after its
discovery
• Many dependent packages do not
upgrade to security fixes in upstream
packages.
Solutions
• Better use of dependency
constraints and semantic
versioning
• Use security monitoring tools
• Deprecate unmaintained
obsolete packages
• Use better versioning and
security policies

More Related Content

What's hot

Vulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comVulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.com
Alexander Leonov
 
SonicWALL Advanced Features
SonicWALL Advanced FeaturesSonicWALL Advanced Features
SonicWALL Advanced Features
David Perkins
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
Alexander Leonov
 
KACE End Point Security Update
KACE End Point Security UpdateKACE End Point Security Update
KACE End Point Security Update
kenross15
 
Endpoint Security
Endpoint Security Endpoint Security
Endpoint Security
Zack Fabro
 
Venkasure Antivirus + Internet Security
Venkasure Antivirus + Internet SecurityVenkasure Antivirus + Internet Security
Venkasure Antivirus + Internet Security
venkasureantivirus
 
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal orePHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
Alexander Leonov
 
Thinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and PreventionThinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and Prevention
David Perkins
 
Make Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorMake Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your Favor
David Perkins
 
September 2012 Security Vulnerability Session
September 2012 Security Vulnerability SessionSeptember 2012 Security Vulnerability Session
September 2012 Security Vulnerability Session
Kaseya
 
DevSecOps Everything You Need To Know
DevSecOps Everything You Need To KnowDevSecOps Everything You Need To Know
DevSecOps Everything You Need To Know
Centextech
 
Cerdant Security State of the Union
Cerdant Security State of the UnionCerdant Security State of the Union
Cerdant Security State of the Union
David Perkins
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source Security
AlienVault
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM Installation
AlienVault
 
On the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemOn the health of the npm packaging ecosystem
On the health of the npm packaging ecosystem
Tom Mens
 
Two for Attack: Web and Email Content Protection
Two for Attack: Web and Email Content ProtectionTwo for Attack: Web and Email Content Protection
Two for Attack: Web and Email Content Protection
Cisco Canada
 
DevSecOps for you Full Stack
DevSecOps for you Full StackDevSecOps for you Full Stack
DevSecOps for you Full Stack
Ron Nixon
 
A Profile of the Backoff PoS Malware that Hit 1000+ Retail Businesses
A Profile of the Backoff PoS Malware that Hit 1000+ Retail BusinessesA Profile of the Backoff PoS Malware that Hit 1000+ Retail Businesses
A Profile of the Backoff PoS Malware that Hit 1000+ Retail Businesses
Lastline, Inc.
 
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications
DEVNET-1190	Targeted Threat (APT) Defense for Hosted ApplicationsDEVNET-1190	Targeted Threat (APT) Defense for Hosted Applications
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications
Cisco DevNet
 

What's hot (20)

Vulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comVulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.com
 
SonicWALL Advanced Features
SonicWALL Advanced FeaturesSonicWALL Advanced Features
SonicWALL Advanced Features
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
 
KACE End Point Security Update
KACE End Point Security UpdateKACE End Point Security Update
KACE End Point Security Update
 
Endpoint Security
Endpoint Security Endpoint Security
Endpoint Security
 
Venkasure Antivirus + Internet Security
Venkasure Antivirus + Internet SecurityVenkasure Antivirus + Internet Security
Venkasure Antivirus + Internet Security
 
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal orePHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
 
Thinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and PreventionThinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and Prevention
 
Make Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorMake Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your Favor
 
September 2012 Security Vulnerability Session
September 2012 Security Vulnerability SessionSeptember 2012 Security Vulnerability Session
September 2012 Security Vulnerability Session
 
DevSecOps Everything You Need To Know
DevSecOps Everything You Need To KnowDevSecOps Everything You Need To Know
DevSecOps Everything You Need To Know
 
Cerdant Security State of the Union
Cerdant Security State of the UnionCerdant Security State of the Union
Cerdant Security State of the Union
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source Security
 
70-272 Chapter10
70-272 Chapter1070-272 Chapter10
70-272 Chapter10
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM Installation
 
On the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemOn the health of the npm packaging ecosystem
On the health of the npm packaging ecosystem
 
