extended-abstract

Estimating Security Risk Through Repository Mining

Author:
Tamas K. Lengyel

Intel Corporation, Santa Clara, CA, USA

Intel Corporation, Santa Clara, CA, USA

0009-0000-6814-1123
View Profile

SCORED '23: Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem DefensesNovember 2023Pages 51–52https://doi.org/10.1145/3605770.3625210

Published:26 November 2023Publication History

SCORED '23: Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses

Pages 51–52

ABSTRACT

As open-source projects are becoming ever more present throughout the modern computing stack, it is crucial to be able to quickly spot problematic, poorly maintained, or otherwise "risky" projects. The OSSF Scorecard has been introduced to address this need for fast security risk assessment by mining software repository metadata. We can reasonably expect a project with a CI system, code-reviews, and lots of users to be less risky than a project without those qualities. Since measuring security risk directly is difficult, we test a proxy hypothesis that these factors should also correlate with a reduction of bugs in software and test our hypothesis by scanning thousands of popular C & C++ projects with static analysis tools.

References

Istehad Chowdhury and Mohammad Zulkernine. 2011. Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities. Journal of Systems Architecture, Vol. 57, 3 (2011), 294--313.Google ScholarDigital Library
Intel. [n.,d.]. Scaling Repo Scanner (SRS). https://github.com/intel/srs.Google Scholar
LLVM.org. [n.,d.]. clang-tidy cognitive complexity. https://clang.llvm.org/extra/clang-tidy/checks/readability/function-cognitive-complexity.html.Google Scholar
Nuthan Munaiah, Felivel Camilo, Wesley Wigham, Andrew Meneely, and Meiyappan Nagappan. 2017. Do bugs foreshadow vulnerabilities? An in-depth study of the chromium project. Empirical Software Engineering , Vol. 22 (2017), 1305--1347.Google ScholarDigital Library
Yonghee Shin and Laurie Williams. 2008. Is complexity really the enemy of software security?. In Proceedings of the 4th ACM workshop on Quality of protection. 47--50.Google ScholarDigital Library

Index Terms

Estimating Security Risk Through Repository Mining
1. Security and privacy
  1. Software and application security
2. Software and its engineering
  1. Software notations and tools
    1. Software libraries and repositories

Recommendations

Security Risk Assessment: Managing Physical and Operational Security
Read More
A framework for estimating information security risk assessment method completeness

In general, an information security risk assessment (ISRA) method produces risk estimates, where risk is the product of the probability of occurrence of an event and the associated consequences for the given organization. ISRA practices vary among ...
Read More
Rethinking risk-based information security
InfoSecCD '07: Proceedings of the 4th annual conference on Information security curriculum development

Risk assessment in the insurance and financial industries use processes and empirical data created specifically for their needs. The risk assessment processes used by IT and information security (InfoSec) risk management do not work as well. The ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SCORED '23: Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses
November 2023
111 pages
ISBN:9798400702631
DOI:10.1145/3605770
General Chairs:
Santiago Torres-Arias
Purdue University, USA
,
Marcela Melara
Intel Corporation, USA
,
Laurent Simon
Google Inc., USA
,
Program Chairs:
Nikos Vasilakis
Brown University
,
Kathleen Moriarty
Center for Internet Security
Copyright © 2023 Owner/Author
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 26 November 2023
Check for updates
Author Tags
complexity analysis
ossf scorecard
security risk estimation
static analysis
Qualifiers
- extended-abstract
Conference
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 0
  Total Citations
  View Citations
- 33
  Total Downloads
- Downloads (Last 12 months)33
- Downloads (Last 6 weeks)5
Other Metrics
View Author Metrics
Cited By
This publication has not been cited yet

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Estimating Security Risk Through Repository Mining

SCORED '23: Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses

ABSTRACT

References

Cited By

Index Terms

Recommendations

Security Risk Assessment: Managing Physical and Operational Security

A framework for estimating information security risk assessment method completeness

Rethinking risk-based information security