Vulnerability Risk Modelling in Open Source Software Systems

Title: Vulnerability Risk Modelling in Open Source Software Systems
Author: Heddes, Rens (TU Delft Electrical Engineering, Mathematics and Computer Science)
Contributors: Zaidman, A.E. (mentor); Proksch, S. (graduation committee); Živković, M. (graduation committee)
Degree granting institution: Delft University of Technology
Programme: Computer Science
Date: 2022-03-11

Abstract
Recent large-scale cyber security incidents such as the Equifax data breach, in which the personal information of around 160 million Americans leaked, demonstrate the risk posed by security vulnerabilities in the libraries that software projects depend on. The use of libraries is an integral part of modern software development and a widespread practice across software projects. Libraries make it possible to reuse proven implementations of certain functionality instead of duplicating them. However, this means that the use of libraries creates a set of dependencies for a software project. While libraries increase development speed through reuse of existing code, these dependencies can also propagate problems that exist in the libraries themselves. A security vulnerability in a dependency can therefore have a major impact on the software project as a whole. Currently, there are analysers that perform a high-level analysis to identify vulnerable dependencies. However, these analysers are limited to the package level, where a whole library is considered either vulnerable or safe. In reality the situation is often more nuanced: only certain functions of a library pose a security risk. Considering the growing number of dependencies of software projects and the increasing number of vulnerability disclosures, the dependency update management process is currently a difficult task. A more fine-grained type of analysis could therefore help developers identify and mitigate actual security risks. In this thesis, we propose a new risk modelling approach that uses fine-grained analysis to concentrate these efforts as well as possible and increase the security of software applications. Furthermore, we perform an extensive evaluation that compares it to existing risk approaches in order to investigate the accuracy of the proposed approach. We find that the new risk model is more accurate in prioritising risk mitigation strategies, with an average increase of 8% over current state-of-the-art risk models. The model does require function-level vulnerability information, which does not exist for all disclosed vulnerabilities and is an active area of research.

Subject: Risk Analysis; vulnerabilities; Open source; CVSS; Dependencies
To reference this document use: http://resolver.tudelft.nl/uuid:4b3b172f-1c64-4ddf-9854-c74b62edee76
Part of collection: Student theses
Document type: master thesis
Rights: © 2022 Rens Heddes
Files: Thesis_Rens_Heddes.pdf (PDF, 597.15 KB)
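The abstract contrasts package-level analysers, which mark a whole library as vulnerable or safe, with a fine-grained analysis that asks whether the vulnerable functions are actually used. The following Python script is an added illustration of that distinction and is not code from the thesis or its evaluation: it uses a constructed call graph for a toy application with two dependencies and constructed advisory data (the package names, function names and advisory identifiers are made up), and shows that a package-level check reports both dependencies while a call-graph reachability check reports only the advisory whose named function the application can actually reach, together with the call path as evidence.

```python
"""Package-level versus function-level dependency vulnerability checks.

Added illustration, not code from the thesis. Packages, functions and
advisory identifiers below are constructed for the example.
"""
from collections import deque

# Constructed interprocedural call graph: caller -> list of callees.
# Edges cross package boundaries ("app" into "libjson" / "libimg").
CALL_GRAPH = {
    "app.main": ["app.load_config", "app.render_thumbnail"],
    "app.load_config": ["libjson.parse"],
    "app.render_thumbnail": ["libimg.resize"],
    "libjson.parse": ["libjson.parse_string", "libjson.parse_number"],
    "libjson.parse_string": [],
    "libjson.parse_number": [],
    "libjson.eval_template": ["libjson.parse"],  # present in libjson, never called by app
    "libimg.resize": ["libimg.decode_png"],
    "libimg.decode_png": ["libimg.read_chunk"],
    "libimg.read_chunk": [],
    "libimg.decode_gif": [],                     # present in libimg, never called by app
}

# Constructed advisories, each naming the functions it affects. This is the
# function-level information the abstract notes is missing for many disclosures.
ADVISORIES = {
    "libjson": {"id": "ADV-0001", "vulnerable_functions": {"libjson.eval_template"}},
    "libimg": {"id": "ADV-0002", "vulnerable_functions": {"libimg.read_chunk"}},
}


def reachable_functions(call_graph, entry):
    """Every function reachable from `entry` by following call edges (BFS)."""
    seen = {entry}
    queue = deque([entry])
    while queue:
        caller = queue.popleft()
        for callee in call_graph.get(caller, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def call_path(call_graph, entry, target):
    """Shortest entry -> ... -> target call chain, or None if unreachable."""
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        caller = queue.popleft()
        if caller == target:
            path = []
            while caller is not None:
                path.append(caller)
                caller = parent[caller]
            return path[::-1]
        for callee in call_graph.get(caller, ()):
            if callee not in parent:
                parent[callee] = caller
                queue.append(callee)
    return None


def package_of(func):
    """Package name is the prefix before the first dot in this toy naming scheme."""
    return func.split(".", 1)[0]


def package_level_findings(call_graph, entry, advisories):
    """Package-level analyser: report every advisory whose package is used at
    all, regardless of which functions of that package the application calls."""
    used = {package_of(f) for f in reachable_functions(call_graph, entry)}
    return sorted(adv["id"] for pkg, adv in advisories.items() if pkg in used)


def function_level_findings(call_graph, entry, advisories):
    """Function-level analyser: report an advisory only if one of the
    functions it names is reachable; the call path is the evidence."""
    findings = {}
    for adv in advisories.values():
        for func in sorted(adv["vulnerable_functions"]):
            path = call_path(call_graph, entry, func)
            if path is not None:
                findings[adv["id"]] = path
                break
    return findings


if __name__ == "__main__":
    print("package-level :", package_level_findings(CALL_GRAPH, "app.main", ADVISORIES))
    print("function-level:", function_level_findings(CALL_GRAPH, "app.main", ADVISORIES))
```

Run stand-alone, the package-level check reports both ADV-0001 and ADV-0002, while the function-level check reports only ADV-0002 with the path app.main to libimg.read_chunk, because libjson.eval_template is never reached. The caveat a practitioner should keep in mind is that a static call graph under-approximates calls made through reflection, dynamic dispatch or deserialisation, so "unreachable" lowers priority rather than proving safety, and the approach only works where an advisory names the affected functions at all.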