Two for Attack: Web and Email Content Protection
Two for Attack: Web and Email Content ProtectionTwo for Attack: Web and Email Content Protection
Two for Attack: Web and Email Content Protection
 
DevSecOps for you Full Stack
DevSecOps for you Full StackDevSecOps for you Full Stack
DevSecOps for you Full Stack
 
A Profile of the Backoff PoS Malware that Hit 1000+ Retail Businesses
A Profile of the Backoff PoS Malware that Hit 1000+ Retail BusinessesA Profile of the Backoff PoS Malware that Hit 1000+ Retail Businesses
A Profile of the Backoff PoS Malware that Hit 1000+ Retail Businesses
 
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications
DEVNET-1190	Targeted Threat (APT) Defense for Hosted ApplicationsDEVNET-1190	Targeted Threat (APT) Defense for Hosted Applications
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications
 

Similar to On the impact of security vulnerabilities in the npm package dependency network

Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package Managers
Tom Mens
 
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
Fasten Project
 
Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)
Tom Mens
 
How to increase the technical health of your software?
How to increase the technical health of your software?How to increase the technical health of your software?
How to increase the technical health of your software?
Tom Mens
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
Tom Mens
 
vulnerable and outdated components.pptx
vulnerable and outdated components.pptxvulnerable and outdated components.pptx
vulnerable and outdated components.pptx
waleejhaider1
 
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your RiskInnocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
DevOps.com
 
Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!
Tom Mens
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
Scott Sutherland
 
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk managementPercezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Emerasoft, solutions to collaborate
 
Eirtight writing secure code
Eirtight writing secure codeEirtight writing secure code
Eirtight writing secure code
Kieran Dundon
 
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn'tInfographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
Sonatype
 
Vulnerability , Malware and Risk
Vulnerability , Malware and RiskVulnerability , Malware and Risk
Vulnerability , Malware and Risk
SecPod Technologies
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
Black Duck by Synopsys
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
IBM Security
 
Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...
WhiteSource
 
The DevOps Challenge: Open Source Security at Scale
The DevOps Challenge: Open Source Security at ScaleThe DevOps Challenge: Open Source Security at Scale
The DevOps Challenge: Open Source Security at Scale
DevOps.com
 
Open Source Security at Scale- The DevOps Challenge 
Open Source Security at Scale- The DevOps Challenge Open Source Security at Scale- The DevOps Challenge 
Open Source Security at Scale- The DevOps Challenge 
WhiteSource
 
Tracking vulnerable JARs
Tracking vulnerable JARsTracking vulnerable JARs
Tracking vulnerable JARsDavid Jorm
 
PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?
Black Duck by Synopsys
 

Similar to On the impact of security vulnerabilities in the npm package dependency network (20)

Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package Managers
 
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
 
Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)
 
How to increase the technical health of your software?
How to increase the technical health of your software?How to increase the technical health of your software?
How to increase the technical health of your software?
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
 
vulnerable and outdated components.pptx
vulnerable and outdated components.pptxvulnerable and outdated components.pptx
vulnerable and outdated components.pptx
 
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your RiskInnocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
 
Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
 
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk managementPercezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk management
 
Eirtight writing secure code
Eirtight writing secure codeEirtight writing secure code
Eirtight writing secure code
 
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn'tInfographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
 
Vulnerability , Malware and Risk
Vulnerability , Malware and RiskVulnerability , Malware and Risk
Vulnerability , Malware and Risk
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...
 
The DevOps Challenge: Open Source Security at Scale
The DevOps Challenge: Open Source Security at ScaleThe DevOps Challenge: Open Source Security at Scale
The DevOps Challenge: Open Source Security at Scale
 
Open Source Security at Scale- The DevOps Challenge 
Open Source Security at Scale- The DevOps Challenge Open Source Security at Scale- The DevOps Challenge 
Open Source Security at Scale- The DevOps Challenge 
 
Tracking vulnerable JARs
Tracking vulnerable JARsTracking vulnerable JARs
Tracking vulnerable JARs
 
PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?
 

