DocumentCode :
3694236
Title :
Impact assessment for vulnerabilities in open-source software libraries
Author :
Henrik Plate;Serena Elisa Ponta;Antonino Sabetta
Author_Institution :
SAP Labs France, Mougins, France
fYear :
2015
Firstpage :
411
Lastpage :
420
Abstract :
Software applications integrate more and more open-source software (OSS) to benefit from code reuse. As a drawback, each vulnerability discovered in bundled OSS may potentially affect the application that includes it. Upon the disclosure of every new vulnerability, the application vendor has to assess whether such a vulnerability is exploitable in the particular usage context of the applications, and needs to determine whether customers require an urgent patch containing a non-vulnerable version of the OSS. Unfortunately, current decision making relies mostly on natural-language vulnerability descriptions and expert knowledge, and is therefore difficult, time-consuming, and error-prone. This paper proposes a novel approach to support the impact assessment based on the analysis of code changes introduced by security fixes. We describe our approach using an illustrative example and perform a comparison with both proprietary and open-source state-of-the-art solutions. Finally, we report on our experience with a sample application and two industrial development projects.
Keywords :
"Libraries","Security","Runtime","Open source software","Java","Engines"
Publisher :
ieee
Conference_Titel :
Software Maintenance and Evolution (ICSME), 2015 IEEE International Conference on
Type :
conf
DOI :
10.1109/ICSM.2015.7332492
Filename :
7332492