IRIS

Free and Open Source Software (FOSS) components are ubiquitous in both proprietary and open source applications. Each time a vulnerability is disclosed in a FOSS component, a software vendor using this component in an application must decide whether to update the FOSS component, patch the application itself, or just do nothing as the vulnerability is not applicable to the older version of the FOSS component used. This is particularly challenging for enterprise software vendors that consume thousands of FOSS components and offer more than a decade of support and security fixes for their applications. Moreover, customers expect vendors to react quickly on disclosed vulnerabilities-in case of widely discussed vulnerabilities such as Heartbleed, within hours. To address this challenge, we propose a screening test: a novel, automatic method based on thin slicing, for estimating quickly whether a given vulnerability is present in a consumed FOSS component by looking across its entire reposit...

A Screening Test for Disclosed Vulnerabilities in FOSS Components / Dashevskyi, Stanislav; Brucker, Achim D.; Massacci, Fabio. - In: IEEE TRANSACTIONS ON SOFTWARE ENGINEERING. - ISSN 0098-5589. - STAMPA. - 45:10(2019), pp. 945-966. [10.1109/TSE.2018.2816033]

A Screening Test for Disclosed Vulnerabilities in FOSS Components

Dashevskyi, Stanislav;Massacci, Fabio
2019-01-01

Abstract

Free and Open Source Software (FOSS) components are ubiquitous in both proprietary and open source applications. Each time a vulnerability is disclosed in a FOSS component, a software vendor using this component in an application must decide whether to update the FOSS component, patch the application itself, or just do nothing as the vulnerability is not applicable to the older version of the FOSS component used. This is particularly challenging for enterprise software vendors that consume thousands of FOSS components and offer more than a decade of support and security fixes for their applications. Moreover, customers expect vendors to react quickly on disclosed vulnerabilities-in case of widely discussed vulnerabilities such as Heartbleed, within hours. To address this challenge, we propose a screening test: a novel, automatic method based on thin slicing, for estimating quickly whether a given vulnerability is present in a consumed FOSS component by looking across its entire reposit...
2019
IEEE TRANSACTIONS ON SOFTWARE ENGINEERING
10
2-s2.0-85043768203
WOS:000502113300001
Dashevskyi, Stanislav; Brucker, Achim D.; Massacci, Fabio
A Screening Test for Disclosed Vulnerabilities in FOSS Components / Dashevskyi, Stanislav; Brucker, Achim D.; Massacci, Fabio. - In: IEEE TRANSACTIONS ON SOFTWARE ENGINEERING. - ISSN 0098-5589. - STAMPA. - 45:10(2019), pp. 945-966. [10.1109/TSE.2018.2816033]
File in questo prodotto:
File Dimensione Formato  
dashevskyi.ea-vulnerability-screening-2018.pdf

Solo gestori archivio

Tipologia: Versione editoriale (Publisher’s layout)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 1.68 MB
Formato Adobe PDF
  Visualizza/Apri
1.68 MB Adobe PDF   Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11572/228813
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 31
  • ???jsp.display-item.citation.isi??? 27
  • OpenAlex ND
social impact