More from Tom Mens

How to be(come) a successful PhD student
How to be(come) a successful PhD studentHow to be(come) a successful PhD student
How to be(come) a successful PhD student
Tom Mens
 
Recognising bot activity in collaborative software development
Recognising bot activity in collaborative software developmentRecognising bot activity in collaborative software development
Recognising bot activity in collaborative software development
Tom Mens
 
A Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHubA Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHub
Tom Mens
 
The (r)evolution of CI/CD on GitHub
 The (r)evolution of CI/CD on GitHub The (r)evolution of CI/CD on GitHub
The (r)evolution of CI/CD on GitHub
Tom Mens
 
Nurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the FutureNurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the Future
Tom Mens
 
Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?
Tom Mens
 
On the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHubOn the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHub
Tom Mens
 
On backporting practices in package dependency networks
On backporting practices in package dependency networksOn backporting practices in package dependency networks
On backporting practices in package dependency networks
Tom Mens
 
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsComparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Tom Mens
 
Lost in Zero Space
Lost in Zero SpaceLost in Zero Space
Lost in Zero Space
Tom Mens
 
Evaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messagesEvaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messages
Tom Mens
 
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Tom Mens
 
On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystems
Tom Mens
 
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
Tom Mens
 
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Tom Mens
 
SecoHealth 2019 Research Achievements
SecoHealth 2019 Research AchievementsSecoHealth 2019 Research Achievements
SecoHealth 2019 Research Achievements
Tom Mens
 
SECO-Assist 2019 research seminar
SECO-Assist 2019 research seminarSECO-Assist 2019 research seminar
SECO-Assist 2019 research seminar
Tom Mens
 
ConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker ContainersConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker Containers
Tom Mens
 
On the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npmOn the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npm
Tom Mens
 
"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk
Tom Mens
 

More from Tom Mens (20)

How to be(come) a successful PhD student
How to be(come) a successful PhD studentHow to be(come) a successful PhD student
How to be(come) a successful PhD student
 
Recognising bot activity in collaborative software development
Recognising bot activity in collaborative software developmentRecognising bot activity in collaborative software development
Recognising bot activity in collaborative software development
 
A Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHubA Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHub
 
The (r)evolution of CI/CD on GitHub
 The (r)evolution of CI/CD on GitHub The (r)evolution of CI/CD on GitHub
The (r)evolution of CI/CD on GitHub
 
Nurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the FutureNurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the Future
 
Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?
 
On the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHubOn the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHub
 
On backporting practices in package dependency networks
On backporting practices in package dependency networksOn backporting practices in package dependency networks
On backporting practices in package dependency networks
 
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsComparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
 
Lost in Zero Space
Lost in Zero SpaceLost in Zero Space
Lost in Zero Space
 
Evaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messagesEvaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messages
 
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
 
On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystems
 
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
 
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
 
SecoHealth 2019 Research Achievements
SecoHealth 2019 Research AchievementsSecoHealth 2019 Research Achievements
SecoHealth 2019 Research Achievements
 
SECO-Assist 2019 research seminar
SECO-Assist 2019 research seminarSECO-Assist 2019 research seminar
SECO-Assist 2019 research seminar
 
ConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker ContainersConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker Containers
 
On the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npmOn the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npm
 
"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk
 

Recently uploaded

in vitro propagation of plants lecture note.pptx
in vitro propagation of plants lecture note.pptxin vitro propagation of plants lecture note.pptx
in vitro propagation of plants lecture note.pptx
yusufzako14
 
Seminar of U.V. Spectroscopy by SAMIR PANDA
 Seminar of U.V. Spectroscopy by SAMIR PANDA Seminar of U.V. Spectroscopy by SAMIR PANDA
Seminar of U.V. Spectroscopy by SAMIR PANDA
SAMIR PANDA
 
BLOOD AND BLOOD COMPONENT- introduction to blood physiology
BLOOD AND BLOOD COMPONENT- introduction to blood physiologyBLOOD AND BLOOD COMPONENT- introduction to blood physiology
BLOOD AND BLOOD COMPONENT- introduction to blood physiology
NoelManyise1
 
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
Ana Luísa Pinho
 
In silico drugs analogue design: novobiocin analogues.pptx
In silico drugs analogue design: novobiocin analogues.pptxIn silico drugs analogue design: novobiocin analogues.pptx
In silico drugs analogue design: novobiocin analogues.pptx
AlaminAfendy1
 
Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...
Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...
Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...
Sérgio Sacani
 
