Learning from Developers: How to Make Dependency Management Secure / Pashchenko, Ivan. - (2020).

Learning from Developers: How to Make Dependency Management Secure

Pashchenko, Ivan
2020-01-01

Abstract

Components with known vulnerabilities (#9 in the OWASP Top 10 list of Web Application Security Risks) are the most frequent cause of severe security breaches. Well-known examples are the Equifax breach caused by an outdated Apache Struts library, the Panama Papers data leak caused by an old, unpatched version of Drupal, and the Ubuntu forum breach caused by an outdated Forumrunner add-on. Still, developers often leave the third-party components used in their projects outdated. To understand developers' motivations for (not) updating the dependencies of their projects, we interviewed developers from 25 different companies located in 9 countries and analysed their strategies for (i) selecting new dependencies, (ii) updating currently used dependencies, (iii) using automatic dependency management tools, and (iv) mitigating bugs and vulnerabilities for which no fixed dependency version exists. In this talk, we share our observations on how security concerns influence current dependency management practices, together with recommendations (based both on our observations and on the developers' own recommendations) on how to address the lack of attention to the security of third-party components. The key takeaways of this talk are the following:

– you will learn the current practices developers use to manage software dependencies
– you will discover the implications of the most popular dependency management strategies
– you will get ideas on how to adjust the dependency management of your software projects to make them more secure
2020
Online
SFScon
Files in this item:
No files are associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11572/285414
Warning: the data displayed has not been validated by the university.
