Today's software industry relies heavily on open source software (OSS). However, the rapidly increasing number of OSS software vulnerabilities (SVs) poses huge security risks to the software supply chain. Managing the SVs in the OSS components they rely on has become a critical concern for software vendors. Because resources are limited in practice, an essential focus for vendors is to locate and prioritize the remediation of critical SVs (CSVs), i.e., those that tend to cause huge losses. In particular, software vendors are obliged to comply with security service level agreements (SLAs), which mandate that CSVs be fixed within a short time frame (e.g., 15 days). However, to the best of our knowledge, there is no empirical study that specifically investigates CSVs. Existing works target only general SVs and therefore miss the unique characteristics of CSVs. In this paper, we investigate the distributions (along the temporal, type, and repository dimensions) and the current remediation practice of CSVs in the OSS ecosystem, with an emphasis on how they differ from non-critical SVs (NCSVs). Following the industry standard, we refer to SVs with a Common Vulnerability Scoring System (CVSS) score of 9+ as CSVs and to all others as NCSVs. We collect a large-scale dataset containing 14,867 SVs and the artifacts associated with their remediation (e.g., issue reports, commits) across 4,462 GitHub repositories. Our findings on CSV distributions can help practitioners locate these hot spots. For example, we find that certain SV types have a much higher proportion of CSVs, yet do not receive enough attention from practitioners. Regarding remediation practice, we observe that although CSVs receive higher priority, some practices (e.g., complicated review and testing processes) may unintentionally delay their fixes. We also point out the risk of SV information leakage during the remediation process, which could leave a window of opportunity for zero-day attacks of over 30 days on median. Based on our findings, we provide implications for improving current CSV remediation practice.
Thu 18 Jul (displayed time zone: Brasilia, Distrito Federal, Brazil)

14:00 - 15:30 | Security and Privacy 1 | Ideas, Visions and Reflections / Industry Papers / Research Papers | at Pitanga | Chair(s): Gias Uddin (York University, Canada)

14:00 | 18m Talk | Investigating Documented Privacy Changes in Android OS | Research Papers | Chuan Yan (University of Queensland), Mark Huasong Meng (National University of Singapore), Fuman Xie (University of Queensland), Guangdong Bai (University of Queensland)

14:18 | 9m Talk | A Preliminary Study on the Privacy Concerns of Using IP Addresses in Log Data | Ideas, Visions and Reflections | Issam Sedki (Concordia University)

14:27 | 9m Talk | Personal Data-Less Personalized Software Applications | Ideas, Visions and Reflections | Sana Belguith (University of Bristol), Inah Omoronyia (University of Bristol), Ruzanna Chitchyan (University of Bristol)

14:36 | 18m Talk | Your Code Secret Belongs to Me: Neural Code Completion Tools Can Memorize Hard-coded Credentials | Research Papers | Yizhan Huang (The Chinese University of Hong Kong), Yichen LI (The Chinese University of Hong Kong), Weibin Wu (Sun Yat-sen University), Jianping Zhang (The Chinese University of Hong Kong), Michael Lyu (The Chinese University of Hong Kong)

14:54 | 18m Talk | Unveil the Mystery of Critical Software Vulnerabilities | Industry Papers | Shengyi Pan (Zhejiang University), Lingfeng Bao (Zhejiang University), Jiayuan Zhou (Huawei), Xing Hu (Zhejiang University), Xin Xia (Huawei Technologies), Shanping Li (Zhejiang University)

15:12 | 9m Talk | AgraBOT: Accelerating Third-Party Security Risk Management in Enterprise Setting | Industry Papers | Mert Toslali (IBM Research), Edward Snible (IBM Research), Jing Chen (IBM Research), Alan Cha (IBM Research, USA), Sandeep Singh (IBM), Michael Kalantar (IBM Research), Srinivasan Parthasarathy (IBM Research)