Trust, but Verify: Evaluating Developer Behavior in Mitigating Security Vulnerabilities in Open-Source Software Projects

Janislley Oliveira de Sousa, Bruno Carvalho De Farias, Eddie Batista de Lima Filho, Lucas Cordeiro

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

9 Downloads (Pure)

Abstract

This study investigates vulnerabilities in dependencies of sampled open-source software (OSS) projects, the relationship between these and overall project security, and how developers' behaviors and practices influence their mitigation. Through analysis of OSS projects, we have identified common issues in outdated or unmaintained dependencies, including pointer dereferences and array bounds violations, that pose significant security risks. We have also examined developer responses to formal verifier reports, noting a tendency to dismiss potential issues as false positives, which can lead to overlooked vulnerabilities. Our results suggest that reducing the number of direct dependencies and prioritizing well-established libraries with strong security records are effective strategies for enhancing the software security landscape. Notably, four vulnerabilities were fixed as a result of this study, demonstrating the effectiveness of our mitigation strategies.
Original languageEnglish
Title of host publication24th Brazilian Symposium on Information and Computational Systems Security
Publication statusAccepted/In press - 8 Aug 2024

Fingerprint

Dive into the research topics of 'Trust, but Verify: Evaluating Developer Behavior in Mitigating Security Vulnerabilities in Open-Source Software Projects'. Together they form a unique fingerprint.

Cite this