Richard's aventures in two entangled wonderlands
Richard's aventures in two entangled wonderlandsRichard's aventures in two entangled wonderlands
Richard's aventures in two entangled wonderlands
Richard Gill
 
Leaf Initiation, Growth and Differentiation.pdf
Leaf Initiation, Growth and Differentiation.pdfLeaf Initiation, Growth and Differentiation.pdf
Leaf Initiation, Growth and Differentiation.pdf
RenuJangid3
 
Remote Sensing and Computational, Evolutionary, Supercomputing, and Intellige...
Remote Sensing and Computational, Evolutionary, Supercomputing, and Intellige...Remote Sensing and Computational, Evolutionary, Supercomputing, and Intellige...
Remote Sensing and Computational, Evolutionary, Supercomputing, and Intellige...
University of Maribor
 
Unveiling the Energy Potential of Marshmallow Deposits.pdf
Unveiling the Energy Potential of Marshmallow Deposits.pdfUnveiling the Energy Potential of Marshmallow Deposits.pdf
Unveiling the Energy Potential of Marshmallow Deposits.pdf
Erdal Coalmaker
 
Nucleic Acid-its structural and functional complexity.
Nucleic Acid-its structural and functional complexity.Nucleic Acid-its structural and functional complexity.
Nucleic Acid-its structural and functional complexity.
Nistarini College, Purulia (W.B) India
 
Mudde & Rovira Kaltwasser. - Populism - a very short introduction [2017].pdf
Mudde & Rovira Kaltwasser. - Populism - a very short introduction [2017].pdfMudde & Rovira Kaltwasser. - Populism - a very short introduction [2017].pdf
Mudde & Rovira Kaltwasser. - Populism - a very short introduction [2017].pdf
frank0071
 
role of pramana in research.pptx in science
role of pramana in research.pptx in sciencerole of pramana in research.pptx in science
role of pramana in research.pptx in science
sonaliswain16
 
S.1 chemistry scheme term 2 for ordinary level
S.1 chemistry scheme term 2 for ordinary levelS.1 chemistry scheme term 2 for ordinary level
S.1 chemistry scheme term 2 for ordinary level
ronaldlakony0
 
原版制作(carleton毕业证书)卡尔顿大学毕业证硕士文凭原版一模一样
原版制作(carleton毕业证书)卡尔顿大学毕业证硕士文凭原版一模一样原版制作(carleton毕业证书)卡尔顿大学毕业证硕士文凭原版一模一样
原版制作(carleton毕业证书)卡尔顿大学毕业证硕士文凭原版一模一样
yqqaatn0
 
Observation of Io’s Resurfacing via Plume Deposition Using Ground-based Adapt...
Observation of Io’s Resurfacing via Plume Deposition Using Ground-based Adapt...Observation of Io’s Resurfacing via Plume Deposition Using Ground-based Adapt...
Observation of Io’s Resurfacing via Plume Deposition Using Ground-based Adapt...
Sérgio Sacani
 
platelets_clotting_biogenesis.clot retractionpptx
platelets_clotting_biogenesis.clot retractionpptxplatelets_clotting_biogenesis.clot retractionpptx
platelets_clotting_biogenesis.clot retractionpptx
muralinath2
 
Phenomics assisted breeding in crop improvement
Phenomics assisted breeding in crop improvementPhenomics assisted breeding in crop improvement
Phenomics assisted breeding in crop improvement
IshaGoswami9
 
What is greenhouse gasses and how many gasses are there to affect the Earth.
What is greenhouse gasses and how many gasses are there to affect the Earth.What is greenhouse gasses and how many gasses are there to affect the Earth.
What is greenhouse gasses and how many gasses are there to affect the Earth.
moosaasad1975
 
Lateral Ventricles.pdf very easy good diagrams comprehensive
Lateral Ventricles.pdf very easy good diagrams comprehensiveLateral Ventricles.pdf very easy good diagrams comprehensive
Lateral Ventricles.pdf very easy good diagrams comprehensive
silvermistyshot
 

Recently uploaded (20)

in vitro propagation of plants lecture note.pptx
in vitro propagation of plants lecture note.pptxin vitro propagation of plants lecture note.pptx
in vitro propagation of plants lecture note.pptx
 
Seminar of U.V. Spectroscopy by SAMIR PANDA
 Seminar of U.V. Spectroscopy by SAMIR PANDA Seminar of U.V. Spectroscopy by SAMIR PANDA
Seminar of U.V. Spectroscopy by SAMIR PANDA
 
BLOOD AND BLOOD COMPONENT- introduction to blood physiology
BLOOD AND BLOOD COMPONENT- introduction to blood physiologyBLOOD AND BLOOD COMPONENT- introduction to blood physiology
BLOOD AND BLOOD COMPONENT- introduction to blood physiology
 
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
 
In silico drugs analogue design: novobiocin analogues.pptx
In silico drugs analogue design: novobiocin analogues.pptxIn silico drugs analogue design: novobiocin analogues.pptx
In silico drugs analogue design: novobiocin analogues.pptx
 
Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...
Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...
Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...
 
Richard's aventures in two entangled wonderlands
Richard's aventures in two entangled wonderlandsRichard's aventures in two entangled wonderlands
Richard's aventures in two entangled wonderlands
 
Leaf Initiation, Growth and Differentiation.pdf
Leaf Initiation, Growth and Differentiation.pdfLeaf Initiation, Growth and Differentiation.pdf
Leaf Initiation, Growth and Differentiation.pdf
 
Remote Sensing and Computational, Evolutionary, Supercomputing, and Intellige...
Remote Sensing and Computational, Evolutionary, Supercomputing, and Intellige...Remote Sensing and Computational, Evolutionary, Supercomputing, and Intellige...
Remote Sensing and Computational, Evolutionary, Supercomputing, and Intellige...
 
Unveiling the Energy Potential of Marshmallow Deposits.pdf
Unveiling the Energy Potential of Marshmallow Deposits.pdfUnveiling the Energy Potential of Marshmallow Deposits.pdf
Unveiling the Energy Potential of Marshmallow Deposits.pdf
 
Nucleic Acid-its structural and functional complexity.
Nucleic Acid-its structural and functional complexity.Nucleic Acid-its structural and functional complexity.
Nucleic Acid-its structural and functional complexity.
 
Mudde & Rovira Kaltwasser. - Populism - a very short introduction [2017].pdf
Mudde & Rovira Kaltwasser. - Populism - a very short introduction [2017].pdfMudde & Rovira Kaltwasser. - Populism - a very short introduction [2017].pdf
Mudde & Rovira Kaltwasser. - Populism - a very short introduction [2017].pdf
 
role of pramana in research.pptx in science
role of pramana in research.pptx in sciencerole of pramana in research.pptx in science
role of pramana in research.pptx in science
 
S.1 chemistry scheme term 2 for ordinary level
S.1 chemistry scheme term 2 for ordinary levelS.1 chemistry scheme term 2 for ordinary level
S.1 chemistry scheme term 2 for ordinary level
 
原版制作(carleton毕业证书)卡尔顿大学毕业证硕士文凭原版一模一样
原版制作(carleton毕业证书)卡尔顿大学毕业证硕士文凭原版一模一样原版制作(carleton毕业证书)卡尔顿大学毕业证硕士文凭原版一模一样
原版制作(carleton毕业证书)卡尔顿大学毕业证硕士文凭原版一模一样
 
Observation of Io’s Resurfacing via Plume Deposition Using Ground-based Adapt...
Observation of Io’s Resurfacing via Plume Deposition Using Ground-based Adapt...Observation of Io’s Resurfacing via Plume Deposition Using Ground-based Adapt...
Observation of Io’s Resurfacing via Plume Deposition Using Ground-based Adapt...
 
platelets_clotting_biogenesis.clot retractionpptx
platelets_clotting_biogenesis.clot retractionpptxplatelets_clotting_biogenesis.clot retractionpptx
platelets_clotting_biogenesis.clot retractionpptx
 
Phenomics assisted breeding in crop improvement
Phenomics assisted breeding in crop improvementPhenomics assisted breeding in crop improvement
Phenomics assisted breeding in crop improvement
 
What is greenhouse gasses and how many gasses are there to affect the Earth.
What is greenhouse gasses and how many gasses are there to affect the Earth.What is greenhouse gasses and how many gasses are there to affect the Earth.
What is greenhouse gasses and how many gasses are there to affect the Earth.
 
Lateral Ventricles.pdf very easy good diagrams comprehensive
Lateral Ventricles.pdf very easy good diagrams comprehensiveLateral Ventricles.pdf very easy good diagrams comprehensive
Lateral Ventricles.pdf very easy good diagrams comprehensive
 

On the impact of security vulnerabilities in the npm package dependency network

  • 1. On the impact of security vulnerabilities in the npm package dependency network Alexandre Decan Tom Mens Eleni Constantinou Replication package https://doi.org/10.5281/zenodo.1193577
  • 2. Motivation: HeartBleed bug Introduced in 2010 • Allowed anyone on the Internet to read the memory of the software systems • Simple programming mistake Discovered and traced in April 2014 • 0.5M servers certified by trusted authorities were believed to be a affected
  • 3. Motivation: Security Vulnerabilities in OSS • OSS widely used, even in commercial software • Vulnerabilities often found years after their introduction • Exploited vulnerabilities may compromise many dependent applications
  • 4. Motivation: Security Vulnerabilities in OSS https://www.blackducksoftware.com/technology/vulnerability-reporting time
  • 5. Focus: Security vulnerabilities in package dependency networks
  • 6. Focus: Security vulnerabilities in package dependency networks
  • 7. Focus: Security vulnerabilities in package dependency networks
  • 8. Most packages depend on another one. ~60% in April 2016
  • 9. vulnerability dataset Package metadata gathered from libraries.io (automatically) on November 2017 610,097 packages Packages releases 4,202,099 Runtime package dependencies 20,240,402
  • 10. vulnerability dataset 399 vulnerabilities Affected packages 269 # releases of affected packages 14,931 # affected releases 6,752 Vulnerabilities gathered from snyk.io (manually)
  • 11. vulnerability dataset 399 vulnerabilities Affected packages 269 # releases of affected packages 14,931 # affected releases 6,752 Vulnerabilities gathered from snyk.io (manually)
  • 12. How long do packages remain vulnerable? >40% of all vulnerabilities are still there after 2 years, regardless of their severity.
  • 13. How long do packages remain vulnerable? 40% of all vulnerabilities are not fixed after 2 years, regardless of their severity. It takes a long time before vulnerabilities are removed from a package.
  • 14. When are vulnerabilities fixed? + Most vulnerabilities are quickly fixed after their discovery. - ~20% of vulnerabilities take more than 1 year to be fixed.
  • 15. When are vulnerabilities fixed? Most vulnerabilities are fixed after the reported discovery date but before they become public.
  • 16. When are vulnerabilities fixed? Vulnerabilities must be fixed early/before public announcement. Unmaintained vulnerable packages should be deprecated.
  • 17. Vulnerable packages # vulnerable packages 269 # releases of vulnerable packages 14,931 # vulnerable releases 6,752 # dependent packages affected by the vulnerable packages 72,470 To which extent do vulnerabilities affect dependent packages?
  • 18. Package maintainers must use security monitoring tools, and adapt their dependency constraints to automatically quickly benefit from security fixes To which extent do vulnerabilities affect dependent packages?
  • 19. A large fraction of affected dependent packages are not updated, even if an upstream fix is available. Status of affected dependents that are not yet fixed To which extent do vulnerabilities affect dependent packages?
  • 20. Status of affected dependents that are not yet fixed To which extent do vulnerabilities affect dependent packages? Main causes of not fixing a vulnerability in a dependent package: • Improper or too restrictive use of dependency constraints • Dependent package is no longer actively maintained
  • 21. Only about half of all dependents are fixed before or at same time as upstream fix. >33% of all affected dependents are not (yet) fixed! To which extent do vulnerabilities affect dependent packages?
  • 22. Main causes of not fixing a vulnerability in a dependent package: • Improper or too restrictive use of dependency constraints • Dependent package is no longer actively maintained To which extent do vulnerabilities affect dependent packages?
  • 23. Summary • Vulnerabilities linger for a long time until they are discovered • One of of five security vulnerabilities take more than 1 year to fix after its discovery • Many dependent packages do not upgrade to security fixes in upstream packages.
  • 24. Solutions • Better use of dependency constraints and semantic versioning • Use security monitoring tools • Deprecate unmaintained obsolete packages • Use better versioning and security policies